CMMC Is Here: What the Defense Industrial Base Needs to Know Now That Phase 1 Has Begun

If you sell to the Department of War (DoW) — or plan to — the clock is no longer theoretical. On November 10, 2025, Phase 1 of the Cybersecurity Maturity Model Certification (CMMC) Program officially kicked off, and the rollout continues in staggered phases through November 2027. The days of self-attesting your way into a contract on vibes are over.
Here's a clean, no-fluff breakdown of what CMMC is, who it applies to, and what you actually need to do about it.
What Is CMMC, Really?
CMMC is the Department of War's framework for verifying that defense contractors and subcontractors are actually implementing the cybersecurity controls they've been contractually required to follow for years. The program was published as a final rule in the Federal Register in October 2024 and applies across the defense industrial base (DIB).
It exists for one reason: the DIB is under constant, increasingly sophisticated cyber attack, and self-attestation alone hasn't been cutting it. CMMC closes that gap by tying verified cybersecurity maturity to contract eligibility.
The program protects two categories of information:
Federal Contract Information (FCI) — non-public information provided by or generated for the government under a contract to deliver a product or service.
Controlled Unclassified Information (CUI) — information the government creates or possesses (or that's created on its behalf) that laws, regulations, or government-wide policy require to be safeguarded.
If your systems process, store, or transmit either, CMMC applies to you.
The Three Levels, Decoded
CMMC is a tiered model. The level you need depends on the type and sensitivity of the information your contracts touch.
Level 1 — Basic Safeguarding of FCI
15 security requirements aligned with FAR clause 52.204-21
Annual self-assessment plus annual affirmation of compliance
Results entered into the Supplier Performance Risk System (SPRS)
Plans of Action & Milestones (POA&Ms) are NOT permitted
Translation: you either meet the 15 requirements or you don't. No partial credit.
Level 2 — Broad Protection of CUI
110 security requirements aligned with NIST SP 800-171 Revision 2
Either a self-assessment or an independent assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years, depending on what the solicitation specifies
Annual affirmation required
POA&Ms are permitted under specific conditions in 32 CFR § 170.21(a)(2) and must be closed out within 180 days
Level 2 is where most DIB contractors handling CUI will live. If your solicitation calls for a C3PAO assessment, you'll need one from an authorized third party — the days of grading your own homework for these contracts are ending.
Level 3 — Higher-Level Protection Against Advanced Persistent Threats
Prerequisite: a Final CMMC Status of Level 2 (C3PAO) for the same assessment scope
All 110 NIST SP 800-171 R2 requirements, plus 24 selected requirements from NIST SP 800-172
Assessed every three years by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
Annual affirmation required — and the Level 2 (C3PAO) affirmation must continue annually as well
Level 3 is reserved for the most sensitive work, where nation-state adversaries are a real and present concern.
The Phased Rollout: Know Your Deadlines
CMMC implementation unfolds over three years across four phases, giving both assessors and contractors time to adapt.
PhaseStart DateWhat ChangesPhase 1Nov 10, 2025Applicable solicitations require Level 1 or Level 2 self-assessmentPhase 2Nov 10, 2026Applicable solicitations require Level 2 Certification (C3PAO)Phase 3Nov 10, 2027Applicable solicitations require Level 3 CertificationPhase 4Nov 10, 2027Full implementation — Level 3 Certification requirements fully in effect
One important wrinkle: DoW reserves the right to include Level 2 (C3PAO) requirements in some Phase 1 procurements, or Level 3 requirements in some Phase 2 procurements. In other words, the phased timeline is a floor, not a ceiling. A program office can accelerate its requirements for a specific contract if the sensitivity of the work justifies it. That may limit the pool of eligible competitors and drive cost — but it's on the table.
The Department may also choose to delay certification requirements in a contract to an option period, giving some contractors runway to come into compliance.
POA&Ms: What They Are and What They Aren't
A Plan of Actions and Milestones (POA&M) is essentially a documented roadmap for closing out cybersecurity requirements you haven't yet met. CMMC allows limited use of POA&Ms — but with strict guardrails:
Level 1: POA&Ms are not permitted. Full stop.
Level 2 and Level 3: POA&Ms are permitted for certain requirements per 32 CFR § 170.21, but critical requirements cannot be placed on a POA&M, and any open POA&M items must be closed within 180 days of the Conditional CMMC Status Date.
A POA&M closeout assessment evaluates only the items flagged as NOT MET in the initial assessment:
Level 2 self-assessments get a self-assessment closeout.
Level 2 certification assessments get a closeout by an authorized or accredited C3PAO.
Level 3 certification assessments get a closeout by DCMA DIBCAC.
Miss the 180-day window and your Conditional CMMC Status expires. That's not a cliff you want to walk off.
What You Should Be Doing Right Now
If you're a prime or sub in the DIB, here's a practical starting list:
Scope your information flows. Know exactly where FCI and CUI live in your environment — and where they shouldn't.
Determine your target level. Talk to your contracting officers and review anticipated solicitations. Don't guess.
Conduct a gap assessment against NIST SP 800-171 R2. If you're aiming for Level 2, this is non-negotiable.
Build or refresh your System Security Plan (SSP). Assessors will read it.
Remember the affirmation requirement. Submit affirmations with your CMMC assessments in SPRS. A lapsed annual affirmation invalidates your assessment.
Start the C3PAO conversation early. Authorized third-party assessors are a finite resource, and demand is rising as Phase 2 approaches.
The Bottom Line
CMMC isn't a new set of cybersecurity requirements — the underlying controls (FAR 52.204-21, NIST SP 800-171, NIST SP 800-172) have existed for years. What's new is verification with teeth. If you want to keep winning DoW contracts, you need to be able to prove you've done the work, and in many cases, prove it to someone other than yourself.
The organizations that treat CMMC as a strategic compliance program rather than a one-time box-check will end up with stronger security postures, faster contract awards, and fewer unpleasant surprises during assessment windows. The ones that wait until a solicitation drops on their desk will be scrambling.
The phase clock is ticking. Start now.
For official program documentation, FAQs, and resources, visit the DoW CIO CMMC page or the CMMC final rule in the Federal Register.