It’s official: 48 CFR has been published, and the CMMC Phase 1 rollout is just 60 days away. Defense Industrial Base (DIB) contractors are understandably beginning to search for information about the recently finalized DFARS rule (Case 2019-D041), which formally integrates the Cybersecurity Maturity Model Certification (CMMC) requirements into the DoD acquisition process.
This is a big deal—especially for security and compliance professionals! This rule makes CMMC a contractual requirement for all DoD contractors and subcontractors that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in performance of a DoD contract. So, what can you expect in the coming months and how does it impact your organization? Let’s start with a timeline:
CMMC Phases and Their Timeline
Phase 1: November 10, 2025
DoD intends to include the requirement of CMMC statuses of Level 1 (Federal Contract Information) (Self) or certain Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award.
Phase 2: November 10, 2026
Begins the requirements for CMMC status of Level 2 (C3PAO) as a condition of award for all applicable DoD solicitations and contracts.
Phase 3: November 10, 2027
Begins the requirements for CMMC status of Level 3 (DIBCAC) as a condition of award for all applicable DoD solicitations and contracts.
Phase 4: November 10, 2028
Begins full implementation. DoD will include CMMC program requirements in all applicable DoD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4.
CMMC Contractor Requirements
- Post results of a CMMC Level 1 or Level 2 self-assessment in the Supplier Performance Risk System (SPRS)
- Maintain the required CMMC status for the life of the contract
- Complete annual affirmation of continuous compliance with security requirements identified in 32 CFR part 170 for each CMMC UID applicable to each contractor information system used in performance of contract that processes, stores, or transmits FCI/CUI
- Provide CMMC UID of information systems used in performance of contract that process, store, or transmit FCI/CUI, to the Government prior to award, option, or extension
- Flow down requirements to subcontractors that process, store, or transmit FCI/CUI
Final Thoughts
We understand this is an exciting, but stressful, and possibly confusing time. Hopefully, this quick guide gives you some peace of mind and empowers you to take action and feel prepared. A compliance program is never “finished,” but you have to start somewhere. We’re all in this together, ensuring our national security is upheld to the highest standard. Get ready to rumble: it’s going to be a wild ride!
If you or members of your organization have additional questions or concerns, or want to see where your security maturity stands, one of our consultants is happy to help.