Key Takeaways
- The Countdown is On: CMMC 2.0 requirements start appearing in new DoD contracts on November 10, 2025. Preparation must begin now.
- Phase 1: Self-Assessment is Key: The initial phase mandates self-assessments for both Level 1 (FCI, no POA&Ms) and Level 2 (CUI, limited 180-day POA&Ms allowed on some contracts).
- Third-Party Assessments are Coming: From 2026 to 2028, the number of contracts requiring CMMC Level 2 third-party assessments will steadily grow, making compliance by November 10, 2028, mandatory for all applicable contracts.
- Prioritize Accuracy: Due to the risk of False Claims Act liability, companies must ensure their self-assessments are honest, accurate, and reflect a true statement of their security posture.
CMMC Acquisition Rule Published
The final Cybersecurity Maturity Model Certification (CMMC) Acquisition Rule has been published. This isn’t just a regulatory update; it’s the beginning of a phased, multi-year journey for the entire Defense Industrial Base (DIB).
The most important date to remember is November 10, 2025, when CMMC requirements will begin appearing in new DoD contracts. Knowing what’s coming next is the key to staying ahead.
Phase 1: The First Steps (Starting Nov 10, 2025)
The initial phase is all about self-assessments. Starting on November 10th, new contracts may require you to conduct a self-assessment and submit the results to the Supplier Performance Risk System (SPRS).
- For CMMC Level 1: If you handle Federal Contract Information (FCI), you’ll need to assess your compliance with 15 security requirements. This must be an honest evaluation, with no remediation plans (POA&Ms) allowed. Your attestation in SPRS is a direct statement of your security posture.
- For CMMC Level 2: If you handle Controlled Unclassified Information (CUI), some contracts will allow for a self-assessment. While a limited remediation plan (POA&M) is permitted, it is not a grace period; it is a strict 180-day deadline to close security gaps.
Even for self-assessments, accuracy is critical. False claims can lead to severe consequences, including False Claims Act liability.
The Phased Rollout: What Comes After Phase 1?
The DoD has a clear plan to integrate CMMC throughout the DIB. The phased approach is designed to give companies time to prepare, but it also means the requirements will become more widespread and stringent over time.
- 2026-2028: Over the next three years, CMMC requirements will be included in a growing number of contracts. The DoD will gradually increase the number of contracts requiring CMMC Level 2 third-party assessments, performed by authorized organizations like a C3PAO.
- November 10, 2028: By this date, CMMC compliance is expected to be mandatory for all applicable DoD contracts. This is the ultimate goal: a fully secure and resilient defense supply chain.
For companies seeking CMMC Level 2 compliance, engaging a C3PAO for a formal assessment will be a requirement for many contracts. The time to prepare for that is now.
Auditwerx: Your Partner on the CMMC Journey
Navigating this roadmap can be complex, but you don’t have to do it alone. As a candidate C3PAO, Auditwerx is fully prepared to help your organization at every stage of the CMMC process.
- CMMC Readiness: We can help you with your initial gap analysis and readiness preparation. Our team will review your existing controls and provide a clear plan to address any deficiencies. This preparation is a crucial first step for both self-assessments and future third-party evaluations.
- Mock Assessments: Want to be sure you’re ready before the official assessment? We conduct mock assessments to simulate the formal process, allowing you to identify and fix any last-minute issues, ensuring you’re fully prepared for the day of the real evaluation.
Our goal is to help you build a strong security foundation that not only meets CMMC requirements but also protects your business for years to come. Don’t wait until a solicitation with a CMMC clause appears in your inbox. Let’s start the conversation about your compliance strategy today.
FAQs
The most important date is November 10, 2025. This is when CMMC requirements will begin appearing in new DoD solicitations.
Companies that handle Federal Contract Information (FCI) must conduct a self-assessment of 15 security requirements. This assessment must be submitted as an attestation in the Supplier Performance Risk System (SPRS). No remediation plans (POA&Ms) are allowed for Level 1.
For companies handling Controlled Unclassified Information (CUI), some contracts will initially allow for a self-assessment. While a limited remediation plan (POA&M) is permitted, it is subject to a strict 180-day deadline to close any minor security gaps.
By November 10, 2028, CMMC compliance is expected to be mandatory for all applicable DoD contracts, marking the completion of the phased rollout.
Accuracy is critical. That is why it’s important to choose the right partner. False claims regarding your security posture can lead to severe consequences, including False Claims Act liability.
As a candidate C3PAO, Auditwerx offers two key services:
- CMMC Readiness: Initial gap analysis and preparation to address deficiencies.
- Mock Assessments: Simulated formal assessments to identify and fix last-minute issues before the official evaluation.
About the Author
Auditwerx Team