The Final Countdown: CMMC Acquisition Rule Published, Phase 1 Begins November 10th

Key Takeaways

  1. CMMC is Now Final and Imminent: The Final CMMC Acquisition Rule has been published, integrating CMMC directly into DFARS, making it a definitive condition for many future DoD contract awards.
  2. Phase 1 Starts November 10, 2025: The initial rollout focuses on self-assessments. Contractors must be ready to attest to their security posture in the SPRS starting with new contract solicitations on or after this date.
  3. Strict Rules for Self-Assessments: Level 1 requires full compliance with the 15 FAR requirements (no POA&Ms). Level 2, while generally requiring a C3PAO assessment, allows limited self-assessments with a short (e.g., 180-day) POA&M for minor gaps on specific contracts during Phase 1.
  4. Proactive Preparation is Mandatory: Organizations must immediately identify their CMMC level (FCI → Level 1 or CUI → Level 2), conduct a gap assessment against the relevant controls (FAR or NIST SP 800-171), and remediate deficiencies to ensure compliance and continued eligibility for DoD work.

CMMC Phase 1 Implementation Starts Nov. 10

The cybersecurity landscape for the Defense Industrial Base (DIB) has just undergone a monumental shift. The Department of Defense (DoD) has officially published the Final Cybersecurity Maturity Model Certification (CMMC) Acquisition Rule, marking the beginning of a new era for safeguarding sensitive government information.

This isn’t just another update; it’s the culmination of years of planning and development, and it sets the stage for mandatory cybersecurity compliance across the entire defense supply chain. Most critically, CMMC Phase 1 implementation, specifically regarding self-assessments, is set to begin on November 10, 2025.

What Does the Final CMMC Acquisition Rule Mean for You?

The rule solidifies CMMC as a requirement for DoD contracts, integrating it directly into the Defense Federal Acquisition Regulation Supplement (DFARS). This means that depending on the type and sensitivity of information involved in a contract, companies will need to achieve a specific CMMC level as a condition for contract award.

The primary goal remains unchanged: to enhance the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the DIB from increasingly sophisticated cyber threats.

Phase 1: The Rollout of Self-Assessments (Starting November 10th)

The phased implementation is designed to allow organizations to adapt. Phase 1, kicking off on November 10, 2025, will focus on self-assessments. This is where many contractors will first encounter CMMC requirements in new solicitations and contracts.

Here’s a breakdown of what that means for different CMMC levels:

  • CMMC Level 1 (Foundational): This level applies to companies that handle only Federal Contract Information (FCI). If your organization falls into this category, you will be required to perform a self-assessment against the 15 requirements of FAR 52.204-21. This self-assessment must be attested to by a senior official and then submitted to the Supplier Performance Risk System (SPRS). Critically, no Plans of Action & Milestones (POA&Ms) are permitted for Level 1; full compliance is required.
  • CMMC Level 2 (Advanced): For organizations handling Controlled Unclassified Information (CUI), the journey begins here. Level 2 requirements are based on the 110 requirements of NIST SP 800-171. While Level 2 generally requires a CMMC Third-Party Assessment Organization (C3PAO) assessment, Phase 1 (starting November 10th) will allow self-assessments for a subset of Level 2 contracts that do not involve critical CUI. These self-assessments, like Level 1, must be submitted to SPRS. For these specific Level 2 self-assessments, a limited Plan of Action & Milestones (POA&M) will be allowed for minor deficiencies, but only for a defined period (e.g., 180 days).

It’s crucial to understand that even with self-assessments, the DoD retains the right to conduct validation assessments. Accuracy and thoroughness in your self-assessment are paramount.

Why November 10th is Important for CMMC

On November 10, 2025, CMMC requirements will begin to appear in new DoD solicitations and contracts. This means companies vying for new business or contract renewals on or after this date will need to demonstrate their CMMC compliance or have a clear plan for achieving it.

Delaying preparation is no longer an option. The DoD is serious about securing its supply chain, and CMMC is the mechanism to achieve that.

Your Path Forward: Prepare Now!

The publication of the final rule and the impending Phase 1 rollout on November 10th means it’s time to act if you haven’t already.

  1. Understand Your CMMC Level: Identify whether you handle FCI (Level 1) or CUI (Level 2) in your DoD contracts. This will dictate the requirements you need to meet.
  2. Conduct a Gap Assessment: Even if you plan for a self-assessment, conduct an internal assessment against the relevant CMMC requirements (FAR 52.204-21 for Level 1, NIST SP 800-171 for Level 2). Identify any gaps in your current cybersecurity posture.
  3. Remediate Deficiencies: Develop a plan to address identified gaps. Implement necessary security controls, update policies, and train your staff.
  4. Prepare for SPRS Submission: Familiarize yourself with the Supplier Performance Risk System and the process for submitting your CMMC self-assessment results.
  5. Stay Informed: CMMC is an evolving framework. Continue to monitor official DoD communications and industry updates.

The CMMC Acquisition Rule is here, and its implementation is imminent. By preparing proactively, your organization can ensure continued eligibility for DoD contracts and strengthen its overall cybersecurity resilience. Don’t wait until the November 10th deadline is upon you – Auditwerx can help start your CMMC journey today.

FAQs

The most critical date is November 10, 2025. This is when CMMC Phase 1 implementation begins, and CMMC requirements will start appearing in new DoD solicitations and contracts.

CMMC Level 1 (Foundational) applies to companies handling Federal Contract Information (FCI). CMMC Level 2 (Advanced) applies to organizations handling Controlled Unclassified Information (CUI).

Level 1 requires a self-assessment against the 15 requirements of FAR 52.204-21. The assessment must be attested to by a senior official and submitted to the SPRS. No Plans of Action & Milestones (POA&Ms) are permitted; full compliance is mandatory.

Yes, for the subset of Level 2 contracts allowed to self-assess during Phase 1, a limited Plan of Action & Milestones (POA&M) will be allowed for minor deficiencies, but only for a defined, short period (e.g., 180 days).

CMMC Level 2 requirements are based on the 110 requirements of NIST SP 800-171.

The DoD retains the right to conduct validation assessments to ensure the accuracy and thoroughness of a contractor’s self-assessment.

About the Author

Auditwerx Team
Tampa-based Auditwerx has provided over 3,500 security compliance reports to clients nationally and internationally since 2009, leveraging the specialized resources and experts of a top accounting firm for high-quality, personalized service. As a division of Carr, Riggs & Ingram Capital, LLC, Auditwerx offers clients the skills of a large firm—including CISSPs and CISAs—combined with the accessibility of a niche, boutique firm, dedicated to building long-term, transparent partnerships.
