If you work with the Department of Defense, you’ve probably heard the term CMMC thrown around more times than you can count. Maybe you’ve even nodded along in meetings pretending you were totally up to speed. Don’t worry, you’re not alone. This stuff gets confusing quickly, even for people who live in it every day.

CMMC is basically the DoD’s way of saying, “We’re tired of taking your word for it. Show us.” It takes cybersecurity requirements that have technically been around since 2017 and makes them enforceable at contract award. Think of it like moving from the honor system to a “trust but verify” model.

Let’s walk through what’s happened, what’s coming, and what you actually need to do.

So what is CMMC, really?

CMMC stands for Cybersecurity Maturity Model Certification. It applies to contractors and subcontractors that handle either Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

If you’re only selling simple commercial products that are truly off the shelf, you may not have to worry about CMMC. Everyone else in the defense supply chain eventually will.

There are three levels to know:

  • Level 1 covers basic safeguarding of FCI. It’s a self-assessment that you perform once a year and upload into the government’s portal called SPRS.

  • Level 2 covers the security controls in NIST 800-171. Some contracts will only require a self-assessment, while others will demand a third-party audit from an accredited C3PAO. The DoD itself (through DIBCAC) also has authority to perform what are called Level 2 High assessments if they choose to.

  • Level 3 is for high-security contracts. These are always assessed directly by the DoD’s Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC.

No matter which level applies to you, you’ll need to affirm your compliance in SPRS every year.

The road so far

Back in 2017, DFARS 252.204-7012 required contractors handling CUI to implement NIST 800-171. A lot of companies signed off that they were compliant but never actually closed all the gaps. That’s the problem CMMC is trying to solve.

Fast forward to October 2024. The DoD published the program rule, which laid out the structure of CMMC 2.0. That rule went into effect in December 2024.

Then on September 10, 2025, the DoD published the acquisition rule. That is the one that matters most because it means contracting officers can actually require CMMC in solicitations. It becomes effective November 10, 2025.

That date is important. Mark it. Circle it. Put it on a sticky note on your monitor.

Do you need to be certified right now?

This is the number one question I hear. The short answer is no. There is not a single date where everyone suddenly has to be certified.

Here’s what it really looks like:

  • Right now, before November 10, 2025, you don’t need CMMC certification to win new contracts. You still need to comply with NIST 800-171 and DFARS, and many contracts require you to post a score in SPRS, but no one is pulling awards because you don’t have a CMMC certificate in hand yet.

  • Starting November 10, 2025, things change. Any new solicitation may include CMMC requirements. If the contract says you need a Level 1 or Level 2 self-assessment, you’ll need to have that posted in SPRS before you can win. If it says you need a Level 2 third-party assessment, you’ll need that certificate before award.

  • By late 2028, the phased rollout will be complete. At that point, all contracts involving FCI or CUI will require CMMC at the appropriate level.

So no, you don’t need to be certified this very moment. But if you plan on winning contracts after November 2025, you need to be ready.

What the rollout looks like

CMMC is not flipping on overnight. The DoD built a phased rollout so the whole industry can catch up.

  • Phase 1 begins November 10, 2025. Some contracts will start requiring CMMC. Expect Level 1 self-assessments, Level 2 self-assessments, and in some cases Level 2 third-party certifications.

  • Phase 2 begins about a year later. More contracts will require third-party certifications at Level 2.

  • Phase 3 begins around year two. This is when Level 3 certifications show up for high-security contracts, and they will always be performed by DIBCAC.

  • Phase 4 begins about three years in. By late 2028, all new contracts that involve FCI or CUI will require CMMC.

Think of it like rolling out new rules at the gym. At first the trainer only checks if you’re stretching. Then a year later they start watching your form. By year three they’re filming your reps and grading you.

What this means in real life

Here’s what I’ve seen working with contractors:

  1. You cannot wing it. A real gap assessment against NIST 800-171 is your starting line. Otherwise you’re just guessing where the problems are.

  2. Documentation is half the battle. Having a firewall is great. Proving you have logs and policies and training around it is where most companies stumble.

  3. Self-assessments are not free passes. Even Level 1 requires you to submit results and affirm them every year. Contracting officers will check SPRS.

  4. POA&Ms are limited. You can only have certain controls on a Plan of Action and Milestones, and you only get 180 days to fix them if you receive one along with a conditional certificate. This is not a “we’ll get around to it” list. It’s a hard deadline.

  5. Scope is everything. If you can contain where your CUI lives, you shrink the cost and complexity. A smaller scope means fewer headaches.

Resources you should actually bookmark

The bottom line

CMMC is no longer just a talking point. Starting November 10, 2025, it becomes a real factor in contract awards. There isn’t one single date where everyone must be certified, but if you want to stay competitive, you need to be prepared before it shows up in your contracts.

If you want help building a game plan, that’s what we do every day. We’ll map out where your sensitive data lives, identify your gaps, and give you a roadmap to get compliant without drowning in checklists. Reach out now so the next time someone asks if you’re ready for CMMC, you can say yes with confidence.