CorpInfoTech Blog | Resources and education regarding the latest in cybersecurity and compliance!

The CMMC Implementation Phased Rollout

Written by Waits Sharpe | Nov 4, 2025 8:43:36 PM

The road to finalization for CMMC has been an arduous one, but with the publication of the 48 CFR rule into the federal register on September 10, 2025, DoW contractors now have a more concrete timeline of when they can expect these requirements to appear in their contracts. Alongside the publication of the 48 CFR Final Rule, CMMC will be required beginning November 10, 2025. However, the DoW is rolling out CMMC requirements through a phased approach, the first of which will begin on November 10th.

CMMC Phased Rollout

Phase 1 (Beginning Nov. 10, 2025): 

During phase 1, new solicitations may require compliance under CMMC. On the effective date of November 10, CMMC level 1 moves from guidance to enforcement, and any new DoW solicitation or contract that includes the DFARS 252.204-7021 clause will require contractors to demonstrate compliance with level 1. To demonstrate eligibility, contractors will need to submit their self-assessment to the Supplier Performance Risk System (SPRS) prior to award. Once phase 1 begins, handling Federal Contract Information (FCI) without a valid CMMC level 1 self-assessment on file will not be permitted.

During phase 1, some contractors may require a level 2 self-assessment as well.

Phase 2 (Beginning ~12 months after Phase 1):

Phase 2 will begin approximately one year after phase 1. During this time, contractors will begin to see level 2 third-party certification requirements appear in contracts as a condition for award. CMMC level 2 applies to any contract that requires the supplier to store, transmit, or process controlled unclassified information (CUI). This means that contractors will need to be CMMC level 2 certified by early 2026 in order to bid on or keep certain contracts. 

Phase 3 (Beginning ~24 months after Phase 1):

During phase 3, contractors will be required to implement advanced cybersecurity controls and comply with CMMC level 2 requirements if they are handling CUI. Contractors with level 2 requirements will have to undergo a third-party audit conducted by a C3PAO and demonstrate compliance with all 320 assessment objectives outlined in NIST 800-171. Some contracts will include level 3 requirements.

Phase 4 (Beginning 2028):

Phase 4 will conclude the CMMC rollout with CMMC requirements implemented into all DoW solicitations and contracts by the end of 2028.

Avoid Confusion! Several Misconceptions Regarding CMMC Compliance

  1. Phase 1 is not limited to level 1 and level 2 self-assessments: While not mandated across the board, some contracts may require CMMC level 2 third-party certification as early as November 10th. It is unwise to wait until later phases to begin implementing level 2 in your organization. Additionally, many prime contractors are requiring their suppliers to achieve level 2 compliance regardless of which implementation phase CMMC is in.
  2. Your prime cannot flow down your certification to you: Subcontractors working under a CMMC compliant prime do not inherit their prime's certification. It is still the subcontractor's responsibility to achieve and maintain compliance. 
  3. CMMC will not replace DFARS 252.204-7012: CMMC is intended to verify the implementation of NIST 800-171, which is already required under DFARS 7012.

What Are Your Next Steps for CMMC Compliance?

  1. Start By Mapping Your Data Flow: Most contractors fail their CMMC audit due to improper scoping. Your Data Flow Diagram confirms which systems, people, and facilities will interact with FCI or CUI.
  2. Determine Your Requirements: If you handle only FCI, you will need to comply with CMMC L1. If your organization stores, processes, or transmits CUI, you will need to comply with CMMC L2. 
  3. Conduct a Gap Assessment: Perform an analysis of your current security and compliance posture in order to understand what needs to be fixed.
  4. Use SPRS Carefully: Upload and maintain self-assessment scores and affirmations. Assign ownership to monitor and refresh entries annually or whenever your environment changes. This system establishes a legal attestation to the federal government. Don't open yourself up to a false claims case: use SPRS with care and retain the evidence supporting your SPRS attestation for 6 years.

CorpInfoTech, a CMMC L2 Certified MSP

CorpInfoTech is a CMMC L2 certified MSP that offers IT, cybersecurity, and CMMC compliance solutions to SMBs working within the Defense Industrial Base (DIB). Through TAS for CMMC Compliance, we are able to flow down 200+ of the 320 objectives required by CMMC. With our third-party certification, we are uniquely positioned to guide subcontractors through the CMMC compliance journey, from assessment planning and documentation to remediation and audit readiness.

CorpInfoTech is:

  1. The Fastest Way to Compliance: We immediately cover 200+ of the 320 objectives required by CMMC.
  2. The Least Expensive Path to Compliance: We use proven systems to reduce audit scope and cost.
  3. The Most Flexible Compliance Solution: We offer fully or co-managed compliance services for on-site technologies.

Key Takeaways

  • Phase 1 of the CMMC Implementation Rollout begins Nov. 10, 2025. At this time CMMC level 1 will be required.
  • Many prime contractors are requiring their subs to achieve CMMC L2 compliance regardless of where CMMC is in its implementation.
  • These phases are not a grace period for companies that have not started on their CMMC compliance. Many contracts will still require third-party certification even in the first phase.

CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS accredited organization, we help organizations implement the CIS controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.