On November 10, 2025, the 48 CFR CMMC Final Rule was finalized, beginning the first phase of CMMC implementation across the DIB. As of now, new DoW contracts and solicitations will contain CMMC level 1 requirements, with some contracts requiring level 2. CMMC will be implemented in a phased approach; however, many prime contractors are already requiring their suppliers to achieve level 2 compliance. It is important to act now and ensure that, when the time comes, your organization is prepared to pass its audit.
The CMMC program is intended to be implemented in four phases:
Phase 1 (Beginning Nov. 10, 2025):
During phase 1, new solicitations may require compliance under CMMC. On the effective date of November 10, CMMC level 1 moves from guidance to enforcement, and any new DoW solicitation or contract that includes the DFARS 252.204-7021 clause will require contractors to demonstrate compliance with level 1. To demonstrate eligibility, contractors will need to submit their self-assessment to the Supplier Performance Risk System (SPRS) prior to the award. Once phase 1 begins, handling Federal Contract Information (FCI) without a valid CMMC level 1 self-assessment on file will not be permitted.
During phase 1, some contractors may require a level 2 self-assessment as well.
Phase 2 (Beginning ~12 months after Phase 1):
Phase 2 will begin approximately one year after phase 1. During this time, contractors will begin to see level 2 third-party certification requirements appear in contracts as a condition for award. CMMC level 2 applies to any contract that requires the supplier to store, transmit, or process controlled unclassified information (CUI). This means that contractors will need to be CMMC level 2 certified by early 2026 in order to bid on or keep certain contracts.
Phase 3 (Beginning ~24 months after Phase 1):
During phase 3, contractors will be required to implement advanced cybersecurity controls and comply with CMMC level 2 requirements if they are handling CUI. Contractors with level 2 requirements will have to undergo a third-party audit conducted by a C3PAO and demonstrate compliance with all 320 assessment objectives outlined in NIST 800-171. Some contracts will include level 3 requirements.
Phase 4 (Beginning 2028):
Phase 4 will conclude the CMMC rollout with CMMC requirements implemented into all DoW solicitations and contracts by the end of 2028.
While many may be tempted to think that CMMC is still several years away from full implementation, that doesn't mean organizations should wait to pursue compliance. As a reminder, the CMMC rule is the DoD's way of assessing compliance with the controls outlined in NIST 800-171, a framework contractors have been required to adhere to since 2017.
Every organization has to start somewhere, and contractors that are just beginning their journey to CMMC compliance have a long road ahead of them. Begin by scoping out your organization.
Partnering with an externally verified MSP is crucial for contractors seeking help in achieving and maintaining CMMC compliance. While many MSPs are able to claim that they are certified via a "self-assessment," their processes will still be in scope of your organization's audit. This means that if your service provider fails to comply with CMMC standards, you will be left facing the consequences.
CorpInfoTech passed our CMMC Level 2 Assessment with a perfect 110 score. We are among the first MSPs to pass our CMMC Level 2 Assessment. By partnering with CorpInfoTech, your organization will automatically inherit 200+ out of the 320 objectives required by CMMC. These controls come pre-certified and will reduce implementation time and provide greater assurance in your ability to pass a third-party audit.
CorpInfoTech is a CMMC Level 2 (C3PAO) certified MSP that has passed our audit with a perfect 110, making us one of the first MSPs to achieve level 2 compliance.
CMMC Update: As of November 10, 2025, CMMC compliance requirements are officially in effect and mandatory for all new Department of War (formerly DoD) contracts. In Phase 1, organizations handling Federal Contract Information (FCI) must complete a CMMC Level 1 self-assessment and submit their results to the Supplier Performance Risk System (SPRS) before being awarded new contracts. Primes may also require their supply chain partners to achieve CMMC certification at any stage of the rollout.
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS accredited organization, we help organizations implement the CIS controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.