As of November 10, 2025, the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program entered Phase 1 — marking the beginning of a three-year journey to mandate cybersecurity compliance across the entire Defense Industrial Base. If your organization works with federal contract information (FCI) or controlled unclassified information (CUI) under a DoD contract, this affects you directly.
What CMMC Is and Why It Matters
CMMC is a unified cybersecurity framework that requires defense contractors and subcontractors to implement, assess, and certify their cybersecurity practices in order to be eligible for DoD contract awards. Unlike prior frameworks that relied on self-attestation without verification, CMMC introduces independent third-party assessments for most contracts. It is built on existing standards including NIST SP 800-171 and FAR 52.204-21, and will be progressively enforced through three certification levels depending on the sensitivity of information handled.
The Three-Level Structure
Level 1 (Self) applies to contractors handling only FCI and requires annual self-assessment against 15 baseline security requirements. Level 2 applies to contractors handling CUI and requires compliance with all 110 security requirements in NIST SP 800-171 Revision 2 — either through self-assessment or a certified third-party assessment organization (C3PAO), depending on contract risk. Level 3, the highest tier, requires an assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and compliance with additional controls drawn from NIST SP 800-172.
The Four-Phase Rollout Timeline
Phase 1 (now active) introduces Level 1 and Level 2 self-assessment requirements into new solicitations and contracts. Phase 2 in November 2026 will add Level 2 C3PAO assessment requirements. Phases 3 and 4 (2027 and 2028) will progressively expand mandatory CMMC compliance until, by November 2028, it applies to all applicable DoD contracts with no remaining discretion to omit it. Contractors who fail to meet the required CMMC level will not be eligible to bid on, or continue performing, covered contracts.
Act Now — The Clock Is Already Running
Organizations in the defense supply chain should immediately conduct a readiness assessment of all information systems that process, store, or transmit FCI or CUI. Gaps must be addressed and documented in a Plan of Action and Milestones (POA&M) within 180 days to maintain conditional compliance status. Given the False Claims Act liability exposure for contractors who falsely certify compliance, the stakes could not be higher. The time to act is now — before CMMC requirements appear in your next solicitation.