CMMC Deadline 2025: CMMC Phase 1 Enforcement Begins Today, Nov 10

November 10, 2025

Author: Anna Fitzgerald, Senior Content Marketing Manager

Reviewer: Rob Gutierrez, Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

As of today, November 10, 2025, the implementation of CMMC through defense contracts officially begins.

For most organizations, this means CMMC Level 1 or Level 2 self-assessments are now required at the time of award (although select contracts may require Level 2 third-party assessments even in this first phase).

This marks the first time the Department will formally incorporate CMMC assessment requirements into contracts under the revised DFARS 252.204-7021, as updated by the 48 CFR CMMC Acquisition rule. This transforms CMMC from a long-discussed cybersecurity initiative into a real, enforceable condition of eligibility for defense work.

Below, we break down what this milestone means for the Defense Industrial Base (DIB), what to expect from the phased rollout, and how automation can help fast-track readiness.

CMMC readiness gaps persist across the DIB despite Phase 1

With the 48 CFR rule now in effect, Phase 1 of the CMMC rollout has started and CMMC requirements will now begin appearing in Department of Defense (or Department) contracts—if they haven’t already. 

Even with Phase 1 now underway and primes having put pressure on their supply chains for months ahead of this deadline, readiness across the DIB remains critically low. 

As of the October CyberAB Town Hall, only 431 organizations had achieved a final CMMC Level 2 certification—representing just 0.5% of the roughly 80,000 companies the DoD estimates will require Level 2.

Independent research paints a similarly stark picture: an October 2025 report by CyberSheath found that only 1% of DIB organizations felt fully prepared for upcoming CMMC assessments. Critical readiness gaps remain, including:

  • Fewer than 50% have completed foundational documentation such as an SSP or POA&M, or have implemented all NIST SP 800-171 requirements.
  • The average SPRS score is only 60, well below the maximum score of 110 that signals full implementation.
  • 17% of contractors still report negative scores (the DoD assessment methodology subtracts 1, 3 or 5 points from 110 for each requirement that is not implemented, so a score can fall as low as -203).
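To make the SPRS numbers above concrete, here is a small scorer that follows the DoD NIST SP 800-171 Assessment Methodology as described in the bullets: start at 110, subtract each unimplemented requirement's weight (5, 3 or 1), allow the reduced 3-point deduction the methodology grants for a partially implemented 3.5.3 (MFA) or 3.13.11 (FIPS-validated cryptography), and refuse to score at all when there is no SSP (3.12.4). This is an added example written for this article, not code from the page or from any vendor or DoD tool. The weight table is an illustrative subset of the methodology's Annex A; a real run must load all 110 requirements from the published methodology, and the requirement statuses are constructed sample data, not a real assessment.

```python
"""SPRS score calculator following the DoD NIST SP 800-171 Assessment Methodology.

Scoring rule: start at 110 and subtract the weight (5, 3 or 1) of every
requirement that is NOT fully implemented. Two requirements allow a reduced
deduction of 3 when partially met: 3.5.3 (MFA) and 3.13.11 (FIPS-validated
cryptography). 3.12.4 (the SSP) carries no point value, but without an SSP the
assessment cannot be scored at all. An open POA&M item is scored as
"not implemented". With every weighted requirement missing, the score bottoms
out at -203, which is how negative SPRS scores arise.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110
MIN_SCORE = -203  # 110 minus the 313 total points in the methodology's Annex A

# SUBSET of the Annex A weights, for illustration. Assumption: a real run loads
# all 110 requirements from the methodology; anything missing from this table
# is simply not scored here.
WEIGHTS: Dict[str, Optional[int]] = {
    "3.1.1": 5,      # limit system access to authorized users
    "3.1.2": 5,      # limit access to permitted transactions and functions
    "3.1.5": 3,      # least privilege
    "3.1.22": 1,     # control CUI on publicly accessible systems
    "3.3.1": 5,      # create and retain audit logs
    "3.5.3": 5,      # multifactor authentication
    "3.12.2": 3,     # plan of action and milestones
    "3.12.4": None,  # system security plan: unweighted, but required to score
    "3.13.11": 5,    # FIPS-validated cryptography for CUI
    "3.14.2": 5,     # malicious code protection
}

# Requirements where a partial implementation deducts 3 instead of the full 5.
PARTIAL_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED, POAM = "implemented", "partial", "not_implemented", "poam"


def sprs_score(
    status: Dict[str, str],
    weights: Dict[str, Optional[int]] = WEIGHTS,
) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (score, deductions) for a requirement-id -> status map.

    Requirements absent from `status` are treated as not implemented, which is
    the conservative reading an assessor would take.
    """
    if status.get("3.12.4") != IMPLEMENTED:
        raise ValueError("3.12.4 (SSP) missing: assessment cannot be scored")

    score = MAX_SCORE
    deductions: List[Tuple[str, int]] = []
    for req, weight in weights.items():
        if weight is None:
            continue  # 3.12.4 carries no points
        state = status.get(req, NOT_IMPLEMENTED)
        if state == IMPLEMENTED:
            continue
        if state == PARTIAL:
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(f"{req}: partial credit is not allowed; mark it implemented or not")
            deduction = PARTIAL_DEDUCTION[req]
        elif state in (NOT_IMPLEMENTED, POAM):
            deduction = weight  # an open POA&M item scores the same as a missing control
        else:
            raise ValueError(f"{req}: unknown status {state!r}")
        deductions.append((req, deduction))
        score -= deduction
    return score, deductions


def table_floor(weights: Dict[str, Optional[int]] = WEIGHTS) -> int:
    """Lowest score the given table can produce; a full Annex A table gives -203."""
    return MAX_SCORE - sum(w for w in weights.values() if w)


def remediation_order(deductions: List[Tuple[str, int]]) -> List[str]:
    """Requirements sorted so the most expensive gaps (5-point items) come first."""
    return [req for req, _ in sorted(deductions, key=lambda d: (-d[1], d[0]))]


# Constructed example posture (not real assessment data): MFA covers remote and
# privileged users only, CUI is encrypted but with non-FIPS-validated modules,
# and nothing controls CUI on the public web server; everything else is done.
EXAMPLE_STATUS: Dict[str, str] = {
    "3.1.1": IMPLEMENTED, "3.1.2": IMPLEMENTED, "3.1.5": IMPLEMENTED,
    "3.1.22": NOT_IMPLEMENTED, "3.3.1": IMPLEMENTED, "3.5.3": PARTIAL,
    "3.12.2": IMPLEMENTED, "3.12.4": IMPLEMENTED, "3.13.11": PARTIAL,
    "3.14.2": IMPLEMENTED,
}

if __name__ == "__main__":
    score, gaps = sprs_score(EXAMPLE_STATUS)
    print(f"SPRS score: {score} (floor for this table: {table_floor()})")
    for req in remediation_order(gaps):
        print(f"  fix {req}")
```

Two points worth noticing when you run it: a requirement that is merely "in the POA&M" still costs its full weight, so a plan does not raise the score until the work is done, and because the three-point partial credit exists only for MFA and FIPS cryptography, every other control is all-or-nothing. Sorting the gaps by weight is the quickest way to see which remediation items move the score most.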

These readiness gaps have persisted for years: since the initial CMMC program was introduced in 2020, and even earlier given that the CMMC security requirements derive from existing regulations, including DFARS 252.204-7012, which took effect in 2017.

Given that compliance with these cybersecurity requirements has remained challenging and inconsistent across the DIB, the Department designed CMMC to roll out gradually in phases, rather than all at once. 

Let’s take a closer look at the phased implementation plan and rulemaking process behind CMMC.

The road to Phase 1 of CMMC enforcement: the 48 CFR rule, DFARS 252.204-7021, and DFARS 204.7503

To understand the significance of today’s enforcement milestone, it’s helpful to revisit the rulemaking process behind CMMC.

CMMC 2.0—now referred to simply as CMMC—was finalized in December 2024 under the 32 CFR rule, which governs the overall structure and policy of the CMMC program. 

However, at that point DoD program managers were not yet authorized to include CMMC assessment requirements in contracts and solicitations. That required a separate rule, the 48 CFR CMMC Acquisition Rule, which updates Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

DFARS 204.7503, the "Contract clause" prescription in DFARS subpart 204.75, directs contracting officers to insert clause 252.204-7021 into applicable solicitations and contracts; it is the clause itself that makes CMMC status a condition of award. Paragraph (b) of clause 252.204-7021, as quoted here, reads:

"The Contractor shall have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract."

Publication of the 48 CFR rule in the Federal Register started a 60-day clock to its effective date, bringing us to today's Phase 1 kickoff.

From today, November 10, 2025, the DoD will begin including CMMC requirements in most new contracts and solicitations, requiring at least a CMMC Level 1 or Level 2 self-assessment (with the accompanying affirmation) at the time of award.

These requirements will likely apply to 65% of the DIB, according to DoD estimates in the 32 CFR rule.

A deeper dive into 48 CFR rulemaking milestones to publication

Here’s a closer look at this rule’s journey to publication:

  • On July 22, 2025, the DoD submitted the 48 CFR rule to the Office of Management and Budget (OMB). At that point, 204.7503 still said that the clause must be included in all applicable solicitations and contracts awarded on or after October 1, 2025. That date was a holdover from the 2020 interim (CMMC 1.0) rule and was replaced in the final rule by the phased rollout described below.
  • On August 25, 2025, about five weeks later, the rule cleared regulatory review.

Source: Open DFARS Cases as of 8/29/2025

  • On September 10, 2025, the final 48 CFR rule was published in the Federal Register.
  • On November 10, 2025, 60 days after publication, the rule took effect.

What happens next in the phased rollout?

Today, on November 10, 2025, the CMMC phased rollout officially begins.

As described in 32 CFR § 170.3(e), CMMC requirements will be added incrementally to DoD contracts in four phases, each beginning one year after the preceding one.

Phase 1: Began November 10, 2025

  • Requires CMMC Level 1 or Level 2 self-assessments in applicable contracts and solicitations. 
  • Level 2 third-party assessments may be required at the DoD’s discretion. 

Phase 2: Begins November 10, 2026

  • Requires third-party assessments for Level 2 certifications for new contracts. 

Phase 3: Begins November 10, 2027

  • Requires CMMC Level 2 certifications to exercise option periods on applicable contracts awarded after the effective date of the CMMC rule and introduces Level 3 certifications. 

Phase 4: Begins November 10, 2028

  • Full implementation of CMMC requirements across all applicable DoD contracts. 

[Figure: From Interim Rule to Full Enforcement: CMMC Compliance Timeline Through 2028]

While the full rollout is expected to extend through 2028, organizations cannot wait until then. 

Phase 1 will impact the majority of contractors and may require self and third-party assessments depending on contract criticality. 

In short, most of the DIB will have to implement CMMC as soon as possible to get or stay eligible for DoD work and improve the security and resilience of the defense supply chain.


What Phase 1 means for the DIB: Understanding the requirements

If you handle sensitive unclassified information like Federal Contract Information (FCI), Export Controlled Information (ECI), or Controlled Unclassified Information (CUI) and plan to bid on or maintain defense contracts or subcontracts, you must now be prepared to meet your required CMMC level at award.

The DoD estimates that 99% of the entities that get CMMC certified will fall into Levels 1 and 2: 

  • 63% for Level 1 (self)
  • 2% for Level 2 (self)
  • 35% for Level 2 (C3PAO)

To meet Level 1 requirements, contractors should:

  • Understand what FCI is and where it resides in your environment
  • Implement controls to meet the 15 requirements from FAR 52.204-21
  • Maintain documentation and evidence showing these practices are in place and operating effectively
  • Ensure access controls, device protections, and data handling procedures align with the CMMC scoping guide for Level 1
  • Perform and submit a self-assessment, including an affirmation from a senior company official

While Level 1 is less complex than Level 2, organizations should not underestimate the effort required. Self-assessments can still be time-consuming, especially without tools to help track and document control implementation across teams and systems.


To meet Level 2 requirements, contractors should:

  • Identify your assessment scope by mapping where CUI and/or Security Protection Data (SPD) resides and which systems, users, and vendors interact with it
  • Fully implement the 110 controls and 320 assessment objectives from NIST SP 800-171
  • Document your control implementation in a detailed System Security Plan (SSP) and Plan of Actions and Milestones (POA&M)
  • Inventory in-scope vendors, assets, and data flows and confirm vendor compliance
  • Conduct a gap assessment to validate implementation and readiness
  • Select a C3PAO with certified assessors, clear communication processes, and audit availability aligned with your timeline

CMMC Level 2 compliance is considerably more complex and time-intensive than frameworks such as SOC 2 and ISO 27001.

Since these steps must be completed before contract award and demand for C3PAO assessment services will surge, the time to get ready is now.

Are you just getting started with CMMC? Check out our Pocket Guide to CMMC for a high-level overview of the CMMC 2.0 history, levels, and requirements to help orient your compliance journey.


Why now is the time to get CMMC ready if you haven’t yet

Now that the 48 CFR rule is enforceable and the CMMC phased rollout is officially underway, the pressure to achieve CMMC readiness is higher than ever. But the deadline isn’t the only reason contractors, subcontractors, and service providers should act quickly.

Below are eight of the most important reasons to accelerate your readiness efforts now.

1. CMMC enforcement is no longer theoretical

CMMC assessment requirements begin appearing in DoD contracts today (if they haven’t already), starting with Level 1 and Level 2 self-assessments and, in some cases, Level 2 third-party (C3PAO) assessments. Delaying CMMC readiness until 2026 could mean missing contract opportunities entirely.

Preparing for CMMC certification, especially for a Level 2 certification, can take several months—or longer—depending on your current posture, resource availability, and assessment readiness. The earlier you start, the more options you’ll have.

2. Risk—and penalties—are growing under the False Claims Act

CMMC Level 2 security requirements align with those of DFARS 252.204-7012, a clause that has been enforceable for years. Organizations that have not implemented and documented the 110 NIST SP 800-171 requirements are therefore not only at risk of failing CMMC Level 2 when it appears in contracts from today onward; they are already exposed under the False Claims Act for misrepresenting compliance with an existing contractual requirement.

In the past two years, the Department of Justice has shown increasing willingness to investigate and penalize contractors with:

  • inaccurate SPRS scores
  • incomplete or unimplemented NIST 800-171 controls
  • misrepresentation of compliance in proposals or affirmations

These risks apply to all DIB entities now—not just those who fall under Phase 1. Getting CMMC compliant reduces this legal liability and minimizes costly exposure.

3. Defense sensitive information remains at risk

CMMC is designed to raise the cybersecurity baseline across the entire DIB. Compliance is not about checking a box; it is about reducing the risk of unauthorized access, compromise, or espionage across thousands of contractors, subcontractors, partners, and service providers at every tier of the defense supply chain.

When even a single supplier lags in readiness, the entire ecosystem becomes vulnerable. So CMMC compliance isn’t just about maintaining contract eligibility or avoiding legal risk—it’s about strengthening the DIB’s collective ability to safeguard sensitive defense information—and by extension, improving national security.

4. Operational readiness and mission risk are at stake too

If contractors or subcontractors fail to meet the CMMC requirements reflected in their contracts, the consequences extend far beyond contract loss.

Organizations risk:

  • capability loss
  • project delays
  • reduced workforce or production throughput
  • inability to deliver on Department timelines

All of these cause supply-chain disruption that cascades both up and down the tiers. 

Even a small percentage of noncompliant defense suppliers can slow production lines, impact program delivery schedules, and otherwise affect operational readiness—which puts military operations at risk. 

Prioritizing CMMC certification not only mitigates contract risk—it mitigates mission risk.  

5. The CMMC ecosystem is already showing signs of strain

Demand already outpaces supply in the CMMC ecosystem, and that pressure will only grow now that Phase 1 is underway.

The longer you wait, the harder (and more expensive) it may be to get on a C3PAO's calendar before a contract you need requires the assessment.

6. You may be in scope even if CMMC or CUI isn’t in your contract

For some service providers, CMMC certification is the most efficient way to meet their responsibilities, even if they’re not directly under contract with the DoD.

Cloud platforms, SOCs, and MSSPs that support defense contractors are often pulled into CMMC assessments as part of the contractor’s boundary and/or as part of flow-down requirements. These providers are then responsible for supplying evidence of their control implementation to every customer undergoing an audit.

Getting CMMC compliant yourself can reduce the burden of participating in each of your customers’ assessments, and strengthen your security posture and competitive advantage.

7. CMMC certification is a competitive advantage

While some view CMMC compliance as a cost of doing business, others see it as an opportunity to stand out in a crowded market.

As of June 2025, Secureframe customer Manufacturing Consulting Concepts (MCC) had already achieved CMMC Level 2 compliance and can provide that assurance when customers ask for proof.

Getting CMMC certified—particularly at a higher level—can remove barriers to entry to the defense market, primes’ supply chains, and contracts with more sensitive data.

Whether you’re a subcontractor handling FCI, SPD, or CUI or a prime bidding on major defense contracts, prioritizing readiness now is the best way to prevent bottlenecks or lost business later.

8. CMMC is significantly more complex than other frameworks

Many organizations mistakenly assume that CMMC will be similar to frameworks they’ve already achieved, like SOC 2 or ISO 27001. But that’s not the case.

“Coming from an organization that has gone through SOC 2 and ISO 27001 certification—and as an auditor who has performed hundreds of PCI audits—I can say that CMMC is on another level,” said Marc Rubbinaccio, Head of Security and Compliance at Secureframe, in a recent IQT GPA webinar.

That complexity shows up in every stage of the process—from defining your scope and implementing 110 NIST 800-171 controls, to developing extensive documentation like your System Security Plan (SSP), which can stretch well beyond 150 pages. Waiting too long to prepare means you’re not just racing against the clock—you’re doing so with one of the most demanding federal compliance frameworks out there.

Taken together, these eight factors make CMMC readiness not only a regulatory requirement, but a critical operational and competitive priority for every organization in the defense supply chain.


Why automation matters now in Phase 1 more than ever

Now that Phase 1 is live, the DIB faces a readiness crisis that manual processes cannot solve. Even with consultants, the usual spreadsheets, ad hoc remediation lists, manual evidence collection, and similar processes cannot scale in time.

Automation is the only path forward. The right tool can:

  • Eliminate countless hours of manual evidence collection
  • Automatically map controls to CMMC level requirements and identify gaps
  • Simplify generation and management of required documentation (including SSP, POA&M, and SPRS scores)
  • Monitor controls continuously and detect configuration drift
  • Slash average readiness timelines (6–12 months) in half
  • Keep you assessment-ready year-round

These efficiencies are key now that CMMC assessments and annual affirmations are enforceable obligations.


How Secureframe can help you get CMMC ready and keep government contracts

With Phase 1 now officially in effect, the window for CMMC readiness is open for tens of thousands of organizations across the DIB—and shrinking fast. The organizations that move quickly and adopt automation will be the ones that avoid delays, minimize costs, and maintain contract eligibility as CMMC requirements begin appearing in awards and solicitations.

Secureframe Federal helps defense contractors, subcontractors, and service providers achieve readiness faster, more consistently, and with fewer internal resources by automating the hardest parts of CMMC:

  • Automatically assess compliance gaps and collect evidence across your tech stack for all 15 requirements and 58 assessment objectives for Level 1, or all 110 requirements and 320 assessment objectives for Level 2.
  • Generate your SSP, POA&M, and live SPRS score automatically, without spreadsheets or manual formatting.
  • Use the Federal Navigator for guided implementation, with step-by-step workflows, AI-powered remediation guidance, and pre-written policy templates mapped to NIST 800-171 and CMMC.
  • Continuously monitor controls and detect configuration drift across 400+ integrations to maintain year-round compliance.
  • Simplify assessments with the Auditor Module, allowing Coalfire Federal or your chosen C3PAO to securely access evidence and machine-readable SSP exports to reduce delays.
  • Map CMMC controls to 50+ other frameworks, including FedRAMP, GovRAMP, and NIST 800-53, to streamline multi-framework compliance.
  • Complete training, asset inventory, vendor due diligence, risk management, and policy updates directly within the platform to support ongoing compliance.

CMMC is happening. Whether you’re just getting started or need to accelerate in the final stretch, Secureframe gives you the tools and support to fast-track CMMC certification and stay eligible for new and existing contracts.

Schedule a demo to see how Secureframe can help you get CMMC ready fast while keeping costs low.

This post was originally published on July 24, 2025 and has been updated for accuracy and comprehensiveness to reflect updates in the 48 CFR rulemaking process, including the beginning of CMMC Phase 1 enforcement.


Anna Fitzgerald

Senior Content Marketing Manager

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.