Cybersecurity Briefing — November 2025: DoD CMMC Phase 1 enforcement locks into solicitations
DoD’s final DFARS rule activating the Cybersecurity Maturity Model Certification programme takes effect 10 November 2025, triggering Phase 1 Level 1 and Level 2 self-assessments on covered solicitations and option exercises.
Executive briefing: The Department of Defense’s 10 September 2025 Defense Federal Acquisition Regulation Supplement (DFARS) final rule takes effect 10 November 2025, enabling contracting officers to insert the Cybersecurity Maturity Model Certification (CMMC) clause into awards that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Phase 1 demands that primes and subcontractors demonstrate Level 1 or Level 2 self-assessment statuses in the Supplier Performance Risk System (SPRS) before award, with DoD empowered to flow the requirement into option periods on existing vehicles.
Key compliance pressure points
- Phase 1 gating. Beginning 10 November, solicitations that include DFARS 252.204-7021 will condition award on CMMC Level 1 (Self) or Level 2 (Self) attestations, and program managers can elevate to Level 2 (C3PAO) where higher assurance is required.
- Option exercises. DoD may apply Phase 1 requirements when extending option periods on contracts awarded before the effective date, forcing incumbents to remediate CMMC gaps ahead of renewal decisions.
- Conditional status limits. Conditional Level 2 approvals tied to Plans of Action and Milestones (POA&Ms) expire after 180 days, meaning POA&M items from self-assessments must be closed quickly to maintain eligibility.
Operational priorities for November
- Map portfolio exposure. Inventory open solicitations, recompetes, and options that will process FCI or CUI to confirm which awards will immediately require Level 1 or Level 2 self-assessments.
- Seal SPRS packages. Complete 32 CFR 170.21 self-assessment uploads—including affirmation letters and POA&M closure evidence—so contracting officers see current CMMC UIDs before bid submission.
- Prime–sub coordination. Require subcontractors supporting covered information flows to evidence matching CMMC levels and to register their CMMC unique identifiers against the correct SPRS records.
Enablement moves
- Cross-train vendor oversight, procurement, and cyber leads so that management of the DFARS 252.204-7021 clause mirrors the service-provider governance refinements driven by the SEC Regulation S-P incident-response deadline on 18 November.
- Embed CMMC readiness checkpoints into November board and programme reviews so executives see option-period risk alongside Reg S-P breach-notification rehearsals.