November 2025: DoD CMMC Phase 1 enforcement locks into solicitations
CMMC is finally here. Starting November 10, 2025, DoD contracting officers can require Cybersecurity Maturity Model Certification for contracts handling FCI or CUI. If you are in the defense industrial base and have not uploaded your self-assessment to SPRS yet, you are running out of time. And yes, they can add the requirement to option periods on existing contracts too.
Reviewed for accuracy by Kodi C.
The Department of Defense’s 10 September 2025 Defense Federal Acquisition Regulation Supplement (DFARS) final rule takes effect 10 November 2025, enabling contracting officers to insert the Cybersecurity Maturity Model Certification (CMMC) clause into awards that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Phase 1 demands that primes and subcontractors show Level 1 or Level 2 self-assessment statuses in the Supplier Performance Risk System (SPRS) before award, and DoD may also flow the requirement into option periods on existing vehicles.
Key compliance pressure points
- Phase 1 gating. Beginning 10 November, solicitations that include DFARS 252.204-7021 will condition award on CMMC Level 1 (Self) or Level 2 (Self) attestations, and program managers can elevate to Level 2 (C3PAO) where higher assurance is required.
- Option exercises. DoD may apply Phase 1 requirements when extending option periods on contracts awarded before the effective date, forcing incumbents to remediate CMMC gaps ahead of renewal decisions.
- Conditional status limits. Conditional Level 2 approvals tied to Plans of Action and Milestones (POA&Ms) expire after 180 days, meaning POA&M items from self-assessments must be closed quickly to maintain eligibility.
Operational priorities for November
- Map portfolio exposure. Inventory open solicitations, recompetes, and options that will process FCI or CUI to confirm which awards will immediately require Level 1 or Level 2 self-assessments.
- Seal SPRS packages. Complete 32 CFR 170.21 self-assessment uploads—including affirmation letters and POA&M closure evidence—so contracting officers see current CMMC UIDs before bid submission.
- Prime–sub coordination. Require subcontractors supporting covered information flows to evidence matching CMMC levels and to register their CMMC unique identifiers against the correct SPRS records.
References
- Federal Register — DFARS CMMC final rule (Case 2019-D041)
- DoD Office of Small Business Programs — “It’s Official: CMMC Has Landed”
- eCFR — 32 CFR 170.3 phased CMMC setup
Security Architecture Considerations
Security architecture should account for the implications of CMMC across the technology stack. Defense-in-depth principles call for multiple layers of controls that address different attack vectors and failure modes: network segmentation, endpoint protection, identity controls, and application security measures should work together to reduce overall risk exposure, and segmentation of the systems that handle FCI or CUI also keeps the assessment boundary small.
Threat modeling exercises should incorporate the attack patterns and techniques that target the defense industrial base. Understanding adversary capabilities and likely attack paths focuses defensive investment and ensures controls address realistic threats rather than theoretical risks.
Security Monitoring and Response
If you are affected, implement continuous monitoring to detect and respond to security incidents involving the systems that process FCI or CUI. Security operations centers should update detection rules, threat hunting hypotheses, and incident response procedures to cover the in-scope enclave and the attack patterns that target it. Regular testing of detection and response capabilities ensures readiness to handle related security events.
Post-incident analysis should document lessons learned and drive improvements to preventive and detective controls. Information sharing with industry peers and sector-specific information sharing organizations contributes to collective defense against common threats.
CMMC Level 1 vs Level 2 assessment requirements
Phase One focuses on Level 1 (self-assessment for FCI) and Level 2 (third-party assessment for CUI). Contractors should verify which level applies to their contracts and begin assessment preparation as needed. Level 2 requires CMMC Third-Party Assessment Organization (C3PAO) engagement—lead times may extend as demand increases.
Organizations handling both FCI and CUI across different contracts may need separate enclaves or unified Level 2 setup to simplify compliance posture.
Plan of Action and Milestones (POA&M) requirements
CMMC allows limited use of Plans of Action and Milestones for certain controls not yet fully implemented. However, POA&Ms have stricter timelines and scope limitations compared to NIST SP 800-171 self-assessments. If you are affected, minimize POA&M reliance by achieving full compliance before assessment.
Controls related to access control, identification and authentication, and audit logging typically cannot be addressed through POA&Ms—these must be fully implemented at assessment time.
Scoping and asset categorization
CMMC assessments scope to systems processing, storing, or transmitting CUI or FCI. Accurate asset categorization prevents over-scoping (unnecessary compliance costs) and under-scoping (compliance gaps). Network segmentation between CUI-handling systems and general IT infrastructure can reduce assessment scope.
Document data flows and system boundaries clearly to support C3PAO assessors in understanding the assessment scope.
Supply chain flow-down requirements
Prime contractors must flow CMMC requirements to subcontractors handling CUI. Subcontract modifications should specify required CMMC levels and assessment timelines. Primes may need to assist smaller suppliers in achieving compliance to maintain supply chain continuity.
Joint ventures and teaming arrangements require clear delineation of which entity handles CUI and bears assessment responsibility.
SPRS score and assessment coordination
The Supplier Performance Risk System (SPRS) score from NIST SP 800-171 self-assessment remains relevant during CMMC transition. Maintain current SPRS submissions while preparing for formal CMMC assessment. C3PAO assessors will review prior self-assessment documentation as part of the evaluation process.
Evidence collection and documentation practices
CMMC assessments require evidence demonstrating control setup. Establish documentation standards early: screenshots of configuration settings, policy documents with approval signatures, training completion records, and audit logs showing control operation. Organize evidence by control family for efficient assessor review.
Automated evidence collection through GRC platforms or compliance tools reduces manual effort and ensures consistent documentation quality across assessment cycles.
Continuous monitoring and compliance maintenance
CMMC certification requires ongoing compliance, not just point-in-time assessment. Implement continuous monitoring to detect configuration drift, policy violations, and control failures. Annual affirmations confirm continued compliance between assessment cycles.
Assessment preparation checklist
Before engaging a C3PAO, complete internal readiness review. Verify all 110 NIST SP 800-171 controls (Level 2) or 17 FAR 52.204-21 controls (Level 1) are implemented with supporting evidence. Address known gaps and document any POA&M items with realistic remediation timelines. Pre-assessment preparation reduces assessment duration and costs.
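As an added example (not code from the article or from DoD), a small Python readiness tracker that encodes the rules stated in the POA&M and checklist sections above: the control counts per level, the 180-day conditional-status window, and the control families the article says cannot sit on a POA&M. The two-letter family codes, the sample item numbers and the status strings are assumptions, and the model is a simplification rather than the official 32 CFR 170 scoring logic.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Rule parameters as the article describes them (simplified model, not the
# official 32 CFR 170 scoring logic).
CONTROL_COUNTS = {1: 17, 2: 110}        # FAR 52.204-21 / NIST SP 800-171
CONDITIONAL_STATUS_DAYS = 180           # life of a conditional Level 2 status
NO_POAM_FAMILIES = {"AC", "IA", "AU"}   # access control, ident/auth, audit

@dataclass(frozen=True)
class PoamItem:
    control_id: str   # NIST SP 800-171 requirement number, e.g. "3.4.2"
    family: str       # two-letter family code for that requirement (assumed)
    closed: bool = False

def poam_blockers(items):
    """Open POA&M items in families that must be fully implemented at assessment."""
    return [i for i in items if not i.closed and i.family in NO_POAM_FAMILIES]

def conditional_expiry(granted: date) -> date:
    """Last day a conditional Level 2 status granted on `granted` remains valid."""
    return granted + timedelta(days=CONDITIONAL_STATUS_DAYS)

def readiness(level, implemented, items, granted=None, today=None):
    """Summarise readiness for one enclave: `implemented` controls are fully in
    place, `items` are the POA&M entries, `granted` is the conditional status date."""
    today = today or date.today()
    open_items = [i for i in items if not i.closed]
    blockers = [i.control_id for i in poam_blockers(items)]
    report = {"level": level, "gap": CONTROL_COUNTS[level] - implemented,
              "open_poam": len(open_items), "blockers": blockers}
    if blockers:
        report["status"] = "NOT READY: implement blocker controls before assessment"
    elif report["gap"] <= 0 and not open_items:
        report["status"] = "FULL"
    elif granted is None:
        report["status"] = "GAPS OPEN: no conditional status recorded"
    else:
        left = (conditional_expiry(granted) - today).days
        report["days_left"] = left
        report["status"] = "CONDITIONAL EXPIRED" if left < 0 else f"CONDITIONAL ({left} days left)"
    return report

# Constructed sample: two open items (one in a blocker family), one already closed.
SAMPLE_ITEMS = [PoamItem("3.1.12", "AC"), PoamItem("3.4.2", "CM"),
                PoamItem("3.14.6", "SI", closed=True)]
```

Run `readiness(2, 108, SAMPLE_ITEMS, granted=date(2025, 11, 10))` to see the open access-control item reported as a blocker that must be closed before the assessment rather than carried on the POA&M.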
Cost planning and resource allocation
Budget for CMMC compliance includes assessment fees (C3PAO costs vary by scope), remediation investments, and ongoing compliance maintenance. Assessment costs typically range from $20,000 to $100,000+ depending on system complexity and organization size. Factor in internal staff time for evidence preparation and assessment support.
What This Really Means for Your Business
Let us cut through the regulatory jargon: if you are doing business with the DoD, the clock is ticking. This is not just another compliance checkbox—it is a shift in how the defense industrial base proves cybersecurity readiness.
Companies that began preparation early are in the driver's seat for contracts. Those still scrambling face a choice: rush through compliance (risking costly mistakes) or watch competitors win opportunities.
Advice from the Trenches
Here's what official guidance will not tell you: successful companies are not treating CMMC as a one-time project. They are building compliance into daily operations rather than an annual fire drill. That mindset shift makes all the difference.