Introduction
November 10, 2025, marks the official effective date of the Cybersecurity Maturity Model Certification (CMMC) via a four-phased rollout approach. In development since the Department of Defense (DoD) first announced the program in 2019, this moment represents years of collaboration and a shared mission across the Defense Industrial Base (DIB): protecting the information that defines our national defense.
As adversaries grow more sophisticated, CMMC is the mechanism that unites the DIB under NIST SP 800-171 to strengthen cyber resilience, ensure supply chain integrity, and safeguard our nation’s data.
This blog breaks down what happens on November 10, what Phase 1 means, the timeline ahead, what you need to do right now, and how Redspin can help you stay mission-ready.
What is CMMC Phase 1?
CMMC Phase 1 represents the beginning of formal enforcement under the DoD’s final rule (48 CFR Part 7021 / DFARS 252.204-7021). As of November 10, new DoD contracts and solicitations may include CMMC requirements.
For contractors across the DIB, this means that your eligibility to:
- Accept new contract awards
- Secure or maintain Period of Performance (PoP) extensions
- Remain eligible for renewals or options, and
- Meet flowdown requirements
will depend on your demonstrated CMMC level of compliance and the specific requirements outlined in your contract(s).
While CMMC Phase 1 introduces a phased approach to rollout, any prime contractor, subcontractor, or the DoD itself may require any CMMC level at any time based on the sensitivity of the work, type of information handled, or contract conditions.
While many organizations have already implemented NIST SP 800-171 controls or self-attested under DFARS 7012, CMMC adds a new layer of accountability through third-party validation and verified evidence of compliance, ensuring trust and consistency across the entire DIB ecosystem.
Why it Matters
Phase 1 marks the official beginning of CMMC enforcement and the end of waiting.
Starting November 10, 2025, the Department of Defense (DoD) will begin including CMMC requirements in some contracts and solicitations.
This is the moment where CMMC officially moves from policy to practice.
Under Phase 1, contractors and subcontractors must now demonstrate a CMMC Status of Level 1 (Self) or Level 2 (Self) as a condition of contract award.
Per 32 CFR, the DoD also reserves the right to:
- Require those same levels as a condition for exercising an option period on an existing contract, and
- Substitute a Level 2 (C3PAO) assessment in place of a self-attestation for any solicitation or award at its discretion.
In other words, CMMC has entered the contract landscape.
While Phase 1 still relies on trust and self-attestation, it’s the first tangible step toward a verified, enforceable cybersecurity standard across the Defense Industrial Base.
We’re already seeing CMMC language appear in solicitations and contracts. This is just the beginning.
Organizations that take action now by updating their SPRS scores, completing a self-assessment, and preparing for third-party validation will be well-positioned when Phase 2 begins on November 10, 2026 (assuming the current timeline holds; the DoD reserves the right to change it at any time).
That next phase will move from self-attestation to formal C3PAO assessments for Level 2, and many assessment calendars are already filling up well into next year.

Those who get ahead in Phase 1 will avoid the backlog, reduce risk to contract eligibility, and stay competitive as CMMC requirements expand.
Bottom line: Phase 1 may still run on trust, but it’s also the start of accountability, and the countdown to full certification has officially begun.
The Four-Phase Rollout Timeline
The CMMC rollout will take place over four years, from November 2025 through November 2029, with each phase introducing additional certification requirements.
Note: Ultimately, your CMMC requirements will be determined by your contracts, not this schedule.
As mentioned above, some solicitations and renewals are already requiring full CMMC Level 2 certification through a formal C3PAO assessment. At Redspin, we are already helping clients prepare for Level 3.
Deciding when and how to certify is ultimately a business decision, but those who act early will have greater flexibility, fewer delays, and a competitive edge when CMMC clauses appear in their next contract.
Here is a breakdown of the four-phased approach:
Phase 1: Self-Assessment Begins (November 10, 2025 – November 10, 2026)
Phase 1 marks the official start of CMMC enforcement. Beginning November 10, 2025, CMMC becomes a condition of contract award for certain DoD solicitations and renewals. Contractors will need to demonstrate proof of either a Level 1 (Self) or Level 2 (Self) assessment before award.
This initial phase focuses on self-assessment, where contractors are responsible for evaluating and documenting their cybersecurity practices against NIST SP 800-171 and submitting results to the Supplier Performance Risk System (SPRS).
During this phase, the DoD may also:
- Require Level 1 (Self) or Level 2 (Self) for option periods on existing contracts.
- Replace Level 2 (Self) with Level 2 (C3PAO) for certain solicitations or contracts based on mission sensitivity or data risk.
Phase 1 is your opportunity to finalize documentation, validate controls, and prepare before third-party assessments become mandatory. Getting organized now will position you ahead of the curve as the program expands.
Phase 2: C3PAO Assessments Begin (November 10, 2026 – November 10, 2027)
In Phase 2, the DoD begins requiring Level 2 (C3PAO) assessments for applicable contracts. Contractors handling Controlled Unclassified Information (CUI) will need formal third-party validation by an authorized C3PAO to be eligible for award.
The DoD may also introduce Level 3 (DIBCAC) assessments for select critical programs. This is the first major transition from self-attestation to independent verification.
Assessment backlogs are expected as organizations across the DIB rush to schedule their reviews. Contractors who secure their assessment slots early will avoid delays and maintain eligibility for upcoming solicitations.
Phase 3: Expanded Enforcement (November 10, 2027 – November 10, 2028)
Phase 3 expands the enforcement of CMMC requirements. All applicable contracts will now require Level 2 (C3PAO) certification both at award and when exercising option periods.
Additionally, Level 3 (DIBCAC) certification becomes mandatory for critical programs and contracts involving higher sensitivity data.
This phase significantly narrows the window for organizations that have delayed compliance efforts. Those who have not yet achieved certification by this point may face contract ineligibility or extended downtime waiting for assessment availability.
Phase 4: Full Implementation (November 10, 2028 and Beyond)
By Phase 4, the CMMC program reaches full implementation. The DoD will include CMMC requirements in all applicable solicitations and contracts, including option periods on those awarded before this date.
At this point, CMMC certification is no longer optional — it is a baseline requirement for doing business with the Department of Defense. Contractors that have not yet completed certification will be unable to accept new covered contracts or retain existing ones.
Looking ahead, Phase 4 also marks an exciting point of reflection for the broader federal landscape. By this time, the ripple effects of CMMC could extend beyond the DoD, influencing cybersecurity standards across other government agencies and sectors. Many within the ecosystem anticipate that CMMC’s model, rooted in verified/measurable compliance, will serve as a blueprint for safeguarding sensitive data throughout the federal supply chain.
As CMMC achieves full adoption within the DIB, we’ll be watching to see which agencies follow suit and how this shared framework continues to elevate cybersecurity maturity across the nation.
Summary of Phases
- Phase 1 (2025–2026): Self-assessment required for Level 1 and Level 2.
- Phase 2 (2026–2027): Third-party C3PAO assessments begin for Level 2.
- Phase 3 (2027–2028): Level 2 (C3PAO) and Level 3 (DIBCAC) required broadly.
- Phase 4 (2028+): Full enforcement across all DoD contracts.
6 Things You Need to Do Now
Confirm Your Contract Requirements
Ask your Contracting Officer (KO) or prime whether CMMC applies to your current or upcoming solicitations.
Update Your SPRS Score
Ensure your Supplier Performance Risk System entry accurately reflects your NIST 800-171 implementation status.
Identify Your CMMC Level
Determine what Level you need based on the data you handle (FCI vs CUI). Make sure to consider future business goals and growth.
Schedule a Readiness or Mock Assessment
Treat this as a dress rehearsal to validate readiness and avoid surprises during your formal assessment.
Engage Your Service Providers
Your Managed Service Providers, Cloud Providers, and IT partners may be in scope; verify their CMMC readiness, too.
Start Now
Because assessment backlogs are already forming.
Common Questions
Q: Do we need to be certified today?
A: Not yet, but your next contract or option modification could require it. Be ready before that date arrives.
Q: Will CMMC apply to subcontractors?
A: Yes, all entities handling CUI or FCI must meet the appropriate Level of compliance.
Q: When should we schedule our assessment?
A: Now. C3PAO capacity is limited, and wait times will increase as Phase 2 approaches.
How Redspin Helps
Redspin was one of the first Authorized C3PAOs, has the largest in-house team of assessors, and has completed more CMMC assessments than any other organization in the ecosystem. Our team has guided hundreds of DIB companies through every stage of readiness and certification.
Our services include:
- Gap & Mock Assessments to test readiness under real-world conditions
- Remediation and Consulting Support to close gaps and align evidence
- Formal CMMC Level 2 Assessments by our experienced C3PAO team
- Compliance Maintenance and Cloud Solutions to maintain compliance between recertifications and tackle CMMC quickly and affordably
Redspin helps you not just pass the test, but live the controls, building cyber resilience that endures beyond assessment day.
Book a meeting to get CMMC certified with Redspin: