Federal Contractor's Guide to the CMMC Program

CMMC requirements are now active and being phased into applicable DoD solicitations and contracts, making current CMMC status a condition of contract award for covered Defense Industrial Base (DIB) participants. An essential guide to the official requirements and timeline for safeguarding your DoD…

Updated May 2026

Overview


On October 15, 2024, the CMMC Program rule (32 CFR Part 170) was published in the Federal Register, formally establishing the Cybersecurity Maturity Model Certification (CMMC) program.

This was followed by the final acquisition rule amending the Defense Federal Acquisition Regulation Supplement (DFARS), published September 10, 2025, which took effect on November 10, 2025. With this step, DoD began phasing CMMC requirements into applicable solicitations and contracts. For many contractors, this transition can feel overwhelming.

As a CMMC RPO, we've broken down the latest developments, key milestones, and what you should be doing right now to avoid disruptions. This article contains important information that can ease your CMMC Journey.


CMMC Assessments and Contract Requirements

  • The 32 CFR Part 170 rule took effect December 16, 2024, authorizing C3PAO certification assessments to begin. The DFARS acquisition rule took effect November 10, 2025, enabling DoD to include CMMC requirements in applicable solicitations and contracts.
  • CMMC applies to new contracts and task orders awarded on or after November 10, 2025. Incorporation of CMMC requirements into existing contracts requires a bilateral modification.
  • CMMC does not apply to contracts solely for the acquisition of Commercial Off-The-Shelf (COTS) items.
  • Prime contractors that receive flowed-down CMMC requirements must pass those requirements to subcontractors that will process, store, or transmit FCI or CUI on covered contractor information systems. The required CMMC level for a subcontractor follows the information it handles; it is not automatically the same as the prime's level.
  • If you haven't started preparing, now is the time: Phase 2 (requiring C3PAO certification assessments for most CUI contracts) begins November 10, 2026.

CMMC Phase-In Timeline

  • Phase 1 (Nov 10, 2025 to Nov 9, 2026) is underway: applicable solicitations now include primarily Level 1 and Level 2 self-assessment requirements. Note that DoD may also require a Level 2 C3PAO certification assessment in select Phase 1 procurements. Phase 2 begins November 10, 2026. Phase 3 begins November 10, 2027. Phase 4 (full implementation) begins November 10, 2028. The exhibit below outlines the four stages of the CMMC rollout roadmap.
Exhibit 1: CMMC is being rolled out in 4 phases

CMMC Levels and Assessment Types

CMMC has three levels, each matched to the sensitivity of the information handled and the degree of risk.

  • Level 1 (Foundational, 15 practices): Required where applicable for contractors whose covered systems process, store, or transmit FCI.
    Assessment type: annual self-assessment by the organization (OSA). Results and annual affirmation submitted to SPRS. POA&Ms not permitted. All 15 requirements must be met before submission.
  • Level 2 (Advanced, 110 practices): Required where applicable for contractors whose covered systems process, store, or transmit CUI. Aligned to NIST SP 800-171 Rev. 2.
    Assessment type: (a) self-assessment (OSA) for a defined subset of contracts, results submitted to SPRS; or (b) C3PAO Certification Assessment (OSC) for most CUI contracts, results submitted to CMMC eMASS. Annual affirmation for both paths is always submitted to SPRS. Assessment is valid for 3 years. Annual affirmation is required each year in between.
  • Level 3 (Expert, 110 + 24 practices): Required for select acquisitions involving CUI requiring enhanced protection against Advanced Persistent Threats (APTs). Includes all Level 2 requirements plus 24 identified requirements from NIST SP 800-172 (Feb 2021), as detailed in Table 1 to 32 CFR §170.14(c)(4).
    Prerequisite: the organization must hold Final CMMC Level 2 status (via C3PAO certification assessment) for the same assessment scope before a Level 3 assessment can begin.
    Assessment type: government-led CMMC Level 3 Certification Assessment conducted by DCMA DIBCAC (OSC). Results submitted to CMMC eMASS. Annual affirmations for both Level 2 (C3PAO) and Level 3 must be maintained annually in SPRS.
Exhibit 2: Comparison of the 3 levels of CMMC

Preparing for a CMMC Level 2 Certification Assessment Requires Meaningful Lead Time

  • Most Level 2 contractors require 6 to 18 months or more of preparation, spanning scoping, gap analysis, remediation, documentation, and evidence gathering, before they are ready for a formal certification assessment. The timeline depends on organization size, complexity, and starting cybersecurity posture.
  • Delaying preparation risks contract ineligibility and assessment scheduling backlogs as C3PAO demand increases in Phase 2.

Prime Contractors Have Dual Compliance Responsibilities

  • Prime contractors must maintain their own required CMMC status and flow down CMMC requirements to subcontractors where those subcontractors will process, store, or transmit FCI or CUI. The required level for each subcontractor is determined by the type of information it handles, not by the prime's level.
  • Subcontractors that cannot demonstrate the required CMMC status risk removal from the supply chain.

CMMC Enclaves Can Reduce Scope and Cost

  • Consider using a CMMC enclave, a logically or physically segmented environment dedicated to processing, storing, and transmitting CUI, to reduce the number of systems, users, and processes that must meet CMMC requirements.
  • An enclave can serve as either a transition strategy or a permanent scoping approach. Because CMMC requirements apply only to in-scope systems, proper enclave design directly reduces assessment complexity and compliance cost.

Cloud Service Providers Must Meet DoD Requirements

  • Cloud Service Providers (CSPs) processing, storing, or transmitting CUI must meet the FedRAMP Moderate baseline or a DoD-recognized equivalent, as required under DFARS 252.204-7012. Contractors can verify currently authorized CSPs at marketplace.fedramp.gov.
  • Do not rely on vendor marketing claims alone. Verify each CSP's current FedRAMP authorization status and applicability to your specific contract requirements before selecting a platform.

External Service Providers and MSPs Must Be Evaluated for CMMC Scope

  • Service providers must be evaluated as External Service Providers (ESPs) when they process, store, or transmit CUI, or when they provide security protection for the contractor's covered systems. ESPs that meet this threshold must be included in the assessment scope. Use the applicable DoD CMMC Scoping Guide (available at dodcio.defense.gov) to make accurate ESP scoping determinations.

Why You Can't Afford to Wait on CMMC


CMMC requirements are now active. Phase 1 solicitations are already going out with CMMC requirements attached. Whether your obligation is Level 1 self-assessment, Level 2 self-assessment, Level 2 C3PAO certification, or Level 3 DIBCAC assessment, the clock is running. If you are not preparing now, you are already behind.

The Timeline Is Tighter Than You Think

Phase 1 (November 10, 2025 to November 9, 2026) is underway, primarily requiring Level 1 and Level 2 self-assessments. Phase 2 begins November 10, 2026, when most CUI contracts will require Level 2 C3PAO certification assessments. DoD may also begin requiring Level 3 in select Phase 2 procurements.

Even Level 1 and Level 2 self-assessments require real preparation. You need accurate scoping, documented controls, a current SSP, and a valid affirmation in SPRS. For Level 2 C3PAO, the preparation timeline is 6 to 18 months, and that's before you schedule the assessment itself.

C3PAO Capacity Is Finite

If your solicitation requires Level 2 C3PAO certification, you are competing for a limited pool of accredited assessors. As Phase 2 approaches, scheduling backlogs will grow. Early movers get assessed first. Contractors that wait until the deadline will compete for availability alongside everyone else who waited.

DOJ Is Already Coming After Non-Compliant Contractors

The False Claims Act does not follow the CMMC phase schedule. It applies today. If you are claiming compliance you don't have, whether through a self-assessment score in SPRS or a misrepresented certification status, you are exposed.

Legal action by the U.S. Department of Justice against Georgia Tech and Penn State University underscores the consequences of failing to implement required cybersecurity controls. Both cases involve failures under DFARS 252.204-7012 and NIST SP 800-171.

"Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information. The department's Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable."
Principal Deputy Assistant Attorney General Brian M. Boynton

Under the Civil Cyber-Fraud Initiative, organizations that misrepresent their CMMC status or cybersecurity posture face civil penalties and permanent exclusion from future DoD contracts, whistleblower-driven investigations, and contract termination for material cybersecurity failures. The DOJ recovered $52 million in FY2025 alone for cybersecurity noncompliance. This is not theoretical risk. It is active enforcement.

Two Rules Now Decide Whether You Stay in the Defense Supply Chain

Two final rules create the complete foundation for CMMC enforcement:

32 CFR Part 170 (published October 15, 2024; effective December 16, 2024) established the CMMC program structure, three certification levels, assessment types, and program roles. Under the program, contractors and subcontractors whose covered contractor information systems process, store, or transmit FCI or CUI must demonstrate the applicable CMMC status before contract award.

DFARS Clause 252.204-7021 (published September 10, 2025, Federal Register 90 FR 43560; effective November 10, 2025) integrates CMMC into the procurement process. Applicable DoD solicitations now include CMMC requirements, and offerors must hold the required CMMC status prior to award. The clause codifies a minimum passing score of 88 out of 110 requirements for Level 2, restrictions on which requirements may appear on a POA&M, a maximum 180-day closeout period measured from the Conditional CMMC Status Date, annual affirmation of continued compliance submitted to SPRS for all levels, and mandatory flowdown of CMMC requirements to applicable subcontractors.

Your Legacy SPRS Score Is Not a CMMC Status

A self-reported score under DFARS 252.204-7020 is not the same as a CMMC Status. Contracting officers will be looking for current CMMC status, whether that's a Level 1 self-assessment, a Level 2 self-assessment, a Level 2 C3PAO certification in eMASS, or a Level 3 DIBCAC certification in eMASS, each backed by a valid annual affirmation in SPRS. If you don't hold the required CMMC status when a solicitation requires it, you are ineligible for award. There is no grace period and no workaround.

Your Annual Affirmation Is Not Optional

This applies to every CMMC level and every assessment path. Miss your annual affirmation once and your CMMC Status goes inactive. Inactive status means ineligible for award on any solicitation that requires it. This is not a renewal reminder you can defer. It is a hard compliance gate.

Quick Reference: Where Your Results Go

  • Level 1 and Level 2 self-assessment scores go into SPRS.
  • Level 2 C3PAO and Level 3 DIBCAC certification results go into eMASS.
  • Annual affirmations for all levels, regardless of assessment type, are always submitted to SPRS.
  • To stay eligible: maintain current scores and affirmations in SPRS (Level 1; Level 2 self-assessment), maintain current C3PAO certification records in eMASS and annual affirmations in SPRS (Level 2 C3PAO; Level 3), and keep systems aligned with NIST SP 800-171 Rev. 2 (Level 2) and applicable NIST SP 800-172-derived requirements (Level 3).

Primes Are Already Filtering Their Supply Chains

If your prime holds CMMC status and you don't, you become the weak link. Primes have no incentive to wait for you. They have flowdown obligations under DFARS 252.204-7021 and they are already prioritizing subcontractors who can demonstrate the required status. If you can't, someone else in the supply chain will.

Your Competitors Are Moving

Every contractor that achieves the required CMMC status before you takes one more seat at the table you're not sitting at yet. Contractors that move early benefit from stronger prime and agency relationships ensuring long-term business stability, increased eligibility and access to high-value procurement opportunities, and enhanced cyber protection reducing breach and supply chain risk. In a market where contract award now depends on verified cybersecurity status, being ready first is a competitive advantage that compounds over time.

What CMMC Means for Your Defense Supply Chain


CMMC compliance is not just about your own organization. If you're a prime, your certification means nothing if your subcontractors can't meet the same standard when required. If you're a sub, waiting for your prime to tell you what to do puts your position in the supply chain at risk. The DoD designed CMMC with mandatory flowdown requirements precisely because the defense supply chain is only as secure as its weakest link.

Prime contractor: maintains own status and flows requirements down

  • Flow down DFARS 252.204-7021 and related clauses: Insert CMMC, safeguarding, and incident reporting clauses (DFARS 252.204-7012, 252.204-7020, and 252.204-7021) into every subcontract that will handle FCI or CUI.
  • Verify subcontractor CMMC status before award: Confirm the sub can demonstrate the required CMMC status for the information they will handle, prior to subcontract execution.
  • Evaluate ESPs, CSPs, and MSPs for CMMC scope: Assess each provider's role in processing or protecting CUI. Verify CSP FedRAMP status at marketplace.fedramp.gov.

Subcontractor: achieves and maintains CMMC status independently

  • Develop and maintain an SSP to NIST SP 800-171 Rev. 2: Document system boundary, asset categorization, and implementation status for every applicable control.
  • Run internal gap analyses and remediate: Identify and close control deficiencies before scheduling a formal assessment. Track open items in a POA&M.
  • Conduct readiness reviews and prepare evidence: Align preparation to the applicable assessment type (self-assessment or C3PAO certification) before engaging a C3PAO.
  • Invest in cybersecurity within scope, start early: Concentrate spend inside the defined assessment boundary. The process can take a year or more.

If You're a Prime, Your Compliance Includes Your Subs

Prime contractors must maintain their own CMMC status and flow down CMMC requirements to applicable subcontractors. This means flowing down DFARS 252.204-7021 and related clauses to subcontractors that will handle FCI or CUI, verifying that subcontractors can demonstrate the required CMMC status where applicable prior to subcontract award, and evaluating ESPs, CSPs, and MSPs for CMMC scope based on their role in processing or protecting CUI. Verify CSP FedRAMP status at marketplace.fedramp.gov.

If You're a Sub, No One Else Can Get Certified for You

Subcontractors receiving flowed-down CMMC requirements must achieve and maintain the applicable CMMC status on their own. That means developing and maintaining a System Security Plan (SSP) aligned to NIST SP 800-171 Rev. 2, conducting internal gap analyses and remediating deficiencies before scheduling a formal assessment, completing thorough readiness reviews and evidence preparation aligned to the applicable assessment type (self-assessment or C3PAO certification assessment) before engaging a C3PAO, and investing in cybersecurity improvements within the defined assessment scope. Begin early. The process can take a year or more.

CMMC Program Structure and Implementation


The CMMC Program is governed by 32 CFR Part 170 (the program rule) and implemented contractually through the DFARS clauses summarized below.

  • DFARS 252.204-7012: Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting
  • DFARS 252.204-7019: NIST SP 800-171 Assessment Requirements (notification of prior assessments)
  • DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements (SPRS submission)
  • DFARS 252.204-7021: CMMC Requirements (required CMMC status at award)
  • DFARS 252.204-7025: Notice of CMMC Level Requirements (solicitation provision; effective November 10, 2025, requires offerors to submit current CMMC status and affirmation in SPRS as a condition of award eligibility)

Contractors are evaluated as Organizations Seeking Assessment (OSA) for self-assessment paths or Organizations Seeking Certification (OSC) for C3PAO and DIBCAC certification paths, and must demonstrate the applicable CMMC status before contract award whenever the solicitation requires it.

Four-Phase Rollout and Key Compliance Requirements

The DoD is implementing CMMC requirements through four phases. However, DoD may impose Level 2 C3PAO requirements in some Phase 1 contracts, or Level 3 requirements in some Phase 2 contracts, which may limit competition or drive cost. As a defense contractor, you should always review each solicitation carefully.

  • Status at time of award: The required CMMC status must be current and valid at the time of contract award. For self-assessments, scores and affirmations must be current in SPRS. For C3PAO certification assessments, the assessment record must be in CMMC eMASS and the affirmation current in SPRS.
  • Annual affirmation: The designated Affirming Official must affirm continuing compliance annually via SPRS, for all CMMC levels and all assessment paths.
  • CMMC Status validity: 3 years from the CMMC Status Date (Level 2 and Level 3). For Level 1, annual reassessment and affirmation are required.
  • Existing contracts: CMMC requirements apply to new contracts and task orders awarded on or after November 10, 2025. Incorporation into existing contracts requires a bilateral modification.
  • NIST SP 800-171 version: Level 2 is currently aligned to Rev. 2. Monitor dodcio.defense.gov/CMMC for any future transition to Rev. 3.
  • Full implementation deadline: November 10, 2028.
Exhibit 4: CMMC compliance takes anywhere between 3 and 24 months depending on level, company, and existing cybersecurity infrastructure

Key Elements of the CMMC Community

Understanding the CMMC community helps contractors identify the right partners and verify credentials before engaging for assessment or consulting services.

  • DoD CIO CMMC PMO: Program oversight and official guidance. Primary resource: dodcio.defense.gov/CMMC.
  • CMMC Accreditation Body (Cyber AB): Accredits C3PAOs and RPOs. Maintains the Marketplace. Resource: cyberab.org/marketplace.
  • CAICO (Cyber Assessor and Instructor Certification Organization): Certifies individual CMMC professionals: Certified CMMC Professional (CCP), Certified CMMC Assessor (CCA), and Certified CMMC Instructor (CCI).
  • C3PAO (Certified Third-Party Assessment Organization): Accredited by the Cyber AB to conduct Level 2 Certification Assessments. Find accredited C3PAOs at cyberab.org/marketplace.
  • DCMA DIBCAC (Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center): Conducts Level 3 government-led Certification Assessments and oversees C3PAO assessment quality.
  • RPO (Registered Provider Organization): Registered with the Cyber AB to provide CMMC consulting and implementation support. RPOs do not conduct assessments.

CMMC Path From Readiness to the Required Assessment Level


Achieving the required CMMC status is a structured, multi-step process. A well-planned approach reduces compliance risk, avoids assessment backlogs, and protects your business from contract ineligibility and legal exposure.

Key Steps in the Journey to CMMC Compliance

Defense contractors and subcontractors must take proactive steps to prepare for certification, mitigate risks, and maintain contract eligibility.

Here are broad steps contractors should take to become CMMC Compliant:

  1. Consult an RPO or CMMC Advisor: Engage a Registered Provider Organization (RPO) or qualified advisor to understand your obligations, define scope, identify gaps, and build a compliance roadmap. Find RPOs at cyberab.org/marketplace.
  2. Build an Internal CMMC Team: Designate a task force to manage documentation, track remediation, and coordinate assessment readiness.
  3. Determine Your Required CMMC Level and Assessment Path: Review solicitation language. Confirm whether Level 1, Level 2 self-assessment, Level 2 C3PAO, or Level 3 applies, and plan accordingly for the Phase 2 C3PAO requirement arriving November 2026.
  4. Define Your Assessment Scope: Use the applicable DoD CMMC Scoping Guide to map all in-scope assets, security protection assets, out-of-scope assets, and external service providers that process, store, or transmit FCI or CUI.
  5. Conduct a Gap Analysis and Remediate: Compare your posture against NIST SP 800-171 Rev. 2. Implement required controls: MFA, encryption, access control, audit logging, configuration management, and incident response.
  6. Build Required Documentation: Develop an SSP describing your boundary, environment, and how each requirement is met. Prepare a POA&M for any allowable gaps, non-critical requirements only, with a 180-day closeout from the Conditional CMMC Status Date.
  7. Complete the Required Assessment:
    1. Level 1 → Annual self-assessment submitted to SPRS with Affirming Official affirmation.
    2. Level 2 (self-assessment) → Self-assessment submitted to SPRS with annual affirmation.
    3. Level 2 (C3PAO) → Engage an accredited C3PAO. Results to CMMC eMASS. Annual affirmation to SPRS.
    4. Level 3 → Must hold Final Level 2 C3PAO status first. DCMA DIBCAC conducts government-led assessment. Results to CMMC eMASS. Both Level 2 and Level 3 annual affirmations to SPRS.

Challenges For Small Businesses

For small and mid-sized defense contractors, achieving CMMC compliance presents significant hurdles. Addressing these challenges early ensures a smoother transition and positions your business for continued DoD contract eligibility.

  1. Resource limitations: Implementing the 110 NIST SP 800-171 controls requires time, personnel, and financial investment that is disproportionate for small organizations.
  2. Expertise gaps: Level 2 and Level 3 requirements demand cybersecurity depth many small businesses lack in-house.
  3. C3PAO availability: With Phase 2 beginning November 2026, C3PAO scheduling demand is rising. Early engagement is critical to avoid backlogs.
  4. Cost: Remediation, tools, consulting, and assessment fees can be significant. See the cost section for planning estimates.
  5. Misinformation: Large volumes of outdated guidance still circulate online. Rely only on dodcio.defense.gov/CMMC, cyberab.org, and official NIST publications.
Exhibit 8: CMMC compliance requires complying with practices from 17 cybersecurity domains

Tips for Small Businesses Managing CMMC Compliance

To reduce costs and simplify compliance, small businesses should focus on targeted, foundational strategies that minimize operational disruptions while ensuring adherence to CMMC requirements.

1. Understand Your CUI Footprint

Before implementing controls, you must understand what CUI you have and where it resides.

  • Confirm whether you actually handle CUI. The responsible contracting agency should identify what CUI you are obligated to protect under the contract.
  • Map your CUI data flow: where it enters, is stored, moves, and is accessed. This is the foundation of accurate scoping and directly drives your compliance cost.
Exhibit 9: Mapping the CUI flow is the most important step for accurate CMMC scoping

2. Limit the Scope with a "Compliance Enclave"

The CMMC security requirements only apply to the components of your systems that process, store, or transmit CUI. Appropriately scoping your environment is a critical strategy for managing costs and effort.

  • Isolate CUI to a defined, segmented environment to reduce the number of systems and users in scope.
  • Logical separation (firewalls, VLANs) or physical separation can achieve this. Only the enclave must meet the full CMMC requirements.

3. Create Foundational Documents, the SSP and POA&M

Documentation is not optional. It is a core component of compliance. Federal agencies use these documents as inputs for risk-based decisions about your systems.

  • System Security Plan (SSP): Required for all assessment paths. Describes your system boundary, environment, and how each requirement is met.
  • Plan of Action & Milestones (POA&M): Documents how unsatisfied non-critical requirements will be remediated. Allowable items must be closed within 180 days of the Conditional CMMC Status Date through a formal POA&M closeout assessment. Level 1 does not permit POA&Ms.

4. Process Before Technology

Many NIST SP 800-171 requirements can be met through documented policies and procedures, not new technology purchases. Identify process-based solutions before investing in tools.

5. Invest in Cybersecurity Training

  • Train all personnel before authorizing access to CUI. Cover recognized threats, social engineering, insider threats, and reporting procedures.
  • Free DoD resources: DAU offers free CMMC training at dau.edu/courses/cyb-1010 (CMMC Basics) and dau.edu/courses/cyb-1030 (CMMC Practitioner). CISA also provides free cybersecurity awareness resources.

6. Find Help When You Need It

  • Manufacturing Extension Partnerships (MEPs) and APEX Accelerators provide low-cost CMMC implementation support for small businesses.
  • The Cyber AB Marketplace (cyberab.org/marketplace) lists accredited C3PAOs and RPOs.
  • Explore state-funded cybersecurity grants and SBA programs for financial assistance with compliance costs.

7. Monitor Regulatory Updates

Follow dodcio.defense.gov/CMMC, the Cyber AB, and NIST for authoritative guidance. Do not rely on vendor blogs, industry associations, or non-official sources as substitutes for official requirements. The volume of outdated and inaccurate CMMC guidance online remains a serious challenge for the DIB.

Estimated Cost of CMMC Compliance

The cost of CMMC readiness and assessment varies significantly based on organization size, required level, IT complexity, existing cybersecurity posture, and scoping strategy. The figures below are market-based planning estimates only; they are not official DoD figures. Budget for preparation, remediation, documentation, ongoing maintenance, and assessment fees.

Estimated cost by level and assessment type:

  • Level 1 (annual self-assessment): ~$5,000–$15,000. Includes gap analysis, basic remediation, documentation, and internal labor.
  • Level 2 self-assessment (annual self-assessment): ~$15,000–$40,000. Includes more complex controls, SSP development, and internal labor.
  • Level 2 C3PAO certification assessment (C3PAO, every 3 years): ~$50,000–$150,000+. Includes remediation, tools, consulting, and the C3PAO certification assessment fee.
  • Level 3 DIBCAC certification assessment (government-led, DCMA DIBCAC): ~$150,000–$300,000+. Includes enhanced requirements (NIST SP 800-172) and DIBCAC-led assessment activity; also requires the prior Level 2 C3PAO cost.

Typical Cost Components

Businesses should budget for three main categories of expenses:

  • Preparation and remediation: Gap analysis, RPO/MSSP consulting fees, security tools (MFA, encryption, endpoint protection, SIEM, audit logging).
  • Documentation: SSP, policies, procedures, and POA&M development, whether in-house or via consultant.
  • Assessment fees: C3PAO certification assessment fee (Level 2) or DIBCAC assessment costs (Level 3). Fees vary by scope and complexity.
  • Recurring compliance: Annual affirmation labor, continuous monitoring, software licensing, and, for Level 2 C3PAO, a POA&M closeout assessment fee if Conditional Status was granted.
Exhibit 3: The Cost of CMMC Compliance outweighs the Cost of Non-Compliance

Managing Compliance Costs

While CMMC requires investment, strategic planning can help manage the financial impact:

  • Scope tightly: Enclave-based scoping is the most effective cost-reduction strategy.
  • Prioritize process solutions: Many controls can be met through documented procedures without new technology investment.
  • Start early: Spreading remediation over time is far less expensive than compressing it before an assessment deadline.
  • Seek assistance: MEPs and APEX Accelerators provide low-cost support for eligible small businesses.

Budgeting early for these various costs reduces financial strain and helps avoid last-minute expenses as certification deadlines approach.

Why Act Now?


With CMMC enforcement rolling out in phases, defense contractors and subcontractors must act early to prevent delays and ensure compliance before certification becomes mandatory. Phase 1 is already underway (since November 10, 2025) and Phase 2, which will require C3PAO Certification Assessments for most CUI contracts, begins November 10, 2026. That is approximately six months from now. Contractors that have not started preparing face serious risk.

  • Avoid C3PAO bottlenecks: C3PAO capacity is finite. As Phase 2 takes effect in November 2026, demand will surge. Organizations that delay risk being unable to schedule assessments in time for contract opportunities.
  • Strengthen your cybersecurity posture: Implementing NIST SP 800-171 Rev. 2 controls proactively reduces vulnerability exposure and increases the likelihood of achieving Final CMMC Status on the first assessment attempt.
  • Maintain competitive advantage: Solicitations increasingly require current CMMC status at time of award. Prime contractors are already prioritizing CMMC-ready subcontractors in their supply chains.
  • Reduce last-minute costs: Gradual implementation is significantly less expensive than compressing remediation into the weeks before an assessment.

Begin implementing the 110 NIST SP 800-171 Rev. 2 requirements now to ensure readiness for the applicable assessment path, whether self-assessment this year or C3PAO certification as Phase 2 approaches.

How an RPO Can Help with CMMC Compliance

A Registered Provider Organization (RPO) is a Cyber AB–registered consulting firm that helps contractors prepare for CMMC, defining scope, closing gaps, and producing the documentation and evidence a C3PAO or DIBCAC assessor will expect. RPOs do not conduct certification assessments themselves. That role is reserved for accredited C3PAOs (Level 2) and DCMA DIBCAC (Level 3). For small and mid-sized contractors that lack in-house cybersecurity depth, an RPO is typically the most efficient way to compress a 6-to-18-month readiness timeline (see the Estimated Cost of CMMC Compliance section above) without overburdening daily operations.

  • Strategic guidance: RPOs define CUI scope, conduct gap analyses, and create actionable roadmaps aligned to NIST SP 800-171 Rev. 2.
  • Technical implementation: RPOs support deployment of required controls, MFA, access control, encryption, audit logging, configuration management, and assist with enclave design to reduce scope.
  • Assessment Readiness: RPOs guide contractors through readiness reviews, SSP and POA&M development, and evidence preparation. These services identify gaps before the formal assessment, increase the likelihood of achieving Final CMMC Status on the first attempt, and accelerate the overall process.

Important: RPOs provide consulting and implementation support; they do not conduct CMMC Certification Assessments. Only accredited C3PAOs may conduct Level 2 Certification Assessments. Verify credentials at cyberab.org/marketplace before engaging any vendor.

Official CMMC Resources

The DoD continues to publish authoritative implementation materials, assessment guides, scoping guides, and SPRS guidance through the DoD CIO CMMC resource center at dodcio.defense.gov/CMMC.

Contractors should rely exclusively on current official DoD and Cyber AB sources for compliance planning. Do not rely on vendor marketing, industry blogs, or non-official guidance.

  • DoD CIO CMMC Program (dodcio.defense.gov/CMMC): Official program guidance, assessment guides, scoping guides, and implementation updates.
  • Cyber AB Marketplace (cyberab.org/marketplace): Find accredited C3PAOs and registered RPOs. Verify assessor and consultant credentials before engaging.
  • CMMC eMASS (for C3PAO and DIBCAC assessment results): Accessed through official DoD channels.
  • SPRS (sprs.csd.disa.mil): Submit and maintain Level 1 and Level 2 self-assessment scores and annual affirmations for all levels.
  • DAU Free CMMC Training: dau.edu/courses/cyb-1010 (CMMC Basics) and dau.edu/courses/cyb-1030 (CMMC Practitioner).
  • FedRAMP Marketplace (marketplace.fedramp.gov): Verify CSP authorization status before selecting a cloud platform for CUI.
  • NIST SP 800-171 Rev. 2 (csrc.nist.gov): The current authoritative standard for Level 2 security requirements.
  • NIST SP 800-172, Feb 2021 (csrc.nist.gov): Enhanced requirements applicable to Level 3.
