CMMC 2.0 Phase 1 went into effect November 10, 2025. Here's what changed immediately, what contractors must do now, and how enforcement will actually work.

Two days ago, on November 10, 2025, CMMC 2.0 Phase 1 went into effect. If you're a defense contractor handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), this isn't a drill anymore. The Department of Defense started inserting CMMC requirements into solicitations. Third-party assessments are now mandatory for certain contracts. The question isn't whether CMMC is coming—it's what you do about it today.
The vendor ecosystem has been selling CMMC consulting for years, promising turnkey solutions and certification pathways. But here's the reality: compliance is operational, not aspirational. The effective date doesn't mean every contractor needs certification tomorrow. It means the DoD can now require it in specific solicitations, and contractors without it won't be eligible to bid.
Let's cut through the noise and talk about what actually changed on November 10, what Phase 1 means for enforcement, and what contractors should prioritize right now.
Phase 1's effective date doesn't flip a universal switch requiring every defense contractor to get certified immediately. Instead, it enables the DoD to insert CMMC requirements into solicitations for prioritized acquisitions. Here's what that means:
Solicitation Language Is Now Live
Starting November 10, contracting officers can include CMMC clauses in Requests for Proposals (RFPs) and Requests for Information (RFIs). If a solicitation requires CMMC Level 2 certification, you can't bid without proof of third-party assessment. No exceptions, no waivers.
Prioritized Acquisitions Come First
The DoD isn't requiring CMMC across all contracts simultaneously. Phase 1 targets prioritized acquisitions—contracts involving critical programs, emerging technologies, or highly sensitive CUI. Think advanced weapons systems, cyber capabilities, AI integration, and next-generation platforms. If you support these programs, CMMC requirements are already in play.
Self-Assessment Is No Longer Sufficient for Level 2
Pre-Phase 1, contractors could self-attest to NIST SP 800-171 compliance and maintain a score in the Supplier Performance Risk System (SPRS). Under CMMC 2.0, Level 2 requires third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO). Self-assessment only applies to Level 1 (basic cybersecurity hygiene for FCI, not CUI).
SPRS Scores Still Matter—For Now
Your SPRS score remains relevant during the transition. Contracting officers may use SPRS scores as an interim indicator of cyber hygiene while the CMMC certification ecosystem scales up. A score below 90 signals compliance gaps and could disqualify you from contract consideration even before formal CMMC requirements appear in a solicitation.
No Grandfather Clause for Existing Contracts
Existing contracts without CMMC clauses aren't retroactively affected, but modifications and option years may trigger new requirements. If your current contract comes up for renewal or modification, expect CMMC language to appear.
Phase 1 doesn't give you years to prepare. If you support prioritized acquisitions or expect to compete for contracts involving CUI, here's your action plan:
Start with NIST SP 800-171 compliance. All 110 controls. Not the ones that are easy to implement—all of them. If you've been relying on a Plan of Action & Milestones (POA&M) to defer hard controls, understand that C3PAOs won't accept vague commitments. They want evidence: documented processes, technical implementations, and verifiable outcomes.
Key Controls That Trip Up Contractors:
Hire a qualified assessor or use a reputable CMMC Registered Practitioner (RP) to conduct your gap analysis. Don't rely on vendor marketing decks that promise "90% compliant in 30 days." Compliance is granular, technical, and operational.
Not all gaps are equal. Focus on systemic issues first: access control, logging, encryption, and incident response. These are foundational and affect multiple controls. Don't waste time on low-impact documentation updates while your encryption implementation is non-compliant.
Remediation Hierarchy:
Budget for this. Remediation isn't cheap. Expect to spend anywhere from $50,000 to $500,000+ depending on your current state, organizational complexity, and scope of CUI handling.
The C3PAO ecosystem is still scaling up. As of November 2025, there are fewer authorized assessors than there are contractors needing certification. Demand will exceed supply, especially in the first 12-18 months of Phase 1.
C3PAO Selection Criteria:
Third-party assessments aren't cheap. Budget $15,000 to $150,000+ depending on the complexity of your environment and the number of sites requiring assessment. Multi-site organizations and those with extensive CUI environments will pay significantly more.
The DoD will accept POA&Ms for some controls during the transition, but there are limits. You can't defer critical security controls indefinitely. C3PAOs will require evidence that you're making progress on remediation and have realistic timelines and milestones.
POA&M Red Flags:
If your POA&M looks like a wish list rather than a project plan, expect pushback from your C3PAO.
Even as CMMC rolls out, SPRS scores remain a contracting officer's tool for evaluating cyber risk. A low SPRS score (below 90) signals non-compliance and can disqualify you from contract consideration before CMMC requirements are even evaluated.
Keep your SPRS score updated, accurate, and defensible. If you claim a score of 98, be prepared to prove it. Contracting officers are increasingly skeptical of inflated self-assessments, especially as CMMC third-party verification becomes the standard.
Here's the part most vendors won't tell you: enforcement is messy, uneven, and evolving. The DoD doesn't have unlimited resources to police every contractor, and C3PAOs don't have infinite capacity to assess everyone simultaneously. But that doesn't mean you can ignore CMMC.
CMMC requirements appear in solicitations. If a solicitation requires Level 2 certification, you submit proof of C3PAO assessment as part of your bid package. No proof, no bid evaluation. It's binary.
For existing contracts, enforcement depends on modifications and option years. If your current contract doesn't have CMMC language, you're safe until the next renewal, modification, or competitive re-bid. But don't count on multi-year grace periods. The DoD is under congressional pressure to accelerate CMMC implementation.
During Phase 1, contracting officers will likely use SPRS scores as a preliminary filter. If two contractors bid on a solicitation and one has a SPRS score of 95 while the other has 65, the higher score signals lower cyber risk. Even if CMMC certification isn't yet required, SPRS provides a comparative measure.
The C3PAO ecosystem is still maturing. There aren't enough authorized assessors to certify every defense contractor overnight. This creates a bottleneck: high-priority programs and large primes will get assessed first, leaving small and mid-tier contractors competing for limited assessment slots.
Strategic Implication: Don't wait until a solicitation drops to start the certification process. By then, C3PAOs may be booked months out, and you'll miss the bid window.
Large primes are already flowing down CMMC requirements to subcontractors. If you're a sub supporting a prime on a prioritized acquisition, expect the prime to require proof of CMMC compliance as a condition of subcontract award. This isn't DoD enforcement—it's business necessity. Primes can't bid on contracts requiring CMMC if their supply chain isn't certified.
CMMC isn't a one-time expense. It's an ongoing operational cost. Here's what you'll spend:
Total Initial Cost: $75,000 - $700,000+
For small businesses handling limited CUI in a single-site environment, expect costs on the lower end. For multi-site organizations with extensive CUI environments and complex IT infrastructure, expect six-figure investments.
CMMC certification isn't permanent. Level 2 requires re-assessment every three years. Between assessments, you'll need to maintain compliance through:
Annual Ongoing Cost: $20,000 - $100,000+
This doesn't include the cost of non-compliance: lost contracts, disqualification from bids, and supply chain exclusion.
Phase 1 is just the beginning. Here's what to expect over the next 12-24 months:
November 2025 - March 2026: Prioritized Acquisitions
CMMC requirements appear in solicitations for high-priority programs. Large primes and critical subcontractors face immediate pressure to certify. C3PAO capacity constraints create bottlenecks.
April 2026 - September 2026: Broader Rollout
CMMC requirements expand to additional contract types. Mid-tier contractors supporting multiple primes face certification deadlines. SPRS scores are increasingly used as preliminary filters.
October 2026 - March 2027: Phase 2 Transition
DoD moves toward Phase 2, which expands CMMC requirements across most contracts involving CUI. Self-assessment remains acceptable only for Level 1 (FCI, not CUI). Supply chain pressure intensifies.
2027 and Beyond: Full Implementation
CMMC becomes the default requirement for any contract involving CUI. Contractors without certification are effectively locked out of the defense industrial base.
I work on Navy ERP systems at BSO 60 (U.S. Fleet Forces Command). Here's what CMMC means for financial systems contractors:
CUI Is Everywhere in Financial Systems
Navy ERP, SABRS (Standard Accounting Budgeting and Reporting System), CFMS (Consolidated Financial Management System)—all of these handle CUI. Financial data, budget projections, cost data, and procurement information are all controlled. If you support these systems, you're handling CUI, and Level 2 certification will be required.
Audit Readiness and CMMC Overlap
Financial Improvement and Audit Readiness (FIAR) initiatives already require rigorous data governance, access controls, and audit trails. CMMC builds on these requirements by adding cybersecurity controls. Contractors who've invested in FIAR compliance are better positioned for CMMC, but don't assume compliance with one equals compliance with the other.
Supply Chain Implications for SAP and ERP Integrators
If you're a SAP or Oracle integrator supporting Navy ERP migrations, your subcontractors need CMMC certification too. Every developer, consultant, and third-party tool vendor with access to CUI must meet the same standards. This creates supply chain friction and increases project costs.
CMMC Phase 1 is live. This isn't a future compliance requirement to "keep an eye on." Solicitations with CMMC clauses are active right now. Contractors without certification are already being excluded from bids.
The vendor ecosystem will sell you expensive solutions, multi-year consulting engagements, and complex tooling platforms. Some of that is necessary. Much of it isn't. Focus on what matters: technical controls, documented processes, and third-party verification.
If you're a small contractor handling limited CUI in a straightforward IT environment, CMMC is expensive but manageable. If you're a mid-tier or large contractor supporting prioritized acquisitions with complex, multi-site environments, this is a six-figure investment with ongoing operational costs.
Don't wait for a solicitation to drop before starting the certification process. By then, C3PAOs will be booked, remediation timelines will be tight, and you'll be scrambling. Start now: gap assessment, remediation, C3PAO selection, and certification.
The effective date was November 10, 2025. The clock is already running.
Amyn Porbanderwala is Director of Innovation at Navaide and works on Navy ERP systems at BSO 60 (U.S. Fleet Forces Command). He writes about defense technology, AI implementation in government environments, and the operational realities of compliance frameworks like CMMC and FedRAMP.