What defense contractors need to know about CMMC going live

Federal Regulation 48 CFR / DFARS 252.204-7021 officially implements CMMC in DoD contracts


CMMC Phase One has begun, so military contracting officers may now include the requirement for compliance with CMMC Levels 1 and 2 in new contracts.

As of November 10, the Department of Defense (DoD) activated the Cybersecurity Maturity Model Certification (CMMC) program. The US government’s contracting officers can now require CMMC certification as a condition for awarding new contracts.

Without CMMC certification, businesses will no longer be awarded contracts or be able to work with the DoD when CMMC is specified in a solicitation (there is a grace window and some exceptions). Understanding when this applies and how to prepare is essential to establishing or maintaining a position in the defense market.

What changed November 10

November 10 was the date when:

  • The government’s military buyers can specify CMMC certification requirements in new solicitations
  • When required, contractors must have valid certification to be eligible for award
  • Contractors who award subcontracts must verify that their subcontractors hold the appropriate CMMC certification before awarding them work that involves handling sensitive information: Federal Contract Information (FCI, such as contracts and pricing) and/or Controlled Unclassified Information (CUI, such as blueprints and other sensitive government information)

These requirements don’t apply retroactively to existing contracts. CMMC only becomes enforceable when DFARS 252.204-7021 is written into the contract. And the rollout is a three-year phased implementation, with requirements appearing gradually across different programs and contract types.

For most businesses in or entering the defense space, November 10 means the start of planning – not a compliance crisis. Your urgency will hinge on when CMMC requirements will appear in contracts you pursue.

[Infographic: the three CMMC compliance levels]

There are three levels of CMMC compliance, depending on the sensitivity of the data an organization handles:

  • Level 1 (Foundational): basic cybersecurity for handling FCI
  • Level 2 (Advanced): cybersecurity aligned with NIST SP 800-171; includes protections for more sensitive data (CUI)
  • Level 3 (Expert): adds NIST SP 800-172 requirements for handling the most sensitive data

1. Immediate need?

Is the following similar to your current situation?

  • You’re after a job that specifies CMMC requirements
  • A principal contractor has requested your CMMC status for you to act as a sub

This means you face a timeline challenge, since DoD procurement cycles in your field may run 45-90 days from solicitation to award. If you’re not already certified, you may not be able to complete the process in time for this job.

But understanding where you stand will help you decide whether to submit a proposal or pass on it and prepare for the next one. It will also show you how close you are to certification so you can plan for the next similar opportunity with better timelines.

2. Building a competitive position?

Does this resemble your current state?

  • You regularly compete for contracts involving CUI
  • You expect to see CMMC requirements in the next 6-18 months
  • You want certification as a competitive advantage before it’s required

You probably have enough time to prepare properly, but waiting any longer increases the risk of rushed remediation. So schedule a gap assessment now. Typical prep timelines:

  • Strong existing NIST 800-171 compliance: 3-6 months to certification
  • Partial compliance with known gaps: 6-12 months
  • Building a program from scratch: 12-18 months

Starting now should give you time to plan and budget for certification before CMMC appears in contracts you want to pursue.

3. Strategic planning?

Does the following describe your situation?

  • You haven’t seen CMMC requirements in your typical solicitations
  • You’re a subcontractor not yet contacted by prime contractors about certification
  • You estimate 12+ months before CMMC affects your opportunities

You can prepare methodically without pressure, potentially reducing costs through phased implementation. So start by understanding the CMMC level that would apply to your work and what your current posture looks like.

Early assessment allows you to:

  • Budget accurately for future certification costs
  • Identify whether you can phase remediation over time
  • Make informed decisions about infrastructure investments
  • Avoid discovering expensive gaps when you’re under time pressure

About CMMC Certification

CMMC isn’t creating new cybersecurity standards. It’s a system to verify fulfillment of requirements that have existed in defense contracts for ten years. CMMC requires proof through assessment and certification.

You should know that while NIST 800-171 is the foundational cybersecurity framework, CMMC can require businesses to implement more robust measures, especially for the protection of CUI.

The steps to compliance look like this:

Scoping and Categorization: Define which systems, processes, and data need protection and determine your required CMMC level based on your contracts.

Gap Assessment: Evaluate your current cybersecurity efforts against your target CMMC level to reveal strengths and gaps.

Policy and Procedures: Create or update policies and procedures to show how you meet CMMC requirements.

Remediation: Fix security gaps, update documents, and gather proof that cybersecurity controls work.

Internal Readiness Assessment: A practice assessment before the real one.

Formal Assessment: Level 1 needs an internal assessment. Levels 2 and 3 require a C3PAO to evaluate technical controls and documentation. Failures require remediation before certification.

Plan of Action & Milestones (POA&M): During the assessment, document any minor remaining gaps and timelines for their resolution.

Ongoing Compliance: For Level 1, complete an annual affirmation. For Levels 2 and 3, maintain certification for three years with continuous monitoring, periodic reviews, incident readiness and annual affirmations; recertification is needed every three years.

Why get professional guidance

Since 1987 Bryley Systems has helped New England defense contractors navigate evolving DoD cybersecurity requirements – from DFARS 7012 to NIST 800-171 to CMMC. We build compliance programs that are size- and budget-appropriate for smaller defense contractors and their supply chains.

Professional guidance helps you avoid the three most common and costly mistakes:

Failed assessments from improper scoping: Organizations often guess wrong about which systems need protection, leading to failed C3PAO assessments and wasted preparation costs.

Rejected documentation: Assessors require specific evidence formats. Without knowing these standards upfront, you’ll spend time creating documentation that gets rejected.

Budget overruns from wrong priorities: Fixing all gaps equally wastes resources. Knowing which controls matter most for your certification level prevents unnecessary spending.

Early certification gives you eligibility for opportunities competitors can’t pursue, stronger positioning with prime contractors, and faster response times when CMMC requirements begin to appear.

Bottom line

November 10 marked CMMC’s transition from policy to operational program. Requirements will begin appearing in defense solicitations gradually over the three-year rollout.

Your timeline will depend on when CMMC requirements appear in the contracts you’re pursuing. It follows that the contractors who retain the best access to opportunities will be those who have prepared systematically.

Want to better understand your CMMC timeline and readiness? Schedule a free consultation with Bryley’s Roy Pacitto. Please complete the form below to schedule a no-obligation, no-cost call. Or you can email Roy at RPacitto@Bryley.com or reach him by phone at 978.562.6077 x217.

Connect with a Bryley IT expert about DFARS or CMMC