CMMC Final Rule Technical Deep-Dive – A Guide for Defense Contractors


The Department of Defense’s long-anticipated CMMC final rule is here, bringing cybersecurity requirements to the forefront of defense contracting. This post provides a technical deep-dive into what the final rule entails, key regulatory references (DFARS and CFR clauses), the multi-year implementation plan, and what prime and subcontractors must do to comply. If you’re an owner or IT/security lead at a company in the defense supply chain, this guide will help you navigate the specifics of CMMC 2.0 and understand your obligations.

Regulatory Background: 32 CFR vs 48 CFR – Two Rules Governing CMMC

It’s important to know that CMMC is governed by two sets of regulations:
  • Title 32 CFR Part 170 – This is the DoD rule that established the CMMC program itself (published in late 2024). It outlines the framework: definitions of levels, how assessments work, requirements for CMMC accreditation bodies, and overall program governance. In other words, 32 CFR 170 is about how CMMC operates (the “rulebook” for the CMMC ecosystem).
  • Title 48 CFR (DFARS) rule – This is the new contract requirement rule (the one published on Sept 10, 2025) that actually implements CMMC in DoD contracts. Title 48 of the CFR covers the Federal Acquisition Regulation (FAR), and DFARS (Defense FAR Supplement) is the DoD-specific addendum to those procurement rules. The final DFARS rule is what allows contracting officers to insert CMMC requirements into solicitations and contracts. It amends DFARS parts 204, 212, 217, and 252 to add standard language about CMMC.

In simpler terms, 32 CFR 170 = the CMMC program details, and 48 CFR/DFARS = the contractual mandates. Don’t mix them up: both are now in play. The 32 CFR part took effect in 2024, and now the DFARS piece (48 CFR) takes effect on November 10, 2025 to bridge CMMC into actual contracts.

Two key DFARS clauses introduced by this final rule are worth noting:

  • DFARS 252.204-7021, “Cybersecurity Maturity Model Certification Requirement” – This clause will appear in DoD solicitations and contracts to specify the required CMMC Level for that contract and to mandate that the contractor maintain at least that level as a condition of the contract. Essentially, by signing the contract, you’re certifying that you have (and will keep) the requisite CMMC certification.
  • DFARS 252.204-7025, “CMMC Assessment and Reporting Requirements” – This clause covers how contractors must report and maintain their certification status. It includes provisions for things like providing CMMC Unique Identifiers (UIDs) (proof of certification in the SPRS system) with your proposals, and rules for any “Conditional” certifications. For example, if you achieve a CMMC certification with some minor deficiencies (i.e., with a Plan of Action & Milestones, POA&M, to finish up a few items), you get a Conditional Status. Clause 7025 requires that any POA&Ms be closed out within 180 days in order to move from Conditional to Final certification. Failing to do so could jeopardize the contract. In short, DFARS 7025 ensures that contractors don’t linger in a partially compliant state – you must fully meet requirements in a timely manner – and that you provide your CMMC assessment information to the DoD (via SPRS) when bidding.

Together, these clauses make CMMC a binding part of contract award and performance. Even contracts involving only Federal Contract Information (FCI) will require at least a CMMC Level 1 certification (annual self-attestation) as a condition of award. This is a significant change – previously, the DFARS 252.204-7012 clause required implementing NIST 800-171 for CUI, but enforcement was via potential post-award audits. Now, with CMMC, you must prove compliance upfront (and continuously) to get or keep the contract.

CMMC 2.0 Levels and Requirements

Let’s recap the CMMC levels and what each entails in more technical detail, as this is central to understanding the certification you need:

Each level is summarized below by scope of information, security practices required, and assessment requirements.

Level 1 (Foundational)
  • Scope of information: Basic Federal Contract Information (FCI) only (no CUI).
  • Security practices required: 17 basic cybersecurity practices (aligned with the FAR 52.204-21 basic safeguarding controls). Examples: use antivirus, limit system access, use strong passwords, secure physical access.
  • Assessment requirements: Annual self-assessment with an annual affirmation attesting that all 17 practices are in place. (No third-party audit required.)

Level 2 (Advanced)
  • Scope of information: Controlled Unclassified Information (CUI).
  • Security practices required: 110 security practices, mirroring the requirements of NIST SP 800-171 Rev. 2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), across domains such as access control, incident response, and configuration management. Enhanced security documentation and management are expected.
  • Assessment requirements: Third-party certification by an accredited CMMC Third-Party Assessment Organization (C3PAO) at least every 3 years. Also requires annual self-attestation of compliance. Exception: for certain non-critical programs, DoD may allow an annual self-assessment in lieu of third-party assessment, but this is expected to be rare (estimated ~2% of contractors).

Level 3 (Expert)
  • Scope of information: Highly sensitive CUI tied to critical national security (e.g., advanced weapons R&D data).
  • Security practices required: All Level 2 (NIST 800-171) controls plus ~20 additional practices targeting advanced persistent threats, drawn from NIST SP 800-172 (Enhanced Security Requirements for Protecting CUI). A very robust cyber program is required (e.g., proactive threat hunting, stringent risk management, continuous monitoring).
  • Assessment requirements: Government-led audits (by DIBCAC) every 3 years. Also requires annual affirmations. No self-assessment option; you must be formally assessed by DoD. Level 3 certification will only be demanded in select, highest-risk contracts (estimated <1% of the defense industrial base).

As shown above, Level 2 is aligned with NIST SP 800-171, which many contractors have already been implementing under DFARS 7012. CMMC doesn’t add new controls beyond what’s in 800-171 for Level 2; it adds the requirement of certification. For Level 3, it brings in a subset of NIST SP 800-172 controls on top of 800-171 (to address more sophisticated threats).
 
Importantly, CMMC Level 1 and Level 2 cover the vast majority of companies. All contractors will need at least Level 1 for FCI. Contractors that handle CUI will need Level 2. Only the very critical defense suppliers (think major weapon system developers, etc.) might ever need Level 3.

Each CMMC certification, when achieved, will be recorded in the DoD’s SPRS database and given a unique ID. That status is then used in contract award decisions (hence the requirement to list your CMMC UID in proposals via DFARS 7025).

Phased Rollout and Timeline (3-Year Implementation Plan)

The final rule implements CMMC gradually over the next three years (from late 2025 to late 2028) in what the DoD calls a phased rollout. Here’s how it breaks down:

  • Phase 1: Nov 2025 – Nov 2026 (Year 1) – CMMC requirements will appear in a limited number of new contracts to start. DoD estimates about 1,100 small entities will be affected in this first year (in addition to larger primes). During this phase, contract options on existing contracts also come into play: contracting officers are instructed not to extend or exercise options on a contract unless the contractor has a CMMC status posted in SPRS at the required level. That means even for ongoing projects, if you need to renew, you must have at least a self-assessment (for Level 1 or 2, as required) on record. Some contracts in this phase will require Level 1, and some will require Level 2 (especially if CUI is involved). It’s expected that any Level 2 requirements in this first year might allow self-assessment initially, but that’s not guaranteed – prioritize getting ready for a C3PAO assessment if you handle CUI.
  • Phase 2: Nov 2026 – Nov 2027 (Year 2) – The number of contracts with CMMC clauses increases (around 5,500 additional small entities impacted). More “medium priority” programs will start including CMMC. By this time, the expectation is that many contractors handling CUI should be getting their third-party Level 2 certifications completed. DoD and the accreditation ecosystem are scaling up assessor capacity to handle the demand. If you haven’t started by Phase 2 and you need Level 2, you’ll be in a rush – because by the end of Phase 3, you’ll definitely need it.
  • Phase 3: Nov 2027 – Nov 2028 (Year 3) – Full ramp-up. Most new DoD contracts now include a CMMC requirement. Approximately 18,500 more small entities come under the requirement in this phase, covering essentially all remaining defense contractors. Level 2 third-party certifications will be common requirements at this point for contracts with CUI. DoD calls contracts that require third-party certification “prioritized” because of the sensitivity – expect that by Phase 3, nearly all contracts involving CUI are “prioritized.” If you’re a subcontractor, virtually any new work from a prime in this timeframe will require you to already have (or obtain quickly) a CMMC cert if the prime contract has one.
  • Phase 4: Nov 2028 onward (Beyond the rollout) – CMMC becomes business-as-usual. This is when 100% of the defense supply chain is covered. DoD estimates roughly 209,000 companies will be Level 1, ~118,000 will need a Level 2 certification, a small number (around 6,700) will have Level 2 self-assessed status, and a few thousand will be Level 3. In other words, after 2028, all DoD contracts and subcontracts require at least some level of CMMC, and the split will be about two-thirds of the DIB at Level 1 and one-third at Level 2, with a tiny fraction at Level 3.

This phased approach was designed to give contractors time to adapt, but the clear message from DoD is “don’t wait.” If you wait until 2028 to start, you will have already lost contracting opportunities. By that time, contracting officers will simply skip over non-certified suppliers.

To put it bluntly: the train has left the station. As of November 2025, if you are not at least preparing your CMMC compliance, you risk being left out. The DoD’s Katie Arrington famously said: “We expect our vendors to put U.S. national security at the top of their priority list. By complying with cyber standards and achieving CMMC, this shows our vendors are doing exactly that.” The Pentagon is serious about this.

Flow-Down to Subcontractors (Supply Chain Requirements)

One of the critical aspects of CMMC is that it doesn’t only apply to prime contractors – it applies throughout the supply chain, at all tiers. The final rule and the CMMC program regulations explicitly require primes to flow down the appropriate CMMC requirement to their subs. Here’s what that means in practice:

  • If you are a prime contractor, you must include the CMMC clauses in your subcontracts if those subs will handle any FCI or CUI related to the contract. You are responsible for ensuring your subcontractors meet the required CMMC level. Before awarding a subcontract, you should verify the sub’s CMMC status (the final rule will have mechanisms for subs to share their CMMC UID with you, likely via SPRS or a certificate). In fact, primes will likely need to list all their subs’ CMMC certifications when bidding major contracts.
  • If you are a subcontractor, you must comply with the CMMC level required for the info you handle, just like primes. There’s no exemption for “I’m just a sub.” For instance, if you only receive FCI from the prime (no CUI), you’ll need at least CMMC Level 1. If the prime is flowing down CUI to you, you’ll need to have Level 2. Moreover, if the prime contract requires a third-party Level 2 certification (Level 2 (C3PAO) status), then your self-assessment at Level 2 won’t be enough – you will also need to obtain a third-party certification at Level 2. This is explicitly stated in 32 CFR §170.23(a)(3): “If a subcontractor will process, store, or transmit CUI… and the prime contract has a requirement for Level 2 (C3PAO), then Level 2 (C3PAO) is the minimum requirement for the subcontractor.” In other words, a subcontractor generally needs to meet the same CMMC level as the prime requires for that info. (Notably, even if the prime needs Level 3, subs handling that data can meet Level 2 C3PAO as a minimum, since very advanced practices might not be expected at lower tiers – but those cases will be rare.)
  • Primes cannot ignore a non-compliant sub. If a required sub is not certified, the prime stands to lose the contract award or could be in default of contract requirements. The responsibility flows down as well: primes shall require their subs to comply and “flow down” the CMMC clause. We anticipate that primes will ask subs for proof of CMMC during teaming and contracting.

The bottom line: CMMC is a shared responsibility across the supply chain. No one gets a free pass. This is especially significant given that an estimated 83% of the defense industrial base are subcontractors, many of them small businesses. The DoD has effectively cast a wide net to capture these companies in the cybersecurity requirement, through the primes. If you’re a small subcontractor to a larger defense company, you should treat CMMC compliance as seriously as a prime would – your future contracts depend on it.

Action Items and Best Practices for Compliance

By now, you should have a sense of the urgency and scope of the CMMC final rule. Here are some actionable steps and best practices to get your company in shape:
 
  1. Map Your Data and Determine CMMC Level: Take inventory of the types of information you handle on DoD contracts. Do you only see basic contract info (schedule, SOWs, etc.) or do you handle technical drawings, specifications, or other sensitive data? This will determine if you’re aiming for Level 1 or Level 2. If you have any CUI, plan for Level 2 with third-party certification unless told otherwise. (Level 3 would be explicitly required by the DoD for certain contracts – you’d know if you were in that arena.)
  2. Ensure NIST 800-171 Controls Are Implemented: For companies needing Level 2, NIST SP 800-171 is your bible. Perform a thorough gap analysis against the 110 controls of 800-171 right now. For each security requirement, assess whether it is Implemented, Partially Implemented, or Not Implemented. Common gaps include: multi-factor authentication on all accounts, encrypted data backups, audit log monitoring, incident response plans, etc. Address those gaps by implementing the necessary policies and technical fixes. The goal is to get to a point where you could honestly score yourself highly in an 800-171 self-assessment. (Remember, if you haven’t already, you must post a Basic Self-Assessment score in SPRS per DFARS 252.204-7019 – which remains in effect – this is essentially your score out of 110 indicating compliance with 800-171.) Keeping that SPRS score updated is now not just DFARS 7019 compliance but also part of CMMC readiness.
  3. Develop a System Security Plan (SSP) and Plan of Action (POA&M): Documentation is key. An SSP describes how your company implements each security requirement. A POA&M lists any remaining deficiencies and how/when you’ll fix them. Under the CMMC regime, having an SSP is expected (auditors will want to see it). If you have POA&Ms (areas not yet fully compliant), prioritize closing them out. The final rule’s DFARS 7025 clause indicates that you cannot hold a “Conditionally Certified” status indefinitely – you get 180 days to remediate and achieve a final certification. So, aim to resolve POA&M items within 6 months or sooner. For example, if multi-factor auth isn’t rolled out yet, set a plan to do so in the next few months; if staff training is lacking, schedule training sessions, etc. Showing this progress is important both for internal readiness and for any interim inquiries from DoD.
  4. Schedule a CMMC Readiness Assessment: If pursuing Level 2, it’s wise to engage a C3PAO or consultancy for a readiness assessment (gap assessment) well before the real audit. This is essentially a practice audit where an expert evaluates your state of compliance and identifies any weak points. Many companies do this 6+ months ahead of the formal certification audit. Given that certification can take time to schedule and complete, starting the process early is crucial – experts note it often takes 9-12 months for a contractor to go from 0 to fully compliant and certified at Level 2. With that timeline, you’d want to start no later than early 2026 to be safe for the main wave of requirements.
  5. Train Your Team and Build Cyber Hygiene Culture: Policies and tech alone won’t suffice; employees play a big role in security. Ensure all personnel are aware of CMMC and their responsibilities (this is actually required – security awareness training is a control in NIST 800-171). Emphasize practices like identifying phishing emails, safe handling of sensitive info, and reporting incidents quickly. A single lapse (like an employee clicking a malicious link) could jeopardize your compliance and security. Make cybersecurity part of your company culture – from leadership commitment down to daily operations.
  6. Leverage Available Tools and Assistance: DoD’s Project Spectrum (by OSBP) offers free tools – such as a CMMC Level 1 and 2 self-assessment tool, policy templates, etc. Use these to your advantage as a starting point. Additionally, consider cybersecurity solutions that can help cover technical requirements: for example, endpoint detection and response (EDR) tools, security information and event management (SIEM) systems for log monitoring, and secure cloud services that are FedRAMP-approved if you use cloud storage (FedRAMP moderate aligns with many 800-171 controls). There are also managed service providers (MSPs) specializing in helping companies meet CMMC – they can provide technical solutions like secure network setups, etc., if you don’t have full internal IT capability.
  7. Stay Updated on CMMC Guidance: Follow official updates from DoD and the Cyber Accreditation Body (the CMMC-AB, now part of the Cybersecurity Assessor and Instructor Certification Organization, CAICO). The implementation details (like how exactly to submit certification info, how the marketplace of assessors is scaling up, etc.) are evolving. Join webinars, subscribe to newsletters (DoD’s Project Spectrum newsletter, for example), and consider industry associations (NDIA, etc.) that share tips on CMMC. Additionally, keep an eye on contract notifications – if the DoD issues a memo or interim instructions on how contracting officers will enforce these clauses, you need to know.
  8. Plan for the Long Term: CMMC is not a one-and-done effort. Budget for maintaining compliance – this includes periodic re-certifications (every 3 years for Level 2) and continuous improvement. Cyber threats evolve, and the DoD may update CMMC requirements over time. Being proactive and treating cybersecurity as an ongoing business function will pay dividends. Many companies are appointing a CMMC compliance lead or working groups internally to ensure they stay on track even after getting certified.

How EasyITGuys Can Help

Navigating the technical complexities of CMMC compliance can be challenging – but you don’t have to figure it all out alone. EasyITGuys offers specialized services to assist defense contractors in achieving and maintaining CMMC certification. We can help with:

  • CMMC Readiness Assessments: Our experts will audit your current security controls against CMMC requirements and identify gaps, providing a clear roadmap to compliance.
  • Remediation Support: From implementing multi-factor authentication to encrypting data backups, we can assist in deploying the solutions and policies you need for CMMC. We bring hands-on expertise with the NIST 800-171 control set and can tailor fixes that meet requirements in a cost-effective way.
  • Documentation and Process Consulting: Need an SSP or incident response plan? We have templates and will work with you to document your practices properly – a crucial factor in passing a CMMC audit.
  • Employee Training: We provide user-friendly security awareness training and can help institute best practices among your staff to ensure everyone is on board with cybersecurity (which auditors love to see).
  • Continuous Compliance Management: Even after you get certified, we can monitor and manage aspects of your security (through managed IT/security services) to ensure you remain compliant year after year. This includes periodic check-ups and preparing you for re-certification when the time comes.
  • Subcontractor Compliance Strategies: If you’re a prime, we can also advise on flowing down requirements to your subs and tracking their compliance, so your whole supply chain remains secure and eligible.

Contact EasyITGuys to schedule a consultation on CMMC compliance. We’ll bring our technical expertise and understanding of DoD requirements to help safeguard your business. With CMMC now officially here, let us partner with you to achieve compliance efficiently and confidently – so you can focus on your contracts and missions, knowing your cybersecurity bases are covered.
 
Your company’s future in the defense industry depends on getting CMMC right. With the right approach and the right team of experts supporting you, CMMC compliance is absolutely achievable. EasyITGuys is here to ensure your success in this new era of defense contracting. Reach out today to get started on your CMMC journey!
