November 10, 2025: The Day CMMC Becomes Real for DoD Contractors and Their Subcontractors.

Key Implementation Timeline

Note: In some procurements the Department may implement CMMC requirements earlier than the planned phase. Source: DoD CIO.

Why Subcontractors Are Equally Affected

CMMC requirements flow down. Prime contractors must ensure each subcontractor that handles FCI or CUI meets the appropriate level. One non-compliant subcontractor can place a bid or renewal at risk.

Assessments, POA&M, and Annual Affirmation

Assessment Types

• Self-Assessment: Performed by the Organization Seeking Assessment. Results go to the Supplier Performance Risk System (SPRS).
• C3PAO Certification: Performed by an authorized Certified Third-Party Assessment Organization. Results go to eMASS.
• DIBCAC Certification: Conducted by the Defense Industrial Base Cybersecurity Assessment Center for Level 3.

POA&M Rules

• Not permitted for Level 1.
• Permitted for Levels 2 and 3 with limits in the final rule. All open items must be remediated within 180 days of the conditional status date and then verified in a closeout assessment.

Annual Affirmation

• Required after each assessment and every year thereafter.
• Failure to affirm annually will cause your status to lapse.

Details are drawn from the DoD CIO program description and DFARS CMMC rule. See: DoD CIO and Federal Register.

Immediate Actions to Prepare

1. Identify your level. Confirm whether you handle FCI, CUI, or both.
2. Run a gap analysis. Compare current practices to FAR 52.204-21 for Level 1 or NIST SP 800-171 Rev. 2 for Level 2.
3. Build your System Security Plan (SSP). Document how each requirement is met. Keep evidence current.
4. Create POA&Ms where allowed. Assign owners and due dates. Track progress toward the 180-day closeout.
5. Engage trusted experts. Consider a Registered Provider Organization or a C3PAO for readiness and certification.

Helpful links:
EasyITGuys CMMC Technical Deep Dive,
EasyITGuys Non-Technical CMMC Guide

Technical Deep Dive

NIST Alignment

• Level 1: FAR 52.204-21 safeguards.
• Level 2: 110 controls in NIST SP 800-171 Rev. 2.
• Level 3: Level 2 plus 24 practices from NIST SP 800-172.

Validity and Systems

• Assessments are valid for three years.
• Annual affirmation in SPRS is required to maintain status.
• Self-assessment results are entered in SPRS. C3PAO and DIBCAC results are tracked in eMASS.

Supply Chain

Primes must verify that subcontractors handling FCI or CUI meet the correct CMMC level before award. This protects sensitive information throughout the supply chain and reduces risk to the program.

Upcoming Milestones

• Nov 10, 2025: Phase 1 begins. Self-assessments for Level 1 and some Level 2 solicitations.
• Nov 10, 2026: Level 2 C3PAO certifications required where applicable.
• Oct 31, 2026: All new DoD contracts include CMMC language.
• Nov 10, 2027: Level 3 certifications introduced.
• Nov 10, 2028: Full implementation across applicable DoD solicitations and contracts.

The Bottom Line

CMMC is now enforceable. Early action protects eligibility and reduces risk. EasyITGuys can help with readiness assessments, gap remediation, documentation, and coordination with C3PAOs.

Request a CMMC Readiness Review
Explore the Statement of Work for Ongoing Compliance Services

Official Resources and Further Reading

• DoD CIO – CMMC Official Page
• Federal Register – DFARS CMMC Rule
• CMMC-AB Marketplace (find RPOs and C3PAOs)
• EasyITGuys – CMMC Final Rule Technical Deep Dive
• EasyITGuys – CMMC is Now Official (Non-Technical)