Editor’s Note: Updated November 3, 2025 — This article builds on our original “30 Days to Enforcement” countdown. As the CMMC Final Rule (48 CFR Acquisition Rule) officially enters Phase 1.
The Clock Is Almost Up. On November 10, 2025, the Department of Defense (DoD) will officially implement CMMC Phase 1 through the Final Rule (32 CFR Part 170) marking the beginning of formal CMMC inclusion in DoD solicitations, starting with CMMC Level 2 Self-Assessments.
What Phase 1 Means
Phase 1 focuses on ensuring that DoD contractors handling Controlled Unclassified Information (CUI) have completed or are finalizing their CMMC Level 2 Self-Assessment and reported their score to the Supplier Performance Risk System (SPRS).
The intent of Phase 1 is clear: to establish a baseline of compliance across the Defense Industrial Base (DIB) by verifying that contractors can self-assess and demonstrate their cybersecurity posture against NIST SP 800-171 Rev. 2.
While Phase 1 emphasizes self-assessments, Program Managers (PMs) retain the discretion to require a CMMC Level 2 Certification Assessment through a C3PAO (Certified Third-Party Assessment Organization) if justified by market research or contract-specific risk factors.
In other words, while most contractors will perform a self-assessment, some solicitations may include a requirement for third-party certification (C3PAO) during this phase — depending on the sensitivity of the work and the availability of certified vendors.
What You Should Be Doing Now
If you haven’t already done so, ensure your organization has:
✅ Completed its CMMC Level 2 Self-Assessment and reported your score in SPRS.
🧾 Documented your System Security Plan (SSP) and Plan of Action & Milestones (POA&M) to demonstrate compliance progress.
📈 Begun preparing for CMMC Phase 2 (C3PAO Certification Assessments), which will expand certification requirements and enforcement.
Taking these steps now will help ensure uninterrupted eligibility and readiness for upcoming contract opportunities.
Prime contractors are highly encouraged to contact their Government Program Managers (PMs) or Contracting Officer Representatives (CORs) to confirm which CMMC level will be included in new or modified contracts after November 10, 2025.
For subcontractors, this is equally important. According to 32 CFR Part 170, CMMC requirements flow down from the prime to all subcontractors. Subcontractors should coordinate directly with their prime contractor to confirm whether CMMC Level 1 (FCI) or Level 2 (CUI) applies to their role in the supply chain.
CMMC is no longer “coming soon” — it’s one week away.
Phase 1 represents the beginning of enforceable cybersecurity accountability within DoD contracting. Organizations that act now to complete self-assessments, confirm SPRS reporting, and engage with their contracting chain will be best positioned for success when Phase 2 (C3PAO Certifications) begins in 2026.
Scroll below to read our original “30 Days to Enforcement” post from October 14, 2025, for context on how organizations should be preparing as the CMMC Final Rule approaches enforcement.
The clock is ticking — enforcement begins November 10th.
The countdown is officially on. As of today, the Defense Industrial Base (DIB) is less than 30 days away from the CMMC Final Rule (48 CFR DFARS Acquisition Rule) taking effect on November 10, 2025.
From that date forward, CMMC compliance will be required for all new solicitations and contracts. Whether you’re a prime contractor or a small business supplier, the next few weeks are critical, and they determine whether your organization is ready to bid, ready to certify, and ready to continue doing business.
What Happens on November 10, 2025
According to the CMMC FAQs (September 2025), the revised DFARS 252.204-7021 clause officially takes effect on November 10th, launching Phase 1 of CMMC implementation.
Phase 1: Self-Assessment vs. Certification
During Phase 1, most contractors will perform CMMC Level 1 (FCI) or CMMC Level 2 (CUI) self-assessments, not third-party (C3PAO) certifications.
The DoD’s CMMC FAQs clarify:
This phased rollout gives contractors an opportunity to self-assess, remediate, and prepare for full certification in later phases.
What DoD Contractors Should Be Doing Now
The message is clear: don’t wait until November 10th.
✅ If you’ve completed your self-assessment (NIST 800-171 Gap Assessment) but haven’t begun remediation — start now.
✅ If you’ve submitted your SPRS score, ensure it’s accurate and supported by a current System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
✅ If critical controls like MFA, encryption, or access management aren’t implemented, make them your top priority.
Your Final 30-Day CMMC Readiness Plan
Days 27–20: Validate Your Baseline
Days 19–10: Close Out POA&Ms
Days 9–1: Affirm Compliance
Why Waiting Is Risky
Phase 1 is not a grace period — it’s a qualification period. DoD contractors demonstrating measurable progress will remain competitive; those that delay may be excluded from solicitations requiring compliance evidence.
A valid self-assessment requires:
Final Thought: Treat Phase 1 as the Real Test
While CMMC Level 2 (C3PAO) certifications may not be widespread until Phase 2, organizations that remediate and document their controls now will be months ahead when audits begin.
Your countdown to compliance isn’t just about meeting requirements — it’s about maintaining eligibility and protecting your pipeline.
As stated in the Department of Defense’s CMMC FAQs (September 2025): “If you have completed an assessment but have not started remediation — you should get started.”
Why Choose Peerless?
We help defense contractors get audit-ready — from gap assessments and remediation to documentation and evidence preparation. Our teams align your environment to NIST SP 800-171 and positions you for a smooth certification process.