The CMMC Phased Rollout Has Started: Everything You Need to Know

Starting November 10, 2025, DoW contracting officers can legally begin specifying CMMC status requirements in new solicitations and contracts, including task orders and purchase orders, as a condition of award. 

They will also start specifying CMMC status level requirements. And CMMC Level 2 C3PAO status can and will be required during the first 12 months of the phased rollout known as Phase 1. 

The program office can require certification where it’s applicable, even in Phase 1.  

We’re urging you: Do not bet on getting a waiver. Do not bet on a Level 2 self-assessment being enough, even in Phase 1. 

What CMMC is (and isn’t) 

CMMC isn’t making you do cybersecurity requirements. It’s making sure you did the requirements that have been in contracts for years. 

• CMMC has three levels tied to data types. 

• Level 1 and Level 2 are a verification mechanism for requirements that have existed since 2016. 

• The program lives in two regulations: the policy at 32 CFR Part 170 (effective December 16, 2024) and the contract implementation at 48 CFR (effective today). 

There are two parts in any rule: the long preamble (comment responses, rationale, impact) and the actual rule text (what you must do).  

For contracting: 

• 48 CFR Part 204 tells contracting officers the policy and procedures for including CMMC in solicitations and awards. 

• 48 CFR Part 252 contains the provision and clause you will see in your paperwork. 

You, as a contractor, will mostly see the provision and clause. The rationale and procedures sit upstream in Part 204 and the 32 CFR policy. 

What the contracting officer will do now 

48 CFR 204.7502 and 204.7503 state: 

• “The contracting officer shall include in the solicitation the required CMMC level if provided by the program office or requiring activity.” 

• They “shall not award… to an offeror that does not have a current CMMC status at the CMMC level required by the solicitation.” 

• You must “achieve at the time of award a CMMC status at the level specified… and maintain a current status for the life of the agreement.” 

• They will “check SPRS” for your current status under the relevant CMMC Unique Identifier (CMMC-UID). 

Two big takeaways: 

• The program office determines the level. The contracting officer enforces it. 

• “Current” means your status is valid (CMMC statuses are valid for three years with annual affirmation obligations). 

What shows up in your paperwork 

DFARS 252.204-7025 will clearly state: 

“The CMMC level required by this solicitation is ____.” 

It also states you are ineligible for award if you don’t have: 

• A current status in SPRS at the required level for each relevant system, and 

• A current affirmation of continuous compliance (annual). 

Clause 252.204-7021 adds your flow-down obligations: 

• You must flow down the correct CMMC level to subcontractors that will process, store, or transmit FCI or CUI. 

• Prior to awarding a subcontract, you must ensure the sub “has a current CMMC certificate.” 

On affirmations and conditional status: 

• Annual affirmation is your responsibility. 

• You can be awarded work with a conditional status, but “you must close out those open items… to achieve a status of final within 180 days,” and remember the limits: “no five-point or three-point controls” on your POA&M. MFA and FIPS have specific partial-credit allowances that remain permitted. 

On CMMC-UIDs: 

• You will “provide in the proposal the CMMC-UIDs issued by SPRS for each system” and “update the list when new CMMC-UIDs are generated.” 

• Practical wrinkle for primes: 

“There is no database that the public or the prime can access… it’s up to the prime contractors to figure it out.” 

About waivers and the phased rollout 

CMMC waivers are for entire contracts, not for individual contractors. Once it is applicable to a solicitation, there is no process for organizations to seek waivers. 

Phased rollout text in 48 CFR is minimal and does not restrict which levels can appear in Phase 1. 

There is no explicit prohibition on what level is included during what time of the phased rollout. It says you do what the program office tells you to do. 

Subs also have to meet their prime’s bar when CUI flows. If the prime has a C3PAO requirement and they’re flowing CUI to you, a self-assessment does not qualify you. 

According to estimates in the CMMC rule, 2% of the DIB are going to need Level 2 self-assessments and 35% will have to meet Level 2 C3PAO requirements. Expecting self-assessment to win you enough contracts is a risky bet. 

If you’re a sub, talk to your prime because they are going to be the ones who set your requirements. If you’re a prime, you own supply-chain due diligence. You must collect and validate status, even though DoW hasn’t provided a public verification system. 

Significant change and re-assessment 

New assessments can be triggered by “significant architectural changes or boundary changes, expansions of networks, mergers or acquisitions,” and potentially when “a CAGE code would need to be added.” 

The guidance here is “about as clear as mud,” so your change control should define what “significant change” means for your environment and document it. 

Why waiting for the solicitation is a losing strategy 

We can boil this down to two reasons: 

1. The DOW median time… from solicitation to contract award is typically somewhere around 45 days. 
2. You must have CMMC status at time of award. Waiting for the RFP to drop leaves you with almost no time to implement, assess, and certify. 

Check your government customer’s Long Range Acquisition Forecast; look at anticipated solicitation quarter and anticipated award quarter. Then work backward from those dates to plan budget, implementation, solutions, and assessment timing. 

Zero to assessment-ready for full enterprise transformation is 12 to 18 months. 

Some enclave deployments can be assessment-ready within about five or six months, especially with a tight boundary. 

That does not include the backlog surge for implementers and assessors once Phase 1 begins. Plan for the line. 

Action plan for today 

• Confirm your level based on data handled. 

• Assess against NIST 800-171 and map gaps. 

• Update your SSP and POA&M and understand what can and cannot sit on a POA&M. 

• Plan your assessment path (including C3PAO) and your annual affirmation cadence. 

• Coordinate with primes and subs on flow-down and status validation. 

• Check Long Range Acquisition Forecasts and align your timeline with award windows. 

If you’ve been preparing, you’re in position. If you haven’t, the clock just started. 

The rule does not change anything about what is written at 32 CFR… There are no Easter eggs and no surprises. 

CMMC is now part of doing business with the DoW.  Discover your next steps to CMMC compliance in just 5 minutes with our Pathfinder Tool.

Let us help you get confident, certifiable, and ready.