
Phase 1 Is Live: What Changed on November 10, 2025

Mike Torres
Manufacturing Security Advisor
2025-12-05

Advised global manufacturers and machine shops across Asia and US for 7 years. Now helping small shops navigate CMMC compliance without the BS.


November 10, 2025 wasn't just another date. It's when CMMC enforcement started.

Not "will start." Not "coming soon." Started.

If you handle DoD contracts and haven't paid attention, this is your wake-up call.

What Actually Happened on November 10

The Department of Defense started inserting CMMC requirements into new solicitations and contracts. No fanfare. No grace period. Just... live.

Here's what that means:

DFARS clause 252.204-7021 is now mandatory in nearly every DoD solicitation that involves Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

If you bid on a contract after November 10 and you see that clause — which you will — you need a CMMC certification at the level specified. No certification = you're ineligible for award.

Period.

"But I Thought Phase 1 Was Just Self-Assessments?"

Sort of. But here's the catch everyone's missing.

Phase 1 (November 2025 - November 2026) allows self-assessments for most Level 2 requirements. But the contracting officer can require third-party assessment (C3PAO) at their discretion.

Translation: Just because self-assessment is allowed doesn't mean it's accepted for YOUR bid.

The DoD memo was clear: program managers can "at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of Level 2 (Self)."

So if you're counting on a cheap self-assessment to get you through Phase 1, read the solicitation carefully. The government might demand a C3PAO assessment anyway.

What You'll See in New Contracts

Starting November 10, new DoD contracts include specific CMMC language. Here's what to look for:

The DFARS Clause: 252.204-7021

This clause tells you:

  • What CMMC level is required (Level 1, Level 2, or Level 3)
  • Whether self-assessment is accepted or C3PAO is required
  • Your obligation to maintain compliance throughout the contract (not just at award)
  • Flow-down requirements to subcontractors

The CMMC Status Requirement

You'll need to register in the Supplier Performance Risk System (SPRS) and submit proof of your CMMC status.

  • For Level 1: Annual self-assessment results
  • For Level 2: Either self-assessment OR C3PAO certificate (depends on contract)
  • For Level 3: C3PAO assessment PLUS DIBCAC review

Annual Re-Attestation

This is the part nobody talks about.

You can't just certify once and forget it. The DFARS clause requires you to maintain "current CMMC status" and re-attest at least annually.

If your certification lapses during contract performance, you're in breach. And that opens you up to False Claims Act penalties (more on that in another post).

"I'm a Subcontractor. Does This Apply to Me?"

Yes.

Flow-down requirements mean primes will enforce CMMC on you. If the prime's contract has CMMC requirements and they're passing CUI down to you, you need certification too.

Primes are getting more aggressive about this. Some are already telling subs: "Get certified or we'll find someone else."

What to Do If You See CMMC Language in a Bid TODAY

Step 1: Check the required CMMC level

Look for the DFARS clause. It will specify Level 1, 2, or 3.

Step 2: Check if C3PAO is required or self-assessment is allowed

The solicitation will state "CMMC Level 2 (Self)" or "CMMC Level 2 (C3PAO)."

If it says C3PAO, you can't self-assess. You need a third-party assessor.

Step 3: Check your current status

  • Not certified at all? You're ineligible for this bid.
  • Certified at the wrong level? Also ineligible.
  • Certified but approaching expiration? Better renew before contract award.

Step 4: Decide if you can comply by contract award

  • Level 1 self-assessment: Can do in 2-4 weeks if you're prepared
  • Level 2 self-assessment: 3-6 months if starting from scratch
  • Level 2 C3PAO: 6-12 months (assessment takes weeks, but prep takes months)

If the contract award is in 30 days and you need Level 2 C3PAO, you're probably not getting this one. Start working on the next bid.

Common Mistakes Right Now

Mistake 1: "I'll deal with it when I win the contract"

No. You need to be certified (or in process with proof of timeline) before award. Some solicitations allow you to be "in process" but you better have a C3PAO assessment scheduled and a realistic completion date.

Mistake 2: "Small shops don't need this yet"

Wrong. No small business exemption. No "I only make a few parts" exemption. If you handle CUI on a DoD contract, you need Level 2. Company size doesn't matter.

Mistake 3: "Phase 1 is just self-assessments so I can do it myself"

Risky. The contracting officer can demand C3PAO at their discretion. If your competitor gets C3PAO and you only have self-assessment, guess who looks more credible?

Plus, self-assessment still means you have to ACTUALLY comply with all 110 NIST 800-171 controls. It's not a free pass. It's just cheaper validation.

Mistake 4: "I'll wait until Phase 2 in November 2026"

By then, C3PAOs will be even more backlogged. Right now there are only 83 certified C3PAOs for 118,000+ contractors who need assessments.

The waiting list is getting longer every week.

Timeline Reality Check

Let's say you're starting from zero today (December 2025):

Level 1 (Self-Assessment):

  • Implement FAR 52.204-21 requirements: 2-4 weeks
  • Self-assess and document: 1 week
  • Submit to SPRS: Same day
  • Total: 3-5 weeks

Level 2 (Self-Assessment):

  • Gap analysis: 2-4 weeks
  • Implement 110 NIST controls: 3-6 months (depends on starting point)
  • Document everything: 2-4 weeks
  • Self-assess: 2 weeks
  • Submit to SPRS: Same day
  • Total: 4-8 months

Level 2 (C3PAO Assessment):

  • Everything above PLUS:
  • Find and schedule C3PAO: 2-8 weeks (depends on availability)
  • C3PAO assessment: 1-3 weeks
  • Remediation of findings: 2-6 weeks
  • Final certification: 1 week
  • Total: 6-12 months

Notice the range? That's because it depends on your current state. If you're already doing most of NIST 800-171, you'll be faster. If you're starting cold, you're looking at the long end.

What Phase 1 Actually Means

Phase 1 isn't a trial period. It's selective enforcement.

The DoD is starting with select contracts — typically those involving sensitive CUI or critical technologies. But it's ramping up fast.

By November 2026 (start of Phase 2), C3PAO assessments become mandatory for most Level 2 contracts. Self-assessment won't be an option anymore except for specific low-risk scenarios.

By November 2028, all applicable contracts will require CMMC. No exceptions.

The Bottom Line

Phase 1 started November 10, 2025. It's not coming. It's here.

If you bid on DoD contracts, you're going to see CMMC requirements. If you're not certified, you're not eligible.

No grace period. No small business exemption. No "I'll deal with it later."

The clock is running.


Next Steps:

Not sure what level you need? Take our 2-minute compliance quiz to find out.

Need to understand what CMMC actually requires? Read our NIST 800-171 controls priority guide.

Already certified but worried about False Claims Act risk? Check out our post on FCA enforcement.