Key CMMC Requirements Starting November 10th, 2025
Beginning November 10th, 2025, all Department of War contracts will require at least CMMC Level 1, with companies handling Controlled Unclassified Information (CUI) needing to meet Level 2.
If your current contract includes DFARS 7012, you will automatically be required to meet a minimum of CMMC Level 2.
This date marks the launch of Phase 1 of CMMC, where contractors at both levels will be required to self-attest to their compliance. At Level 2 this involves:
01 A minimum SPRS score of 88/110.
02 Using a Plan of Action & Milestones (POA&M) for eligible gaps.
03 Reaching 110/110 within 6 months of contract award.
It’s also important to note that self-attestation is not the final step for most organizations. While Phase 1 of the CMMC rollout allows many companies to move forward with self-assessments, 94% of Level 2 companies will eventually need to undergo a third-party audit by a C3PAO to remain eligible for larger or more sensitive defense contracts. Preparing now will help contractors avoid costly delays once third-party reviews become mandatory.
This is a breakdown of small and large entities across CMMC compliance levels under the phased rollout. The 48 CFR linked here showed the following projected distributions of CMMC certifications across the Defense Industrial Base (DIB).
Critical Compliance Points
Scoring is one of the most critical aspects of CMMC compliance. Contractors must achieve at least 88 out of 110 points to qualify for conditional certification, provided any remaining gaps are limited to lower-impact requirements. Under these rules, only 1-point controls may be deferred using a Plan of Action and Milestones (POA&M). In contrast, all 5-point and 3-point controls—which typically cover more critical practices—must be fully implemented before certification can be granted. This structure ensures that companies cannot bypass the most important cybersecurity safeguards.
Enforcement and Risks
01 I’m not ready for CMMC. Can I get a waiver?
Some contractors may assume they can rely on waivers to buy time, but waivers are extremely limited and rarely granted. Once a solicitation is published, no certification waivers are available. Only 15 senior DoD officials hold the authority to approve waivers, and even then, waivers can only be issued during the pre-solicitation stage. That means trying to secure a waiver during the solicitation stage is impossible, making proactive compliance the only viable strategy.
02 Can I bid on contracts without CMMC?
Yes, you can technically submit a proposal without having your CMMC certificate in hand. However, the typical 30–60 day period between proposal submission and award is not enough time to achieve compliance from scratch. Contractors who prepare early gain a major competitive advantage. If you are not compliant at the time of award, you risk breach of contract and False Claims Act exposure.
03 What happens if I fall out of compliance with CMMC during my contract?
The consequences of falling short are significant. Contractors who fail to maintain compliance risk not only termination of existing contracts but also loss of eligibility for future awards. Contracting officers also retain discretion in cases where companies fail to reach full compliance within the six-month remediation window, with remedies ranging from financial penalties to outright contract loss.
04 Will anyone check my self-assessment for CMMC?
Yes. Although self-assessments are submitted by the contractor, they are subject to review and enforcement. The Department of Justice is actively using the False Claims Act to pursue companies that overstate or misrepresent their compliance status. Inaccurate reporting can lead to financial penalties, reputational damage, and even contract loss. To remain competitive, and to protect your business, it’s critical to begin compliance preparations now and ensure your self-assessment is accurate. For examples of small companies the DoW has come after, see Morse and AeroTurbine.