by Mojave Research

CMMC Phase 1 Is Live: What Defense Contractors Need to Know Now

CMMC 2.0 Phase 1 took effect November 10, 2025. Self-assessments for Level 1 and select Level 2 contracts are now required. Here's what you need to know.

The Clock Is Running

CMMC 2.0 Phase 1 became effective on November 10, 2025, when the DFARS final rule implementing 32 CFR Part 170 took effect. This is not a future compliance milestone — it is the current operating reality for every organization in the defense industrial base. The Department of Defense is now including CMMC requirements in new solicitations and contract awards, and contractors without completed assessments face immediate risk to their recompete pipeline.

Phase 1 requires self-assessments for CMMC Level 1 (Federal Contract Information) and allows self-assessments for a subset of Level 2 contracts (Controlled Unclassified Information). A limited number of Level 2 contracts may require C3PAO third-party assessments at DoD’s discretion. The three-year phased rollout continues with Phase 2 (November 2026), which broadly requires Level 2 C3PAO assessments and may introduce Level 3 DIBCAC assessments, and Phase 3 (November 2027), which makes C3PAO certification universal.

What Is Required Now

Level 1 contractors must complete a self-assessment against the 15 basic safeguarding requirements in FAR 52.204-21 and upload their results to the Supplier Performance Risk System (SPRS). This applies to any organization handling Federal Contract Information.

Level 2 contractors must implement all 110 security requirements from NIST SP 800-171 Rev 2. Depending on the contract designation, this requires either a self-assessment or a third-party assessment by an authorized C3PAO. Assessment results must be posted to SPRS with an accurate score.

Contractors should expect Contracting Officers to verify SPRS scores during source selection. An absent or outdated score is functionally equivalent to a disqualification.

Common Failure Points

Based on our experience supporting defense contractors on CMMC readiness across the Agentic Secure Group ecosystem, these are the failure patterns we see most frequently:

  • Incomplete System Security Plans (SSP). The SSP must document every control implementation across every system in scope. Partial documentation or generic template language will not pass assessment. Assessors are trained to probe for specifics.
  • Undocumented Plans of Action and Milestones (POA&M). Open items are acceptable under specific conditions, but they must be formally documented with realistic timelines, assigned owners, and resource allocations. A POA&M without a remediation path signals systemic weakness.
  • CUI boundary scope creep. Organizations frequently underestimate where CUI resides in their environment. Email, file shares, collaboration tools, backup systems, and even print queues can bring systems into scope. Defining and enforcing CUI boundaries is one of the highest-impact activities for reducing assessment complexity.
  • Inherited control confusion. Cloud service providers may satisfy some controls, but the shared responsibility model means the contractor retains accountability. Misunderstanding what your CSP covers versus what you own is a common source of gaps.

Mojave Research Delivery Model

Our CMMC practice follows a four-step delivery model designed to get contractors from gap identification to assessment-ready status as efficiently as possible:

  1. Gap Analysis. Comprehensive review of your current security posture against NIST 800-171 requirements. We identify every gap, not just the obvious ones, and produce a prioritized findings report.
  2. Remediation Planning. Detailed roadmap with specific technical and procedural actions, timelines, and resource requirements. We map remediation activities to your existing IT roadmap to minimize disruption.
  3. Implementation. Hands-on support for policy development, technical control deployment, SSP documentation, and POA&M management. We work alongside your team, not around them.
  4. Assessment Preparation. Mock assessments, evidence package review, and interview preparation. Our team has direct experience with C3PAO assessment methodology and knows what assessors look for.

Act Now

Contractors without completed assessments risk losing recompete opportunities. Prime contractors are increasingly flowing CMMC requirements down to subcontractors, which means even small businesses deep in the supply chain need to demonstrate compliance readiness.

The Phase 1 window will not last forever. Phase 2 (November 2026) broadens mandatory C3PAO third-party assessments for Level 2 contracts, and Phase 3 (November 2027) makes C3PAO certification universal. Organizations that wait will face longer assessment queues, higher costs, and greater business risk.

Book a CMMC readiness triage with our compliance team. We will assess where you stand, identify your highest-risk gaps, and give you a realistic timeline to assessment readiness — in a single 30-minute session.