by Mojave Research

CMMC Phase 1 Is Live: What Defense Contractors Need to Know Now

CMMC 2.0 Phase 1 took effect November 10, 2025. Self-assessments for Level 1 and select Level 2 contracts are now required. Here's what you need to know.

The Clock Is Running

CMMC 2.0 Phase 1 became effective on November 10, 2025, when the DFARS final rule implementing 32 CFR Part 170 took effect. This is not a future compliance milestone — it is the current operating reality for every organization in the defense industrial base. The Department of Defense is now including CMMC requirements in new solicitations and contract awards, and contractors without completed assessments face immediate risk to their recompete pipeline.

Phase 1 requires self-assessments for CMMC Level 1 (Federal Contract Information) and allows Level 2 (Self) status for applicable awards. During Phase 1, DoD may, at its discretion, require Level 2 (C3PAO) status in place of Level 2 (Self). Phase 2 begins one calendar year after Phase 1 starts; Phase 3 and Phase 4 continue the phase-in over the following two years.

What Is Required Now

Level 1 contractors must complete a self-assessment against the 15 basic safeguarding requirements in FAR 52.204-21 and upload their results to the Supplier Performance Risk System (SPRS). This applies to any organization handling Federal Contract Information.

Level 2 contractors must implement all 110 security requirements from NIST SP 800-171 Rev 2. Depending on the contract designation, this requires either a self-assessment or a third-party assessment by an authorized C3PAO. Assessment results must be posted to SPRS with an accurate score.

Contractors should expect Contracting Officers to verify SPRS scores during source selection. An absent or outdated score is functionally equivalent to a disqualification.

Common Failure Points

These are the failure patterns we see most frequently in CMMC readiness engagements:

  • Incomplete System Security Plans (SSP). The SSP must document every control implementation across every system in scope. Partial documentation or generic template language will not pass assessment. Assessors are trained to probe for specifics.
  • Undocumented Plans of Action and Milestones (POA&M). Open items are acceptable under specific conditions, but they must be formally documented with realistic timelines, assigned owners, and resource allocations. A POA&M without a remediation path signals systemic weakness.
  • CUI boundary scope creep. Organizations frequently underestimate where CUI resides in their environment. Email, file shares, collaboration tools, backup systems, and even print queues can bring systems into scope. Defining and enforcing CUI boundaries is one of the highest-impact activities for reducing assessment complexity.
  • Inherited control confusion. Cloud service providers may satisfy some controls, but the shared responsibility model means the contractor retains accountability. Misunderstanding what your CSP covers versus what you own is a common source of gaps.

Mojave Research Delivery Model

Our CMMC practice follows a four-step delivery model designed to get contractors from gap identification to assessment-ready status as efficiently as possible:

  1. Gap Analysis. Comprehensive review of your current security posture against NIST 800-171 requirements. We identify every gap, not just the obvious ones, and produce a prioritized findings report.
  2. Remediation Planning. Detailed roadmap with specific technical and procedural actions, timelines, and resource requirements. We map remediation activities to your existing IT roadmap to minimize disruption.
  3. Implementation. Hands-on support for policy development, technical control deployment, SSP documentation, and POA&M management. We work alongside your team, not around them.
  4. Assessment Preparation. Mock assessments, evidence package review, and interview preparation. Our team has direct experience with C3PAO assessment methodology and knows what assessors look for.

Act Now

Phase 2 begins November 10, 2026 (one calendar year after Phase 1 start). Read our Phase 2 countdown briefing for the full timeline and what it means for Level 2 contracts. The phase-in continues through Phase 3 and Phase 4 over the following two years.

The contractors who wait face compressed timelines, scarce assessment slots, and higher costs. MRI has a Registered Practitioner on staff and is onboarding engagements now.

Book a readiness triage. We’ll tell you where you stand, what your highest-risk gaps are, and what a realistic path to assessment-ready looks like — in 30 minutes. See our full capabilities for procurement details, CAGE code, and NAICS coverage.
