The contractors clearing CMMC assessments six months into Phase 1 aren’t the ones with the most controls implemented. They’re the ones whose evidence held up when an assessor pulled the thread.
That sentence would have read like a minor procedural footnote in the run-up to November 10, 2025. The consensus going into Phase 1 was that the 110 NIST 800-171 controls were the constraint. Build the program, document the controls, walk into the room. Six months on, that framing has held up poorly. The actual binding constraint turned out to live one layer down, in the evidence trail under each control, and in the assessor capacity available to look at it.
This is a retrospective on the first six months. What the industry expected, what the contracts actually said, what assessors have been flagging, what’s worked better than predicted, and what the pattern means for Phase 2 in November.
What the Industry Expected Going In
The consensus view in late 2025 was easy to summarize. Phase 1 would be a controlled rollout. Solicitations would start carrying Level 1 and Level 2 (Self) clauses on a selective basis. Most contractors would have time. The risk-bearing decision was whether to start preparation now or wait for a specific solicitation to force the question. The implicit assumption underneath all of that was that the work, once a contractor committed to it, was bounded and well-understood. Hire a consultant, run a gap assessment, remediate the 110 controls, post a score to SPRS, move on.
That model had been the operating mode of the defense industrial base since DFARS 252.204-7012 went live in 2017. The CMMC final rule was new. The work it required was not. Most contractors approached Phase 1 the way they had approached the prior eight years of NIST 800-171 self-attestation, which is to say with a spreadsheet, an MSP, and a plan to “be ready by the time it actually mattered.”
The piece of the consensus that proved most wrong was the assumption that preparation effort and assessment outcome were closely coupled. Many contractors did the control work. Far fewer survived the part that came after.
What Contract Language Has Actually Looked Like
The contract patterns over Phase 1’s first six months have followed the policy outline more closely than the rollout cynicism predicted. Solicitations have appeared with CMMC clauses. The DoD selected which programs got tagged, and the selection has been weighted toward contracts that handle CUI in volume. That tracks the rule’s intent.
What’s been instructive is the language inside those clauses. The clauses don’t just say “the contractor shall hold a Level 2 self-assessment.” They specify when the assessment must be current, where the score must be posted, what level of detail SPRS expects, and what happens to a contractor whose score drifts mid-contract. Procurement officers, working with rules they hadn’t operationalized before November, wrote increasingly specific language as they encountered ambiguity in the early implementations.
The other pattern in contract language is the speed with which it propagated downstream. Primes that had been gradually working toward CMMC compliance got faster when prime contracts started carrying flow-down language. A subcontractor’s first encounter with CMMC requirements wasn’t always a DoD solicitation. Often it was an email from the prime saying that the subcontract’s terms had been updated and the subcontractor had ninety days to provide evidence of their compliance posture. That language wasn’t always precise, but it was always urgent.
For contractors who had assumed they were far enough down the supply chain to wait, the flow-down was the wake-up. Phase 1 didn’t have to touch your specific solicitation to touch your business. The tier-three subcontractor making a single component for a single subsystem got the same flow-down clause the prime received, just transmitted two contractual layers later, often with less guidance about what it meant.
A second contract-language pattern worth naming is how procurement language handled the gap between solicitation and award. The early solicitations sometimes treated CMMC posture as a pre-bid condition, sometimes as a pre-award condition, and sometimes as a post-award certification that had to be in place by start of performance. The variance wasn’t malicious. It was procurement officers writing language under time pressure, with no settled template. The variance mattered for contractors planning their assessment schedule against a target solicitation. The bid date and the award date and the start-of-performance date could each carry a different proof requirement, and the contractor’s compliance calendar had to map onto all three.
The Assessor Capacity Story
The assessor side of Phase 1 has played out the way the capacity arithmetic predicted, only faster. DIBCAC commentary through the first half of the rollout has tracked C3PAO throughput closely. Practitioner retrospectives circulating in the C3PAO community through Q1 and Q2 of 2026 have shown a consistent pattern: C3PAOs are operating at or near capacity for the contractors who are ready to assess, and the queue is forming behind contractors who haven’t yet completed readiness.
The constraint isn’t the number of Authorized C3PAOs. It’s the number of qualified assessment teams those C3PAOs can field. A C3PAO with the certification but without enough lead assessors and team members at the required experience level can hold the letter on the wall without scheduling many assessments. The pattern across the first six months has been that scheduling backs up to the next available qualified team, not to the next available C3PAO.
What this has meant for contractors is that “we’re CMMC-ready” has not been a complete plan. The complete plan has included a scheduled assessment date on a specific assessor’s calendar. Contractors who got that date locked in early are progressing. Contractors who finished their internal readiness in March or April are quoting summer or fall start dates.
The capacity constraint is one of two reasons Phase 2 preparation cannot be treated as a future problem.
The Evidence-Quality Reckoning
The second reason, and the real surprise of Phase 1, has been the evidence layer. This is the part of the rule that nobody put in slides going into November.
A contractor walks in with the 110 controls implemented. The implementation is real. The technology is configured, the policy is written, the training has been delivered. The assessor pulls a control at random and asks for the evidence behind it. What gets produced is a screenshot from eight months ago, a policy document with the wrong revision number, an email thread that establishes intent but not execution, and a configuration export that doesn’t match the live state. The control was implemented. The evidence didn’t survive contact with an assessor.
This is the failure mode that has shown up consistently across early assessment feedback. Practitioner-published lead-assessor checklists, public discussions from C3PAO practitioners through the spring, and the kind of post-assessment forensics contractors have been sharing in industry forums all point to the same thing. Assessors are flagging evidence quality more often than they’re flagging missing controls. The technical posture isn’t the problem. The proof of it is.
There’s a structural reason. Evidence assembled after the fact, from email folders, screenshot archives, and consultant notes, doesn’t hold together when an assessor traces a control to its supporting artifacts. The traces don’t match. The dates don’t line up. The artifacts contradict each other because they were captured at different points in time, by different people, against different versions of the environment. A self-assessment can survive this. A third-party look cannot.
The contractors clearing assessments are the ones who treated evidence as a byproduct of their work, not an output of their preparation. The work happens. The evidence is captured at the moment the work happens. The artifact lives in a system, not in a folder, and the system enforces the link between the action and the proof.
This pattern explains why some assessments that looked likely to clear on the strength of the contractor’s technical posture stalled, and why some assessments that looked closer to the line cleared cleanly. The technical posture and the evidence posture aren’t the same posture. A contractor with mature security and immature evidence discipline arrives with the right answers and the wrong proof. A contractor with the discipline to capture evidence as part of routine operations arrives with answers and proof that match.
The shift in mindset is small in words and large in practice. The work no longer ends when the control is implemented. It ends when the control is implemented and the proof of implementation is recorded in a place an assessor can pull it from, with a date, an owner, and a traceable connection to the requirement it satisfies. Anything short of that is preparation, not completion.
What’s Worked Better Than Expected
A few things have outperformed the late-2025 consensus.
The first is partner readiness. The RPO and consultant community spent 2024 and 2025 building muscle that turned out to be exactly the muscle Phase 1 needed. The advisors who survived the early rollout and learned from it are now running engagements faster, with cleaner handoffs to assessors. The gap between “we have a consultant” and “we have an assessor-ready package” closed.
The second is the SPRS infrastructure. Whatever criticism the score-posting workflow deserved before November, it has performed adequately under Phase 1 load. Contractors are getting scores in. Procurement is reading them. The pieces fit together, if not gracefully.
The third is the absence of mass enforcement actions. Phase 1 has not produced a wave of False Claims Act suits against contractors with weak scores. The legal exposure is real and it’s growing, but the early enforcement narrative has been corrective rather than punitive. That has bought the supply chain a few extra months to fix what’s broken.
None of these wins are cause for relaxation. They’re the conditions under which the harder thing, Phase 2, becomes possible.
What Phase 1 Tells Us About Phase 2
Phase 2 begins November 10, 2026. The contract language stops treating Level 2 self-assessment as adequate proof on the solicitations that require C3PAO certification. The full discussion of that mechanic is in the Phase 2 countdown piece, but the retrospective angle is simpler.
Phase 1 surfaced the binding constraint. Phase 2 forces every contractor who deferred preparation to confront it under deadline. The capacity arithmetic, which has already produced multi-month assessor queues at Phase 1 demand, gets worse. The evidence-quality reckoning, which has been a difficult but recoverable conversation under self-assessment, becomes a credentialing failure under third-party review.
The contractors who are positioned to clear Phase 2 are the ones who applied the Phase 1 lessons in real time. They scheduled the assessment. They captured evidence in flow. They didn’t optimize for the most controls implemented. They optimized for the cleanest trace from each control to its supporting proof.
That is a different operational discipline than what most of the industrial base was running on twelve months ago. Six months hasn’t been long enough to change it everywhere. It’s been long enough to make clear what needs to change.
The lesson from the first six months isn’t “do more controls.” It’s “make every action end in evidence that can survive a stranger reading it.” The contractors who internalize that distinction now have six more months of Phase 1 to operationalize it before Phase 2 stops giving them a choice.
For background on the original Phase 1 launch and what it changed in contract language, see Pentagon Sets CMMC Start Date. For the assessor capacity arithmetic in detail, see the CMMC bottleneck. For the evidence-trail mechanics that have driven the Phase 1 failure pattern, see the evidence gap and the audit reality check. For where the contractor base actually stands, see the CMMC readiness statistics.
The next six months will determine which contractors carry that lesson into Phase 2 with the work already done, and which ones learn it twice.
References · 4 official sources
| Source | What it covers | Type |
|---|---|---|
| 32 CFR Part 170 (CMMC Program Rule) | 32 CFR Part 170 — codifies the four-phase implementation that began 16 December 2024; Phase 1 is the current operating window | Regulation |
| DFARS 252.204-7012 (Safeguarding Covered Defense Information) | DFARS 252.204-7012 — the underlying CUI obligation that has been in force since 2017 and shaped the pre-Phase-1 contractor posture | Regulation |
| DFARS 252.204-7021 (CMMC Level Requirements) | DFARS 252.204-7021 — adds CMMC level requirements to procurement; the clause language that propagated through prime-to-sub flow-downs during Phase 1 | Regulation |
| NIST SP 800-171 Rev 2 | NIST SP 800-171 Revision 2 — the 110 requirements that Level 2 self- and certification-assessments evaluate | Standard |