The speculation is over. The DoD has confirmed that CMMC enforcement begins with the 48 CFR rule taking effect, initiating Phase 1 in late 2025. Solicitations will start including CMMC requirements as a condition of contract award. For the 250,000+ companies in the defense industrial base, the compliance clock that’s been ticking in theory is now ticking in contract language.
What does this actually change for contractors? Less than some fear, more than most are prepared for.
What Phase 1 Means
Phase 1 is a controlled rollout, not a cliff. The DoD won’t flip a switch and require CMMC certification on every contract simultaneously. Instead, CMMC requirements will appear in select solicitations, starting with contracts that the DoD designates for inclusion.
During Phase 1, the DoD will begin including CMMC Level 1 self-assessment and Level 2 self-assessment requirements in applicable solicitations and contracts. This means contractors will need to demonstrate compliance status before award. The key word is “applicable.” Not every contract will carry a CMMC clause on day one.
But “not every contract” isn’t the same as “not your contract.” Contractors who assume they have time because Phase 1 is limited are making a bet on which solicitations get tagged first. If a contract you’re pursuing is among them, you either have the required status or you don’t.
The Phase Timeline
The enforcement rollout follows a phased approach:
Phase 1 introduces CMMC Level 1 and Level 2 self-assessment requirements in select solicitations. Contractors bidding on these must have their assessment completed and results posted to SPRS before award.
Phase 2 adds Level 2 C3PAO certification requirements. This is where independent third-party assessment becomes a contract condition. If your contract requires Level 2 (C3PAO), a self-assessment won’t satisfy the requirement. You need an Authorized C3PAO from The Cyber AB Marketplace to evaluate your environment.
Phase 3 extends the requirement to Level 3, affecting contractors handling the most sensitive CUI categories and requiring government-led assessment on top of C3PAO certification.
Phase 4 is full implementation. Every applicable DoD contract carries the requirement.
The transition between phases depends on rulemaking and rollout decisions that the DoD controls. What contractors need to understand is that each phase builds on the previous one, and the preparation for later phases starts now.
Why the Window Is Shorter Than It Looks
Here’s where most contractors miscalculate. They see “Phase 1” and think they have years. The math doesn’t support that.
A contractor starting from scratch today needs 12 to 18 months to reach Level 2 assessment readiness. That’s not a conservative estimate. That’s the timeline for an organization that moves with purpose: scoping the CUI boundary, running the gap assessment, remediating controls, building documentation, collecting evidence, and conducting a readiness review before engaging a C3PAO.
If Phase 2 begins even 12 months after Phase 1, contractors who haven’t started preparation are already behind schedule. And that’s assuming everything goes smoothly: that your MSP can support the timeline, that procurement cycles for security tools land on time, and that documentation doesn’t stall because nobody is assigned to write it.
In practice, contractors who start with more than a year of runway spend substantially less and experience far less organizational disruption than those who compress the work into six months or fewer. The preparation doesn’t compress well. The work is sequential, and bottlenecks in early phases cascade into later ones.
What Contractors Should Do Now
If you haven’t started preparation: The best time was a year ago. The second best time is this week. Begin with scoping. Identify where CUI lives in your environment. Define the boundary. Everything else builds from there.
Already mid-preparation? Check your timeline against the enforcement phases. Are you tracking toward the assessment type your contracts will require? If you’ve been building toward self-assessment but your contracts may require C3PAO certification, the effort doesn’t reset, but the standard of evidence and documentation rigor increases.
Not sure where you stand relative to the enforcement timeline? Check your readiness to see how your current compliance posture maps against the requirements.
Think your contracts won’t be affected in Phase 1? You might be right. But the contractors who consistently come out ahead in CMMC preparation are the ones who didn’t wait for their specific solicitation to include the clause. They built the compliance program while they had time, not while they were racing a contract deadline.
Among contractors we’ve supported, the ones who started before enforcement pressure hit spent dramatically less on total preparation and reported far less organizational strain than those who started under deadline. That pattern will only intensify as enforcement expands.
The Supply Chain Effect
Phase 1 doesn’t just affect prime contractors bidding on DoD solicitations. It triggers a cascade through the supply chain.
When a prime’s contract requires CMMC, that requirement flows down to every subcontractor handling CUI. Primes don’t wait for the subcontract to be written to verify compliance. They’re building supply chains now based on which subs can demonstrate readiness. If you’re a subcontractor and your prime hasn’t raised CMMC with you yet, that conversation is coming. The question is whether you’ll be ready for it or scrambling when it arrives.
We’re already seeing primes include CMMC status verification as a standard element in teaming agreements and subcontract award decisions. Not just for contracts that currently require it, but proactively for programs they expect will require it within 12 months.
What This Doesn’t Change
The underlying security requirements haven’t changed. CMMC Level 2 maps to the same 110 NIST 800-171 Rev 2 requirements that DFARS 252.204-7012 has required since December 31, 2017. If you’ve been implementing those controls faithfully, Phase 1 adds a verification mechanism for Level 2, not new technical obligations.
What Phase 1 adds is accountability. Self-reported SPRS scores now carry real contractual weight. False or inflated scores increase the practical risk of False Claims Act scrutiny, particularly as the enforcement infrastructure makes score accuracy more visible.
The enforcement start date also doesn’t change the C3PAO capacity landscape. The number of Authorized C3PAOs and qualified assessors hasn’t kept pace with the number of contractors who will need assessments. That’s a scheduling constraint that Phase 1 will expose, not create. Contractors who wait until their solicitation includes the clause will find themselves competing for limited assessor availability with everyone else who waited.
The Position Worth Taking
CMMC enforcement beginning isn’t a surprise. It’s been in motion since the initial rulemaking. What’s changed is that the abstract obligation is now a concrete timeline with contractual consequences.
Contractors who treat this as a compliance checkbox will spend more, take longer, and face more disruption than those who treat it as a security program they maintain continuously. The contractors who are ready for Phase 1 didn’t prepare for Phase 1. They built compliance programs that happen to be ready whenever the enforcement date lands.
That’s the only preparation strategy that scales.
Deep Fathom supports defense contractors and their compliance advisors in building programs that don’t depend on knowing the exact enforcement date. The platform manages gap assessment, remediation, documentation, and evidence continuously, so your readiness posture is current regardless of when CMMC requirements appear in your solicitations.