CMMC Phase 1 is 7 Weeks Away

As the clock ticks down to November 10, 2025, defense contractors face a pivotal moment: the official start of Cybersecurity Maturity Model Certification (CMMC) Phase 1. This phase marks the Department of Defense's (DoD's) initial rollout of mandatory cybersecurity requirements into solicitations and contracts, focusing on self-assessments for Levels 1 and 2. With only about seven weeks left, procrastination is no longer an option: non-compliance could mean ineligibility for award on future DoD contracts. As someone who’s worked in GRC for years and now runs a veteran-owned consultancy, I know most SMEs underestimate how quickly compliance deadlines arrive.

I founded Gruntworks Technology, a Service-Disabled Veteran-Owned Small Business, after years of working in governance, risk, and compliance for enterprises. I’ve seen first-hand how security gaps snowball when teams delay preparation. The good news? With the right plan and the right guidance, contractors can position themselves for success in Phase 1 and beyond.

CMMC is a unified framework designed to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with contractors and subcontractors, addressing longstanding vulnerabilities in the defense supply chain. Unlike the earlier DFARS 252.204-7012 model, which relied on contractor self-attestation alone, CMMC ties the required practices to assessments at tiered levels, with third-party certification for the higher levels. Phase 1 emphasizes foundational self-assessments, providing a grace period before third-party assessments ramp up in later phases. For many small to medium-sized enterprises (SMEs), and DoD estimates that more than 139,000 entities will need Level 1, this is the entry point to compliance. Wait too long, and you’ll find yourself scrambling, spending more, and possibly losing out on bids you thought you’d win.

Understanding CMMC Phase 1: The Basics and Implications

Phase 1, effective November 10, 2025, allows contracting officers to include the CMMC requirement (DFARS clause 252.204-7021) in new solicitations and contracts, making the specified CMMC status a condition of award. It primarily targets:

  • Level 1 Self-Assessments: Required for contracts involving FCI only. This level mandates the 15 basic safeguarding requirements of FAR clause 52.204-21, which cover access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. All 15 must be met, with no POA&M permitted, and contractors must self-assess and affirm annually via the Supplier Performance Risk System (SPRS).

  • Level 2 Self-Assessments: For contracts handling CUI, covering the 110 security requirements of NIST SP 800-171 Rev. 2. A Level 2 self-assessment is valid for three years, with an annual affirmation in SPRS. Assessments by Certified Third-Party Assessment Organizations (C3PAOs) become a contract requirement in Phase 2 for the contracts DoD designates; DoD may require one in Phase 1 at its discretion, but otherwise Phase 1 permits self-assessment.

The rollout is phased to minimize disruption: Phase 1 applies only to new solicitations and contracts that carry the clause, and Phases 2 through 4 add the C3PAO and Level 3 requirements year by year until CMMC applies to all applicable contracts in November 2028. However, primes must flow down the requirement to subcontractors that handle FCI or CUI, amplifying the urgency for the entire supply chain. Failure to comply could mean ineligibility for award, contract terminations, or legal liability, especially as ransomware and other threats target the defense ecosystem.

Step 1: Determine Your CMMC Level and Scope Your Environment

The first critical action is to determine which level your contracts require. Review active and prospective DoD agreements to identify whether you handle FCI only (Level 1) or CUI (Level 2). DoD's CMMC Level 1 and Level 2 Scoping Guides help delineate your assessment boundary: the systems, networks, people, and processes that store, process, or transmit FCI or CUI, plus the security tools that protect them. For Level 2 the guide sorts assets into categories (CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets), and that categorization determines what an assessor will examine.

Assign a dedicated compliance lead or team immediately. This individual (or team) should coordinate with IT, legal, and leadership to map assets: servers, endpoints, cloud environments, and even remote work setups. For SMEs, this might involve simple spreadsheets; larger firms may need automated tools. Over-scoping inflates costs by pulling systems into the boundary that never touch FCI or CUI; under-scoping leaves CUI unprotected and makes your affirmation indefensible if it is ever examined.

Step 2: Conduct a Gap Analysis and Self-Assessment

With scope defined, perform a thorough gap analysis against the relevant controls. For Level 1, walk the 15 requirements of FAR 52.204-21 using DoD's CMMC Level 1 Self-Assessment Guide. Level 2 requires a deeper dive: all 110 NIST SP 800-171 requirements across its 14 families, evaluated against the assessment objectives in NIST SP 800-171A, covering domains such as access control, incident response, and system and information integrity.

Leverage free resources from the DoD CIO website, including the CMMC-101 guide, to document your current state. Identify deficiencies, perhaps multi-factor authentication that is not enforced for every user or inadequate security awareness training, and prioritize remediation. Engage third-party consultants if internal expertise is lacking; many offer readiness assessments tailored to Phase 1 timelines.

Pro tip: If you engage outside help, make sure they’re certified by Cyber-AB. That’s the path I’m on right now, so I know how important it is to stay current.

Document everything meticulously. For Level 1, the result entered in SPRS is simply whether all 15 requirements are met. For Level 2, you enter a score out of 110, computed under the NIST SP 800-171 DoD Assessment Methodology, in which each unmet requirement subtracts 1, 3, or 5 points, and the assessment must be backed by a system security plan (SSP), which is itself a Level 2 requirement (3.12.4). In both cases a senior company official affirms continuing compliance in SPRS, and those records serve as your compliance proof. This step alone can take weeks, so start now to avoid last-minute scrambles.

Step 3: Implement Controls and Build Processes

This is where the rubber meets the road: policy turns into actual controls. Implement missing controls: deploy endpoint detection, enforce least-privilege access with multi-factor authentication, and establish and exercise an incident response plan. For cloud users handling CUI, DFARS 252.204-7012 requires that the cloud service be FedRAMP Moderate authorized or meet DoD's equivalency requirements; FCI-only Level 1 environments carry no FedRAMP requirement, but you still need your provider's shared-responsibility documentation to show which Level 1 practices you inherit from it.

Develop policies for ongoing maturity: training programs, continuous monitoring, and POA&Ms (Plans of Action and Milestones) for unresolved gaps. Know the limits before you lean on a POA&M: Level 1 permits none, and a Level 2 POA&M is allowed only when your score is at least 88 of 110 and the open items are 1-point requirements (3.13.11 may be on the POA&M when it carries a 3-point deduction; 3.1.20, 3.1.22, 3.10.3, 3.10.4, and 3.10.5 never can), with every item closed within 180 days. Integrate CMMC into your broader cybersecurity strategy and don't treat it as a checkbox exercise. Test your setup with tabletop exercises or mock assessments to simulate real-world scenarios.
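To make the Level 2 scoring and POA&M rules from Steps 2 and 3 concrete, here is a small Python calculator. It is an added example, not part of the original article and not a DoD or Cyber AB tool; it implements the scoring rules as I read them in the NIST SP 800-171 DoD Assessment Methodology and 32 CFR 170.21, and the requirement weights in SAMPLE_WEIGHTS are a constructed subset of the 110-item table (the full table lives in the methodology). Verify the logic against the current rule text before using it for a real submission.

```python
"""
CMMC Level 2 self-assessment score and POA&M eligibility check.

Rules implemented (as I read the DoD Assessment Methodology and 32 CFR 170.21):
  - start at 110 and subtract each NOT MET requirement's weight (5, 3, or 1);
  - 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) lose 3 instead of 5
    when partially implemented;
  - conditional Level 2 status needs a score of at least 88 (80% of 110);
  - only 1-point items may sit on the POA&M, except 3.13.11 when its
    deduction is 3, and never 3.1.20, 3.1.22, 3.10.3, 3.10.4, or 3.10.5;
  - POA&M items must be closed within 180 days of the assessment.
SAMPLE_WEIGHTS is a constructed subset; use the full 110-item table in practice.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_POINTS = 110
CONDITIONAL_THRESHOLD = 88              # 0.8 * 110
POAM_CLOSEOUT_DAYS = 180
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}   # partial implementation deducts 3, not 5
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

# Constructed sample of requirement weights (a subset of the 110-item table).
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.5": 3, "3.1.20": 1, "3.5.3": 5,
    "3.8.3": 5, "3.10.3": 1, "3.13.8": 3, "3.13.11": 5,
}


@dataclass(frozen=True)
class Finding:
    req: str
    status: str  # "met", "not_met", or "partial" (3.5.3 and 3.13.11 only)


def deduction(finding, weights=SAMPLE_WEIGHTS):
    """Points subtracted for one requirement."""
    if finding.status == "met":
        return 0
    if finding.status == "partial":
        if finding.req not in PARTIAL_CREDIT:
            raise ValueError(f"{finding.req} has no partial-credit rule")
        return 3
    if finding.status == "not_met":
        return weights[finding.req]
    raise ValueError(f"unknown status {finding.status!r}")


def level2_score(findings, weights=SAMPLE_WEIGHTS):
    """SPRS-style score: 110 minus all deductions (it can go negative)."""
    return TOTAL_POINTS - sum(deduction(f, weights) for f in findings)


def level2_poam_check(findings, weights=SAMPLE_WEIGHTS):
    """Return (eligible, reasons): may the open items go on a POA&M
    for conditional Level 2 status, or must they be fixed first?"""
    reasons = []
    score = level2_score(findings, weights)
    if score < CONDITIONAL_THRESHOLD:
        reasons.append(f"score {score} is below the {CONDITIONAL_THRESHOLD}-point minimum")
    for f in findings:
        d = deduction(f, weights)
        if d == 0:
            continue
        if f.req in NEVER_ON_POAM:
            reasons.append(f"{f.req} may never be placed on a POA&M")
        elif d > 1 and not (f.req == "3.13.11" and d == 3):
            reasons.append(f"{f.req} deducts {d} points and must be remediated before assessment")
    return (not reasons, reasons)


def poam_closeout_deadline(assessment_iso_date):
    """Last day (ISO string) to close every POA&M item."""
    closeout = date.fromisoformat(assessment_iso_date) + timedelta(days=POAM_CLOSEOUT_DAYS)
    return closeout.isoformat()


def level1_passes(findings):
    """Level 1 is pass/fail: every requirement met, no POA&M, no partial credit."""
    return all(f.status == "met" for f in findings)


if __name__ == "__main__":
    # Constructed sample: MFA only on remote/privileged accounts, non-FIPS
    # encryption, and CUI in transit not encrypted.
    sample = [
        Finding("3.1.1", "met"), Finding("3.1.5", "met"),
        Finding("3.5.3", "partial"), Finding("3.13.11", "partial"),
        Finding("3.13.8", "not_met"),
    ]
    print("score:", level2_score(sample))
    print("POA&M eligible:", level2_poam_check(sample))
    print("POA&M closeout by:", poam_closeout_deadline("2025-11-10"))
```

The sample deliberately shows the trap practitioners hit most often: partial MFA keeps the score high (101), but 3.5.3 has no POA&M exception, so the organization cannot claim conditional status until MFA covers general users too.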

Budget wisely: costs for CMMC readiness vary widely depending on size and scope. Some small contractors can get started for around $5,000 for basic Phase 1 Health Checks, while more complex Level 2 prep can run into six figures. The Cyber AB (formerly the CMMC Accreditation Body) maintains the marketplace of authorized C3PAOs and Registered Practitioner Organizations; note that it is DoD's accreditation partner, not a DoD office.

Common Pitfalls and How to Avoid Them

Many contractors underestimate supply chain ripple effects, assuming primes handle everything, but flow-down clauses make subcontractors that handle FCI or CUI equally accountable. Others treat Phase 1 as a "free pass," ignoring that self-assessments must be defensible: the affirmation is a representation to the government, and a false one creates False Claims Act exposure of the kind the Department of Justice has pursued under its Civil Cyber-Fraud Initiative.

Avoid siloed efforts, and stay informed through DoD updates, since timelines could still shift. Whatever the timeline does, the preparation itself builds resilience.

Resources and Next Steps

Tap into official DoD portals for templates and webinars. The Cyber AB marketplace lists authorized C3PAOs, which is useful even though a C3PAO assessment is not required in Phase 1 unless DoD specifies one for your contract. Consider partnerships with compliant MSPs specializing in Microsoft Government Cloud (GCC High for CUI) for streamlined implementation.

In conclusion, CMMC Phase 1 isn't just regulatory hoop-jumping; it's a safeguard for national security and your business viability. With seven weeks left, start your gap analysis, document your controls, and rally your team.

At Gruntworks, my mission is to help SMEs and defense contractors cut through the jargon and get ready without wasting time or money. Whether it’s a readiness health check, an SSP/POA&M package, or a training session for your staff, I can help you navigate CMMC with confidence.

If you’d like to explore how we can get your organization Phase 1 ready, let’s talk. Schedule your free 15-minute readiness consult by emailing me at glenn@gruntworks.tech, and I’ll get you on the calendar. Future contracts could depend on it, and I’d be glad to guide you through.