CMMC is no longer a future requirement. It is not a pilot program. It is not something that applies only to large prime contractors. As of November 2025, CMMC requirements are written into active DoD solicitations, and if you're bidding on contracts that involve Controlled Unclassified Information, the compliance clock is running right now.

Here's what's actually happening, and what it means for your business.

The Two Phases You Need to Understand

Phase 1: Live as of November 2025

Phase 1 applies to contracts requiring CMMC Level 1 (basic safeguarding of Federal Contract Information) and some Level 2 contracts. At Level 1, contractors can still self-attest, meaning you sign off that you meet the 17 basic practices. But that signature now carries legal weight under the False Claims Act. A senior official at your company is on record. If that attestation turns out to be false, the liability is personal, not just corporate.

Phase 2: Begins November 2026

Phase 2 is where the stakes jump significantly. Most contracts involving CUI will require third-party certification by an authorized C3PAO (Certified Third-Party Assessment Organization). Self-attestation is no longer enough. An actual assessor has to walk through your environment, evaluate your controls, and issue a certification. No certification, no contract award. No exceptions, no grace periods.

The math that should concern you: There are approximately 338,000 contractors in the Defense Industrial Base. There are roughly 88 authorized C3PAOs nationwide. Assessment calendars are already filling. The contractors who start now get access to assessors, lower costs, and time to close gaps before a contract is on the line.

What "Non-Compliant" Actually Costs You

The consequence isn't a fine or a warning letter. The consequence is simple: you can't win the contract. If a solicitation includes a CMMC requirement and you don't hold the appropriate certification or attestation on file, you are disqualified at the bid table. There is no "we're working on it" clause. There is no provisional award while you catch up.

For contractors who derive a significant portion of revenue from DoD work (and most small DIB contractors do), that's an existential risk, not an administrative inconvenience.

What You Should Do Right Now

The first step is knowing where you actually stand. Most contractors genuinely don't know. They have a rough sense that they're "mostly compliant" based on practices that were never formally evaluated. That rough sense is not sufficient anymore.

A gap assessment gives you a clear, honest picture of your current posture against CMMC requirements: which controls you meet, which you don't, and what the path to certification actually looks like for your specific environment. That information is what everything else is built on.

The contractors who move first are in the best position. That's not a sales pitch. It's the arithmetic of 338,000 contractors and 88 assessors. The queue has a front and a back.