Nov. 10, 2025
Beginning Today CMMC Clauses May Be Added To DoD Contracts
Beginning today, November 10, 2025, Department of Defense (“DoD”) contractors may begin to see Cybersecurity Maturity Model Certification (“CMMC”) clauses included in contracts, solicitations, contract modifications, the exercise of contract options, or performance extensions. As a result, CMMC compliance will be a prerequisite for contract award or modification for some defense contractors.
November 10 also marks day one of the first of the DoD’s four CMMC phases. During Phase 1, the DoD will include the requirements for CMMC Level 1 Status with a self-assessment and CMMC Level 2 Status with a self-assessment in contracts where contractors are expected to handle Federal Contract Information ("FCI") or Controlled Unclassified Information ("CUI"). At its discretion, the DoD may also include the requirement for CMMC Level 2 Status with a CMMC Third-Party Assessment Organization (“C3PAO”) assessment. The next CMMC phase, Phase 2, is expected to begin on November 10, 2026.
CMMC is a framework for assessing a contractor’s information security protections. CMMC Level 1 applies to defense contractors that handle FCI and incorporates the 15 basic safeguards set forth in Federal Acquisition Regulation (“FAR”) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. FCI is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. Importantly, CMMC Level 1 Status must be final for award. In other words, contractors that must achieve Level 1 CMMC Status as a condition of contract award may not have outstanding plans of action and milestones and must have implemented the 15 basic safeguards set forth in FAR 52.204-21.
Defense contractors that handle FCI and receive a contract or contract modification with a CMMC Level 1 clause will be expected to:
- Self-assess, achieve, and maintain compliance with CMMC Level 1 (the 15 basic safeguards of FAR 52.204-21);
- Flow down the CMMC Level 1 requirements to relevant contractual instruments (except for contractual instruments solely for the acquisition of commercial off-the-shelf (COTS) items, i.e., unmodified goods sold in substantial quantities in the commercial marketplace);
- Affirm continuous compliance with the CMMC Level 1 requirements for each relevant information system and for each required CMMC Level 1 self-assessment; and
- Report the results of each CMMC Level 1 self-assessment of any relevant contractor information system.
CMMC Level 2 applies to defense contractors that handle CUI and incorporates the 110 security controls set forth in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2. CUI is information the Government creates or possesses, or information an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Defense contractors that handle CUI and receive a contract or contract modification with a CMMC Level 2 clause will be expected to:
- Self-assess (or, as applicable, undergo a C3PAO assessment of), achieve, and maintain compliance with CMMC Level 2 (the 110 security controls of NIST SP 800-171 Rev. 2);
- Flow down the CMMC Level 2 requirements to relevant contractual instruments (except for contractual instruments solely for the acquisition of COTS items);
- Affirm continuous compliance with the CMMC Level 2 requirements for each relevant information system and for each required self-assessment or C3PAO assessment; and
- Report the results of each CMMC Level 2 self-assessment of any relevant contractor information system.
The DoD predicts that CMMC will affect more than 300,000 defense contractors, more than two-thirds of which are expected to be small businesses. The typical timeframe for achieving CMMC compliance is expected to range from six to twelve months. DoD contractors that have not already done so should therefore begin working toward CMMC compliance now by:
- Assessing whether their own information systems are used to process, store, or transmit FCI or CUI pursuant to a Government contract;
- Identifying each contractor information system used to process, store, or transmit FCI or CUI;
- Considering whether subcontractors or non-COTS vendors handle or will handle FCI or CUI;
- Identifying the likely required CMMC level based on the nature of the information currently handled or likely to be handled in the future;
- Planning for management of the flow down of any applicable CMMC requirements to subcontractors and non-COTS vendors; and
- Assessing whether an enclave strategy (isolating FCI and CUI to a defined subset of systems so that only those systems fall within the assessment scope) is feasible and advisable.
Nelson Mullins has assembled a Task Force to support clients in preparing for CMMC compliance. Our team brings together expertise in federal contracting, privacy, and cybersecurity. Ask us how the Nelson Mullins Team can help defense contractors get CMMC ready.
