
CMMC What You Need To Know

CMMC has shifted from a long‑anticipated regulatory concept to an immediate operational requirement. For years, contractors operated under a self‑attestation model that varied widely in quality and rigor. That era is over. With the final rule published and the phased rollout underway, CMMC is now a pre‑award gate: if you are not compliant, you cannot bid. Period. Hard stop.


At its core, CMMC is about protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). 


Level 1: Covers basic safeguarding for organizations that only touch FCI. 

Level 2: Applies to the vast majority of contractors handling CUI and requires full alignment with NIST SP 800‑171. 

Level 3: Reserved for the most sensitive environments and incorporates enhanced controls from NIST SP 800‑172.


The level you need is determined by the data you touch, not your size or revenue. This is a data‑driven compliance regime, not a maturity model based on organizational complexity.


The deadlines are non‑negotiable. Phase 1 began on November 10, 2025, requiring Level 1 and Level 2 self‑assessments before award. Phase 2, beginning November 10, 2026, introduces mandatory third‑party assessments for Level 2 contracts involving critical CUI. Phase 3, starting November 10, 2027, brings Level 3 assessments into scope. By November 10, 2028, CMMC is fully enforced across all DoD solicitations. These dates determine who stays eligible for work and who is sidelined.


A critical part of readiness is understanding the forms and documentation contractors must complete. Every organization must maintain a System Security Plan (SSP) that accurately describes its environment, controls, and boundaries. A Plan of Action and Milestones (POA&M) is required for any gaps, with strict limits on what can remain open at assessment time. Scoping documentation, asset inventories, network diagrams, and CUI data flows are mandatory for all levels. Most importantly, contractors must submit a current NIST SP 800‑171 assessment score and annual affirmation into the Supplier Performance Risk System (SPRS).


For Level 2 third‑party assessments, firms must prepare a full evidence package for their C3PAO. 


Level 3 organizations must manage all artifacts through eMASS. None of this is optional, and none of it can be assembled reactively.


The strategic reality is clear: CMMC is not an IT project. It is a contract‑eligibility requirement that touches governance, procurement, subcontractor oversight, and executive accountability. Organizations that treat CMMC as a checkbox exercise will struggle.


Give us a call; we can assist in your readiness.


Timcke Risk Management, LLC

660 Massachusetts Ave

6th Floor, Boston, MA 02118

 

© 2025 by Timcke Risk Management, LLC
