The DFARS acquisition rule (48 CFR) took effect November 10, 2025, authorizing DoD contracting officers to include CMMC requirements in new solicitations. Phase 1 focuses on Level 1 and Level 2 self-assessments. Third-party C3PAO assessments become broadly required approximately one year after Phase 1 begins (late 2026). Full enforcement across all applicable contracts is projected by November 2028. Contractors who have not started the process risk losing bid eligibility before full enforcement arrives, C3PAO scheduling backlogs are already a real constraint.

Level 1 applies to contractors handling only Federal Contract Information (FCI), requires 17 basic security practices, and allows annual self-assessment. Level 2 applies to most contractors handling Controlled Unclassified Information (CUI), it maps to all 110 practices in NIST SP 800-171 Rev 2 and requires third-party assessment by a C3PAO for most covered contracts. Level 3 applies to contractors supporting the highest-priority DoD programs, requires government-led assessment, and incorporates additional controls from NIST SP 800-172. Most defense contractors fall under Level 2.

A gap assessment evaluates your environment against all 110 NIST SP 800-171 practices across 14 control families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. The assessment includes document review, technical evaluation, and staff interviews. For a small to mid-size organization, a thorough gap assessment typically takes 3-6 weeks and produces a scored findings report with a prioritized remediation roadmap.

The Supplier Performance Risk System (SPRS) is where contractors must post their NIST SP 800-171 self-assessment scores. Scores range from -203 to +110. Contracting officers review SPRS scores when evaluating bids, a missing entry or a very low score raises immediate flags during source selection. Submitting an inaccurate score carries False Claims Act exposure; multiple DoD contractors have faced civil enforcement actions for inflated self-assessments. Maintaining an accurate, current, documented SPRS score is a priority action regardless of where an organization is in the formal CMMC certification process.

Yes. DFARS clause 252.204-7021 requires prime contractors to flow CMMC requirements down to any subcontractor that will process, store, or transmit CUI as part of performing a covered contract. A subcontractor does not need to contract directly with DoD to be in scope, if the prime passes CUI to the sub, the sub is subject to the same CMMC level required by the prime's contract. This is one of the most common compliance gaps in the defense supply chain: subcontractors assuming the prime's certification covers them. It does not.

A System Security Plan (SSP) is the primary documentation artifact for CMMC Level 2. It must describe the system boundary, the categories of CUI in scope, how each of the 110 NIST SP 800-171 practices is implemented (or planned for implementation via POA&M), hardware and software inventory, network diagrams, user roles and access levels, and interconnections with external systems. C3PAO assessors evaluate the SSP for completeness and internal consistency, then test it against observed system configurations, audit logs, and workforce practices. An SSP written to satisfy a checkbox rarely survives formal assessment scrutiny.

POA&Ms are permitted at CMMC Level 2 for both self-assessments and C3PAO assessments, but with significant constraints. All items on a POA&M must be remediated within 180 days of the CMMC Status Date. Certain high-priority controls are not deferrable, they must be fully implemented before a certification can be issued. Contractors who enter an assessment with unresolved critical controls risk a conditional certification or a failed outcome. POA&Ms should be used for genuine close-out items, not as a strategy to defer foundational controls.

If your MSP accesses, stores, processes, or transmits CUI as part of managing your environment, the MSP's systems and practices fall within your CMMC assessment boundary. A C3PAO assessor will evaluate whether your MSP meets the security requirements that apply to your environment, and if the MSP can't demonstrate compliance, those gaps appear in your assessment results, not theirs. Selecting an MSP with CMMC-aligned security practices and the ability to produce supporting documentation is a compliance decision, not just a vendor preference.

A failed C3PAO assessment means no certification is issued, which blocks award of contracts requiring Level 2 certification until gaps are remediated and a follow-on assessment is completed. Contracts in process may be affected depending on the timing relative to award. Under DFARS 252.204-7021, contractors must achieve the required CMMC level before contract award, not after. A failed assessment also results in a revised SPRS entry reflecting the deficient posture, which contracting officers can see during source selection for other bids. The downstream effects extend beyond the specific assessment that triggered the failure.