CMMC is Now Mandatory - Are You Ready for DoD Contracts?
As of November 10, 2025, CMMC compliance becomes a requirement for many DoD solicitations and contracts. If your organization handles FCI or CUI, now is the time to act.
CMMC is Now Contractually Mandatory
— What Every DIB Contractor Needs to Know —
What Changed: From Policy to Contract Requirement
- The regulatory foundation for CMMC has been in place since December 2024 with the adoption of 32 CFR Part 170, establishing the CMMC Program (levels, scoping, cyber hygiene standards, required assessments).
- As of November 10, 2025, a final rule amending the DFARS under 48 CFR makes CMMC compliance a binding requirement for applicable DoD contracts and solicitations. Going forward, contracting officers may — and in many cases will — include CMMC clauses (e.g. DFARS 252.204-7021) in contract solicitations and awards that involve handling of sensitive information.
Who Must Comply — And When
What kinds of contracts trigger CMMC requirements?
Any contract, task order, or delivery order where the contractor’s information systems will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Contracts exclusively for commercially available off-the-shelf (COTS) items remain exempt.
What about subcontractors?
Subcontractors are subject to the same compliance obligations — their required level depends on what kind of information they handle (FCI vs CUI). Contractors must vet and verify subcontractors’ CMMC status when flow-down obligations are invoked.
When does this apply?
- Phase 1 — starting November 10, 2025: Solicitations and contracts can include CMMC Level 1 or 2 self-assessments (and in some cases C3PAO-assessed Level 2) as a condition for award.
- Phase 2 (from ~Nov 10, 2026): C3PAO-assessed Level 2 becomes more common, depending on contract sensitivity.
- Phase 3 (from ~Nov 10, 2027): Higher-level certifications (e.g., Level 3) may be required for the most sensitive contracts.
- Full implementation by late 2028 — at that point, every applicable DoD contract is expected to include CMMC requirements (outside COTS-exempt contracts).
What Compliance Requires — Not Just a Checkbox
CMMC doesn’t create brand-new security controls — it formalizes and enforces controls many contractors may already be obligated to implement under previous clauses like DFARS 252.204-7012 and FAR 52.204-21.
What’s new is how compliance is verified:
- Contractors must maintain a documented CMMC status for each information system used in contract performance — and that status must be current, with periodic reaffirmations or reassessments depending on level.
- For Level 1: annual self-assessment and affirmation of compliance.
- For Level 2: either self-assessment or third-party assessment (by a C3PAO), with continuous compliance and periodic reassessment.
- For Level 3 (if required): assessments by the government’s DIBCAC, with full audit-style evaluation.
Additional obligations:
- Contractors must scope all information systems used for the processing/storage/transmission of FCI or CUI.
- Subcontractors must be assessed and certified (or self-assessed) at the required level before being used in contract performance.
- Contractors must maintain evidence of compliance over time. “Continuous compliance” must be affirmed periodically, not just at the time of award.
What This Means for DIB Contractors — And Why You Should Act Now
- If you plan to bid on DoD contracts that involve FCI or CUI, you must have a current CMMC status in the Supplier Performance Risk System (SPRS) — otherwise you may be disqualified from award.
- For subcontractors and suppliers at any tier: the same compliance obligations apply if they handle FCI or CUI.
- Because the rule rolls out in phases and contract-level CMMC requirements are at the discretion of the contracting office, you must monitor solicitations carefully — don’t wait until contract award to begin compliance efforts.
- For many contractors, compliance will require: system scoping, documentation (SSPs, POA&Ms, procedures, policy), technical implementation (controls, encryption, logging, access management), evidence collection, and possibly third-party certification.
In short: CMMC is a business enabler — or a gatekeeper. Without compliance, you may lose eligibility for new work or renewals.
How We at AG Grace Can Help
You Get — and Stay — Compliant
Given these new realities, many contractors are scrambling to:
- Define their system boundaries and scope FCI/CUI processing assets
- Build System Security Plans (SSPs), Policies & Procedures, and Control Traceability Matrices
- Implement required controls (access control, encryption, logging, patch/configuration management, identity/authentication, incident response, etc.)
- Collect objective evidence for compliance and readiness
- Prepare for self-assessment or third-party assessment (C3PAO or DIBCAC)
- Onboard subcontractors and ensure supply-chain compliance

That’s where AG Grace excels. With decades of experience in federal cybersecurity, compliance, and risk management, we provide:
- Comprehensive CMMC readiness assessments
- Documentation, process/policy development, and remediation planning
- Implementation support for technical controls and secure architecture
- Integration of cloud secure licensing (e.g., GCC High), hardened environments, and secure workflows
- Supply chain compliance support — including subcontractor vetting and flow-down compliance
- Training and certification preparation for internal staff (CMMC readiness, audit support, ongoing compliance)
If you are not yet ready — or you want to lock in your compliance before bid — let AG Grace guide you.