
CMMC Is Live: What Defense Contractors Need to Know About the New Compliance Timeline

Introduction

On November 10, 2025, the Cybersecurity Maturity Model Certification (CMMC) officially went live. For defense contractors, this is more than a policy update—it’s a call to action. Understanding the phased rollout and preparing early will be critical to maintaining eligibility for DoD contracts.

CMMC is designed to protect sensitive DoD information across the defense industrial base. Cyber threats are evolving, and the DoD is taking proactive steps to secure its supply chain. Contractors who start preparing now will avoid last-minute compliance challenges and position themselves competitively for future contracts.

The Four Phases of CMMC Implementation

CMMC implementation will follow a phased approach, with Level 1 and Level 2 self-assessments now required where applicable per contract requirements. Please refer to the graphic below, released by the Department of War CIO, for a visual. In 2026, 2027, and 2028 respectively, solicitations will roll CMMC requirements into their language, requiring CMMC certification as a condition for contract award. This phased rollout will continue until November 2028, at which point all DoD contracts will require applicable CMMC controls as a contract award condition. The goal of the phased approach is to give providers and assessors alike time to review, understand, and implement CMMC requirements without unnecessary ramp-up issues and impacts to defense contractors. As such, the first year of the rollout is designed to focus on the required self-assessments (Level 1 or Level 2).

[Graphic: CMMC phased implementation timeline, released by the Department of War CIO]

What Do the CMMC Levels Mean?

CMMC requirements are broken down into multiple levels, each of which varies in the number of controls and the type of assessment required to ensure compliance.

For example, CMMC Level 1 only requires a self-attestation assessment, whereas CMMC Level 3 requires a Government-led assessment. The table below provides an overview of each CMMC level.

| Focus | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Focus | Basic cybersecurity hygiene | Protecting Controlled Unclassified | Advanced cybersecurity and proactive threat |
| Requirements | 17 practices aligned with FAR 52.204-21 | 110 practices aligned with NIST SP 800-171 | ~130+ controls aligned with NIST SP 800-172 + DoD-specific |
| Assessment | Self-assessment only | Third-party certification | Government-led assessment |
| Ideal For | Contractors handling minimal sensitive data | Contractors working on projects involving CUI | Contractors handling the most sensitive DoD information |

 

Next Steps for Contractors

Every agency customer is different. Be sure that you understand the requirements set forth by your agency customers. This will help your team determine which CMMC level (1, 2, or 3) applies to your current and future contracts. This may require a conversation with your agency sponsor to clarify expectations.

Likewise, every contract is different. Be sure you review and understand contract language closely, as it will set relevant expectations and timeline details.

Once you’ve determined your agency and contract requirements, build a plan for certification at the appropriate level. CMMC Subject Matter Experts from a third party or outside organization are valuable resources your team can use to assist in building a certification roadmap and project plan. During this planning phase, be sure to engage with a certified C3PAO (if pursuing CMMC Level 2) or government assessment entity (if pursuing CMMC Level 3). The CMMC Accreditation Body maintains a marketplace that providers can use to review certified CMMC assessors and decide which assessor to engage: https://cyberab.org/marketplace

Call to Action

The clock is ticking. Start your CMMC journey today to ensure uninterrupted eligibility for DoD contracts.

InfusionPoints has extensive experience with CMMC and is ready to help Cloud Service Providers (CSPs) and defense contractors with:

  • Documentation for compliance
  • Security monitoring and continuous oversight
  • Compliance strategy tailored to your organization

For guidance on assessments, certification, and compliance strategies, reach out to InfusionPoints or visit the official DoD CMMC website. 
