5 Things Federal Contractors Must Know About CMMC
The DoD’s long-anticipated Cybersecurity Maturity Model Certification (CMMC) rule entered Phase 1 of its implementation on November 10, 2025. This phase only impacts Level 1 and Level 2 contractors, requiring alignment with CMMC rules and self-assessments of your program. New phases will be introduced in November 2026, 2027 and 2028.
Each new phase of CMMC ups the ante for Level 2 and Level 3 contractors, making requirements more complex and requiring Certified Third-Party Assessment Organizations (C3PAOs) to perform assessments. Nearly 338,000 contractors in the DIB will be impacted by these new CMMC requirements, most of which will be Level 2 contractors.
In a survey released in September 2025, nearly half of the respondents indicated they weren’t prepared for CMMC compliance, and 42% of the contractors surveyed indicated they lacked visibility into their supply chain. If initial compliance is difficult, maintaining continual compliance over the years will surely be a juggling act. And when you have a C3PAO assessing you in coming years, the scrutiny will just become more intense.
Five CMMC facts you need to know now
We have assembled five essential truths every contractor should know about their CMMC responsibilities to help you prepare for today and for future phases of CMMC.
- Your contracts require it.
CMMC certification and contract eligibility go hand in hand. Without certification, you can’t get work in the DoD. Further, if you are awarded a contract and fail your certification, you could lose your contract. There is no way around this. If you want contracts in the DoD, you must be certified. And if you are a prime contractor with subcontractors who handle protected information, you need to be sure your supply chain is in compliance too.
- Not all levels are created equal.
There are three levels of organizations that have to comply with CMMC. Level 1 comprises companies that handle and manage Federal Contract Information (FCI). They need to comply with the 15 security requirements of FAR 52.204-2 and conduct an annual self-assessment. Levels 2 and 3 are for those who handle and manage Controlled Unclassified Information (CUI). Level 2 must comply with the 110 NIST SP 800-171 security requirements. Whether you are able to self-certify at Level 2 or need a third-party assessment depends on contract requirements. Level 3 organizations will have to comply with the 110 controls in NIST SP 800-171, plus an additional 24 from NIST SP 800-172. All Level 3 organizations will need third-party certification.
- You can’t do this alone.
CMMC requirements are too resource-heavy to manage by manual means alone, especially in multi-system environments. Auditors expect measurable, repeatable proof, and over time manual methods can’t keep up with that demand. It’s just not sustainable. You need some form of automated help to do part, or most, of the job for you.
- You need to maintain continual readiness.
The DoD expects you to always be up to date with your security requirements, so staying compliant between assessments is just as critical as passing them. That is nearly impossible to maintain manually and difficult to maintain using disparate automation tools. A unified automation solution like ConfigOS—one that scans, remediates, monitors and reports, all from the same solution—keeps you continually compliant with very little human intervention.
- You need to start now.
Delaying your CMMC certification means losing opportunities until your program is up to speed. Early adopters will win more work as a result, gaining a competitive advantage and becoming trusted contractors in the eyes of the DoD. Everyone prefers partners who are ready, as opposed to those who are struggling to catch up. Again, unified automation will get you to the finish line faster, eliminating months of manual work along the way and scaling to suit future needs and requirements.
Work smarter, not harder, with ConfigOS.
CMMC is no longer something off in the distance. It’s live and impacting contracts as we speak. Automation is the key to quickly and affordably establishing compliance—in fact, it is usually more cost-effective than the methods contractors are using today. Automation is also key to maintaining a compliance advantage effortlessly moving forward.
SteelCloud’s ConfigOS is the only unified solution for fully automating the NIST standards associated with Level 2 and Level 3 compliance. It is proven across the DoD and is the solution they use to comply with their own mandates. Many in DoD cybersecurity know us by name. Feel free to ask them about SteelCloud’s ConfigOS.
For more about CMMC, download our free ebook, CMMC for Dummies or request a demo of ConfigOS.