What is CMMC Phase 1?
November 13, 2025


The DoD has made it official—the CMMC requirement for those in the Defense Industrial Base (DIB) went into effect on November 10, 2025. What that means is that CMMC certification via self-assessments will be required for Level 1 and Level 2 contractors in order to respond to DoD contracts moving forward.

The requirement impacts contractors and subcontractors that process, store or transmit certain types of government information. And this first phase of the CMMC requirement rollout marks a turning point in the DIB: Compliance with CMMC Level 1 and Level 2 requirements now directly impacts your eligibility for new work in the DoD.

What CMMC Phase 1 compliance looks like

CMMC Phase 1 requires self-assessments for prime contractors and subcontractors at the first two levels of CMMC. These organizations will need not only to provide an annual affirmation that they are in compliance, but also to submit a verified self-assessment for certification. Prime contractors are also responsible for overseeing the compliance of their subcontractors.

Level 1 and Level 2 organizations comprise the bulk of DIB contractors affected. In fact, most will find themselves in the Level 2 category.

Challenges for CMMC Phase 1 compliance

The challenges for CMMC are similar to any compliance program—FAR and 800-171 require a lot of time and effort to implement. In fact, NIST 800-171 is the more challenging of the two, requiring the implementation of 7x more security controls than Level 1.

Level 2 organizations are usually not prepared to address compliance, maintenance and reporting manually with the staff they have on hand. There just aren’t enough hours in a day. And there is complexity in applying controls across multiple environments.

Since most of you are already deep in this process, you know all the roadblocks caused by resource constraints and the requirements themselves. Implementing security controls can “break” applications or necessitate turning off functionality, requiring focused remediation when done manually. Regardless, the show must go on if you want to maintain your contracts. Failure to comply can result in losing your contract or being responsible for False Claims Act liability.

How to comply with less effort and more confidence

As early as late next year, Level 2 organizations will need to submit to third-party assessments. This means little tolerance for errors and brownie points for those with a track record of flawless compliance.

Using a unified automation solution—one that scans, remediates, reports and maintains continuous compliance in a single, integrated application—is the path of least resistance to NIST SP 800-171 implementation and CMMC compliance.

ConfigOS is the only unified automation solution proven to meet 800-171, CIS Benchmarks, STIG and other mandated government frameworks. ConfigOS enables rapid baseline configuration and continuous monitoring and remediation to maintain your certification readiness and protect your DoD contracts. It tells others in the DoD that you use the same level of rigor to make your systems compliant that they use.

CMMC certification now determines eligibility in the defense marketplace. In Phase 2 in November 2026, third-party assessment will be required for Level 2 contractors. The process is just going to get harder and more granular. To learn how you can avoid a lot of the pain associated with compliance moving forward, contact SteelCloud and see how the industry’s leading unified solution can simplify compliance for you.
