Happy CMMC Day!

by Stuart Itkin | CRO and Chief Security Evangelist

November 10th marked an important milestone: the Cybersecurity Maturity Model Certification (CMMC) is now officially in effect. CMMC requirements can now be added to Department of Defense (DoD) contracts and solicitations. For the Defense Industrial Base (DIB), this begins a new chapter where cybersecurity readiness is not optional; it’s a contractual expectation. Having a current CMMC Status (a final or conditional CMMC certification) is now a condition of award for contracts that contain the DFARS 252.204-7021 clause.

The Four-Phase Rollout

The DoD is introducing CMMC through a phased approach to help contractors adapt and allow assessment capacity to scale.

Phase 1: November 2025-November 2026
During Phase 1, organizations must complete a NIST 800-171 self-assessment to be contract-eligible, although the DoD may, at its discretion, require a C3PAO assessment for those with Level 2 requirements. For Level 2, a score of 110 is required, although a conditional certification can be granted with a score of 88 if all mandatory controls are scored as “MET”. All POA&M items must be remediated and verified within 180 days, or the conditional certification will be rescinded.

Phase 2: November 2026-November 2027
Those with Level 2 requirements must complete a C3PAO assessment.

Phase 3: November 2027-November 2028
Those with Level 3 requirements must complete a DIBCAC assessment. Renewal of an option period for a Level 2 contract requires passing a C3PAO assessment.

Phase 4: November 2028 and beyond
CMMC requirements will apply to all DoD contracts.

Preparation Requires Time and Investment

Meeting CMMC requirements isn’t quick or simple. Implementing controls, fixing gaps, gathering evidence, documenting processes, and preparing for assessments require planning, resources, and sustained effort. Even organizations that follow NIST SP 800-171 often discover extra work is needed to pass a formal assessment.

How FutureFeed Helps

FutureFeed reduces the time, cost, and risk of becoming—and staying—CMMC compliant by providing:

  • A centralized system of record for policies, evidence, tasks, and documentation
  • Automated workflows and clear requirement mapping
  • Real-time insight into status, gaps, and readiness
  • Long-term support to maintain compliance between assessments

With CMMC now active, the organizations that prepare early will be best positioned to retain and win DoD business. FutureFeed can help make that journey faster, easier, and more predictable.
