
CMMC Is Live. Here’s What Level 1 Actually Requires.


CMMC enforcement started in November 2025. If your company handles federal contract information and you haven’t done a self-assessment yet, you’re already behind. The Department of Justice has made it clear that saying you comply when you don’t is a legal problem, not just an administrative one.

Key Highlights

  • The Department of Defense has begun enforcing the Cybersecurity Maturity Model Certification (CMMC), making compliance a concrete requirement for the Defense Industrial Base.
  • Phase 1 began in November 2025, requiring contractors handling Federal Contract Information (FCI) to complete a CMMC Level 1 self-assessment.
  • The Department of Justice is actively enforcing cybersecurity requirements through the False Claims Act: knowingly certifying compliance you don’t have brings civil penalties and treble damages, and in at least one case criminal charges have followed.
  • CMMC Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21, the basic cyber hygiene needed to protect Federal Contract Information.
  • With Phase 2 mandating third-party assessments starting in November 2026, the window for self-assessment and remediation is narrowing.

Understanding CMMC 2.0 Compliance in 2026

The CMMC 2.0 framework gives the Department of Defense a cleaner way to verify that its supply chain is following sound cybersecurity practices, and your CMMC status connects directly to your ability to win a contract award. There are three levels. Level 1 (Foundational) covers the 15 basic safeguarding requirements of FAR 52.204-21 for Federal Contract Information (FCI). Level 2 (Advanced) requires the 110 security requirements of NIST SP 800-171 for the more sensitive Controlled Unclassified Information (CUI), and Level 3 (Expert) adds selected requirements from NIST SP 800-172 on top of that.

Getting ready starts with knowing which level applies to your defense contracts, which depends on whether the contract involves only FCI or also CUI. From there, you put the appropriate security controls in place. Level 1 now requires only an annual self-assessment and affirmation, which matters for small businesses that don’t have a full compliance team. That said, the DFARS 252.204-7021 clause now appearing in new solicitations, layered on top of the FAR 52.204-21 basic safeguarding clause that has been in contracts for years, makes these requirements a condition of award rather than a recommendation. Know what’s expected, and keep the enforcement dates in front of you.

Key Dates: Phase 1, Phase 2, and What “Live” Means for You

The CMMC Final Rule is in effect. The phased rollout of enforcement has officially started, and when we say “live,” we mean CMMC requirements are appearing in new government contracts right now. Your ability to bid on those contracts depends on meeting them.

Phase 1 enforcement started in November 2025. Contractors seeking work that involves only Federal Contract Information must complete a CMMC Level 1 self-assessment and submit an annual affirmation; contractors handling CUI must complete a Level 2 self-assessment in this phase. For smaller contractors, Level 1 is the immediate priority. Phase 2 introduces third-party (C3PAO) assessments for certain Level 2 contracts and starts in November 2026. That sounds far off. It isn’t.

According to Accorian’s 2026 CMMC readiness analysis, only about 1% of contractors are currently considered audit-ready. That gap matters because the remediation window between now and Phase 2 is the same window you have to fix things before a third party is checking your work.

Phase     Start Date       Requirement for Small Contractors
Phase 1   November 2025    Annual Level 1 self-assessment and affirmation for contracts with FCI.
Phase 2   November 2026    Third-party assessments begin for some Level 2 contracts.

Who Needs to Meet CMMC Level 1 Requirements

If your organization works with, stores, or transmits Federal Contract Information as part of a Department of Defense contract, CMMC Level 1 applies to you. This covers the entire Defense Industrial Base: prime contractors working directly with the DoD, and subcontractors who receive work further down the supply chain. FCI, in short, is information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service. It excludes information the government itself makes public (such as content on public websites) and simple transactional information needed to process payments.

In practical terms, if your work touches any non-public contract data, you need at minimum a Level 1 baseline. Beyond that, you must record your Level 1 self-assessment results and the annual affirmation in the Supplier Performance Risk System (SPRS). Unlike the NIST SP 800-171 self-assessment used at Level 2, Level 1 has no partial score: every one of the 15 requirements must be MET for the assessment to count. If you can’t demonstrate that you meet the foundational requirements, you lose eligibility for new DoD work. For companies whose revenue depends on federal contracts, that’s not a paperwork problem. It’s a business continuity problem.

Core Requirements of CMMC Level 1 Compliance

CMMC Level 1 is about basic cyber hygiene. Specifically, it’s built around protecting Federal Contract Information through the 15 basic safeguarding requirements of FAR 52.204-21(b)(1). These practices fall into six domains: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. None of them are exotic. Most are things a reasonably organized company should already be doing.

To meet the requirements, you implement the controls and document how each one is met. The rule formally requires a system security plan only at Level 2, but writing one at Level 1 is the practical way to do this: it becomes your compliance map, showing how each of the 15 practices is met in your actual environment, and it is the evidence you fall back on if a certification is ever questioned. One thing worth noting: at Level 1, there are no plans of action and milestones allowed for incomplete items. Either the control is in place or it isn’t. That distinction is different from how Level 2 handles gaps, where a limited, time-boxed POA&M is permitted, and it catches some contractors off guard.

The 15 Foundational Security Practices Explained in Plain Language

These 15 practices aren’t complicated. They’re the kind of baseline security requirements that reduce obvious risk without creating significant operational friction. Taken together, they cover who can access your systems, how you handle and dispose of media holding contract information, how you protect your physical environment, and how you keep systems patched and free of malware. Think of them as the floor, not the ceiling.

A few of the more commonly misunderstood ones are worth spelling out:

  • Limit access to systems based on job function. Not everyone needs access to everything.
  • Assign unique IDs so each user has their own login. Shared accounts create accountability gaps.
  • Control what goes on public-facing systems. Be deliberate about what information is externally visible, and keep publicly accessible systems (a public web server, for example) on a separate network segment from internal systems.
  • Handle media properly. USB drives, hard drives, and similar media containing sensitive data need to be sanitized or destroyed before disposal.
  • Secure physical spaces. Server rooms and areas where contract data is handled need physical access controls.
  • Escort visitors in controlled areas and keep logs of who comes and goes.
  • Monitor and control your network perimeter. Watch what’s coming in and going out at the boundary between your network and the outside world, and block what isn’t authorized.
  • Keep systems patched and protected from malware. Identify and fix known flaws in a timely manner, run anti-malware protection on every endpoint, keep its signatures current, and scan files from external sources (downloads, email attachments, removable media) when they arrive.

The full list, with the assessment objectives for each requirement, is in the DoD’s CMMC Level 1 Self-Assessment Guide, and it’s worth reading through with your actual environment in mind rather than in the abstract.

What’s Changed in Level 1 Under CMMC 2.0

The simplification under CMMC 2.0 is real. The biggest shift for Level 1 is the move away from required third-party audits. Annual self-assessment replaced that model entirely. Your company assesses itself against the 15 requirements, and a senior company official submits an annual affirmation in SPRS confirming compliance. For small businesses that previously faced expensive third-party assessments, this change matters quite a bit.

The tradeoff, however, is that responsibility now falls squarely on you. The Department of Justice has been explicit about this. DOJ enforcement under the False Claims Act has escalated considerably: $52 million in FCA cybersecurity recoveries in 2025 alone, representing more than a tripling from the prior year. The Swiss Automation settlement, where a small contractor paid $421,000 for falsely certifying compliance, is a concrete example of what happens when attestation doesn’t match reality. There’s also been a first criminal case tied to cyber-related FCA fraud. Taken together, self-attestation is not a lower bar. It’s a different kind of accountability.

Best Practices for Achieving and Maintaining CMMC Level 1

Getting to Level 1 is only part of the work. Staying there requires treating cybersecurity as ongoing rather than periodic. The practical starting point is a gap analysis: compare your current environment against all 15 required practices and identify what’s missing. That gives you a clear remediation path before your self-assessment, rather than discovering gaps after the fact.

From there, the system security plan needs to be a living document. Update it when your systems change. Since plans of action aren’t permitted at Level 1, everything has to be working before you submit your annual affirmation. A common failure point is documentation: companies implement the controls but don’t maintain the evidence to show it. Collecting and organizing that evidence as part of your regular risk management process, then, saves significant time when assessment cycles come around.

Training Staff and Establishing a Culture of Cybersecurity

Your people are where most security failures actually happen. Building a real information security culture means going beyond a once-a-year training session. Everyone in the organization should understand their role in protecting Federal Contract Information, know how to spot phishing attempts, and be clear on how FCI gets handled day to day. That training, moreover, needs to be grounded in your system security plan rather than general awareness content pulled from somewhere else.

The structural pieces reinforce the cultural ones. Individual user accounts instead of shared logins, consistent physical access logs, and clear escalation paths for anything that looks suspicious: these aren’t just compliance checkboxes. They’re habits that make the annual affirmation process easier and keep your organization genuinely more secure. When security practices are embedded in daily work rather than treated as an audit exercise, they actually hold.

Partnering with Experts for Successful CMMC Compliance

For small contractors without a dedicated IT or compliance team, CMMC requirements can feel overwhelming. Working with CyberGlobal Philadelphia gives you a concrete path forward. We start with a gap assessment that shows you exactly where your environment stands against the 15 Level 1 requirements. From there, we help close the gaps, build the documentation trail, and make sure your assessment results are accurate and supportable.

We also help you think through subcontractor compliance, which is something that gets missed more often than it should. If a subcontractor in your supply chain isn’t meeting CMMC requirements, that creates exposure for you as the prime. Our team understands how the Defense Federal Acquisition Regulation Supplement applies at different tiers and can help you make sure your obligations extend appropriately. Ultimately, losing DoD contract eligibility because of a gap that was fixable is the outcome we’re working to help you avoid.

Frequently Asked Questions

What happens if my organization is not ready for a CMMC Level 1 assessment?

If you’re not ready and submit an affirmation anyway, you’re creating False Claims Act exposure. If you don’t submit, you lose contract eligibility for any DoD work whose solicitation carries a CMMC level requirement. The remediation window is open now. Use it before the CMMC clauses in new solicitations make the gap a lost contract rather than an internal to-do item.

How long does it take to complete a Level 1 self-assessment?

Timing depends entirely on your current state. If your system security plan is current and your evidence is organized, a few days is realistic. Starting from scratch takes weeks. Either way, working through every assessment objective against your real environment takes time that most small contractors underestimate.

Is there a cost associated with CMMC Level 1 self-assessment for small businesses?

The DoD doesn’t charge a fee for self-attestation. The real costs are internal: staff time, documentation work, and entering your results into the Supplier Performance Risk System. Many contractors also budget for outside help, especially if a gap assessment turns up controls that need remediation before the annual affirmation can be submitted.
