
CMMC in 2025: What Phase 1 Means for DoD Contractors (and What To Do Now)
The quick take
CMMC is rolling out via a 4-phase plan over ~3 years. Phase 1 starts 60 days after the final 48 CFR acquisition rule is published and begins with self-assessments appearing in select solicitations. Plan now so you’re not scrambling when the clause lands in your RFP.
Where we are in the process
- Program structure: DoD will phase in requirements—starting with self-assessments and ramping to full certification requirements.
- Rule status: DoD sent the final 48 CFR rule to OIRA on July 22, 2025, signaling contract language could start showing up as early as Q4 2025, then expand during the three-year rollout.
What Phase 1 likely requires
- Level 1/Level 2 self-assessments for some awards (Contracting Officers have discretion to include Level 2 certification in certain cases).
- Reporting to SPRS and attention to POA&Ms so you can show credible progress.
30-day action plan
- Confirm scope: Identify where FCI/CUI lives; map data flows and systems.
- Close the gaps: Align to NIST 800-171 practices for Level 2; prioritize access control, logging, vulnerability/risk management.
- Tighten evidence: Centralize policy/procedure docs, screenshots, configs, and log samples.
- Prep for the clause: Socialize DFARS 252.204-7021 requirements with executives and subs; build contract-by-contract readiness.
- Book help early: Capacity for assessors and consultants will tighten as solicitations go live.
How Privaxi helps
- Readiness sprints (gap analysis, remediation roadmap, evidence pack setup)
- Compliance as a Service (ongoing patch/vuln cadence, control health checks, artifact collection)
- C3PAO prep (mock interviews, artifact reviews, assessor Q&A run-throughs)
Need a 30-day plan? Talk to us about CMMC readiness and Compliance as a Service (formerly CAMP).
