Six CMMC Considerations for Phase 1

We are now in Phase 1 of the CMMC phased implementation. Effective November 10, 2025, contracting officers can start including CMMC clause requirements in solicitations. Officially, during Phase 1, organizations that handle, transmit, or store Controlled Unclassified Information (CUI) must complete a CMMC self-assessment and report scores into SPRS. However, many prime contractors and larger contractors are asking their supply chains to complete a third-party assessment by a C3PAO (CMMC Third-Party Assessor Organization). They want their supply chains to be fully secure as soon as possible.

Six Actions to Take Now that CMMC is Real

Here are six key points for organizations in the Defense Industrial Base to consider now.

  1. Clarify your data flows: Does your organization handle FCI? Does it process, store or transmit CUI? Knowing which category you fall into determines whether you need Level 1 or Level 2 readiness (or higher).

  2. Conduct a gap analysis now: If you haven’t assessed yourself against the relevant standard (e.g., NIST SP 800-171 Rev 2 for CUI), you should begin immediately. You can use our CMMC Assessment Checklist to get the self-analysis started.

  3. Develop your System Security Plan (SSP) and POA&M: Document how you meet controls, where you have gaps, and your plan to remediate them. Good documentation is foundational.

  4. Choose your readiness route and certification path: While Phase 1 may allow self-assessment for Level 2, the market signal is clear: third-party certification (via a C3PAO) is becoming standard. Treat readiness as though certification will be required.

  5. Engage supply-chain awareness: Even if you are a subcontractor, you may be asked by a prime contractor to demonstrate CMMC readiness. The flow-down of requirements is real.

  6. Build a culture of continuous compliance: The rule is not “get it done once and be done.” Annual affirmations, maintenance of compliance, and readiness for future phases are part of the journey.

CMMC and the C3PAO Ecosystem

The C3PAO enters the picture as the entity authorized to conduct independent assessments. If you need CMMC Level 2 or Level 3, you will need a CMMC third-party assessment.

The number of authorized C3PAOs continues to increase. However, there are still many more contractors and organizations than there are assessors. It is important to schedule an assessment as soon as you can, even if you are not assessment-ready right now. Make sure you reserve time on the calendar of your selected C3PAO.

The Full Roll-Out Path for CMMC

Phase 1 is the beginning of the CMMC roll out. There are two phases yet to come:

  • Phase 2 (expected ~11/10/2026) will more broadly require certification rather than self-attestation.
  • Phase 3 (around 11/10/2027) and Phase 4 (~11/10/2028) will drive full adoption across all applicable contracts.

Thus, while Phase 1 allows for some flexibility, it is not a pause on action. In fact, it should be viewed as the launch window. Organizations that delay preparation now will face compressed timelines later when certification becomes mandatory.

Questions About CMMC?

What questions can we answer for you today? If you would like to ask questions about a pending assessment or if you’d like us to quote your assessment for you, please contact us today.
