The CMMC Implementation Conference (CEIC West) brought together leaders from across the cybersecurity and defense landscape. As a Cyber-AB Registered Practitioner Organization, we keep a pulse on all the latest CMMC insights: the time to prepare for Cybersecurity Maturity Model Certification (CMMC) compliance is now.
Here’s what government contractors, especially small to mid-sized businesses, need to know.
-
The Clock Is Ticking on DFARS 252.204-7021
According to CEIC West, the final rule for DFARS 252.204-7021 is expected to drop between June and July 2025. Once it does, the CMMC requirements it enforces will become mandatory in new contracts. That means your eligibility to win or keep DoD work will depend on being CMMC-compliant.
If your team is treating CMMC as a “someday” problem, it’s time to rethink.
-
CMMC Phase I Begins September 2025
CMMC Phase I is expected to go live between August and September 2025. From that point forward, any new contract will require one of the following:
- CMMC Level 1 Self-Assessment (for handling only Federal Contract Information, or FCI)
- CMMC Level 2 Self-Assessment (for Controlled Unclassified Information, or CUI)
- CMMC Level 2 Certification Assessment (conducted by a C3PAO)
Contracts awarded after September 2025 may include CMMC requirements. Contractors must prepare now to avoid losing eligibility for DoD contracts.
-
Conditional Level 2 Status: Not a Free Pass
If you’re aiming for Level 2 certification but aren’t quite ready, you may qualify for Conditional Level 2—but it’s not easy. To earn this temporary status:
- You must score 80% or higher (at least 88 out of 110 NIST SP 800-171 requirements)
- Submit your score and documentation to SPRS
- Have zero open POA&Ms on critical controls
You need to be nearly audit-ready just to start the 180-day clock.
-
180 Days to Full Compliance
Once you’re granted Conditional Level 2, you’ll have 180 days to:
- Fully implement all 110 controls
- Close out remaining POA&Ms
- Pass a follow-up closeout assessment
If you miss the deadline? You’re ineligible to perform on the contract.
-
It’s Not Just About New Contracts
Existing contracts with future option years or subcontract renewals can still be impacted retroactively. If your subs aren’t compliant, your prime contract could be in jeopardy.
Ask your team: Are we ready to prove compliance at all levels of our supply chain?
-
No Grace Period After the Final Rule Hits
For contracts awarded after DFARS 7021 becomes final, you must prove compliance before award. There is no 180-day grace period.
That means waiting until fall 2025 could lock you out of the next round of awards.
-
Questions You Should Be Asking Now
If you’re not already asking these internally, you should be:
- Sales: Are we pursuing contracts that close after September 2025?
- Production: Are our systems ready to operate in a compliant environment?
- Supply Chain: Are our vendors documented and compliant?
This isn’t just a cybersecurity project; it’s a business survival strategy. Compliance takes planning, coordination, and expertise across IT, legal, HR, and operations.
At Alluvionic, we make CMMC compliance approachable and achievable. We simplify complex requirements, manage implementation efficiently, and keep your business moving.