TL;DR: CMMC enforcement now begins through defense contracts, with Level 1 or Level 2 self-assessments required at award for many suppliers and an estimated 65% of the DIB affected, according to Secureframe. The practical issue is no longer policy familiarity but contract eligibility, evidence readiness, and assessment throughput.
NHIMG editorial — based on content published by Secureframe: CMMC Deadline 2025, Phase 1 is now live and enforcement begins
By the numbers:
- As of the October CyberAB Town Hall, only 431 organizations had achieved a final CMMC Level 2 certification.
- Only 1% of DIB organizations felt fully prepared for upcoming CMMC assessments, according to CyberSheath.
Questions worth separating out
Q: What breaks when CMMC readiness is treated as an IT-only project?
A: It breaks the link between technical controls and the contractual obligations they are meant to satisfy.
Q: When should contractors prioritise CMMC work over other compliance projects?
A: Contractors should prioritise CMMC when they handle FCI, ECI, or CUI and expect to bid on or renew DoD work.
Q: What do teams get wrong about CMMC evidence collection?
A: They treat evidence as a pre-audit deliverable instead of an operating process.
Practitioner guidance
- Map contract scope to identity scope Tie each CMMC contract or solicitation to the systems, users, service accounts, and vendors that can access FCI, ECI, or CUI.
- Validate evidence before the assessment window opens Check that SSPs, POA&Ms, and SPRS scores reflect current control state, not last quarter's assumptions.
- Reduce third-party access uncertainty Inventory all vendors and partners with access to in-scope data or systems, then confirm whether their entitlements are necessary, current, and documented.
What's in the full article
Secureframe's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step CMMC Level 1 and Level 2 readiness checklists for organizations that need to prepare for assessment.
- The full 48 CFR and DFARS rulemaking timeline, including the November 10 enforcement milestone and phased rollout dates.
- Detailed guidance on evidence generation, SSP and POA&M production, and SPRS score management.
- Secureframe's automation workflow examples for continuous monitoring, remediation tracking, and auditor access.
👉 Read Secureframe's analysis of CMMC Phase 1 enforcement and readiness requirements →
CMMC Phase 1 is live: what defense contractors must do now?
Explore further
Contract-linked compliance changes the identity governance problem from periodic review to continuous proof. CMMC Phase 1 means many suppliers must demonstrate control implementation at the moment of award, not after the fact. That shifts attention toward evidence quality, scope accuracy, and entitlement governance across users, vendors, and systems. For defense suppliers, identity governance is now part of contract viability, not just audit preparation.
A question worth separating out:
Q: Who is accountable when CMMC readiness gaps delay certification?
A: Accountability sits with the programme owner and the control owners who must ensure the environment, evidence, and documentation stay consistent. In practice, compliance cannot be treated as a documentation-only task. Governance needs named owners for scope, evidence quality, remediation tracking, and final assessment readiness.
👉 Read our full editorial: CMMC Phase 1 changes defense supply chain compliance timing