Sum IT Up: CMMC News Roundup
Episode: CMMC Phase 1: What Comes Next?
Date: November 13, 2025
Host: Summit 7
Episode Overview
In this episode, the Summit 7 hosts dive into the landscape of the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) as Phase 1 of its official rollout goes live in November 2025. With CMMC now a condition for contract award, the hosts reflect on how the program reached this point, examine the latest certification and assessment trends, decode the real meaning of CMMC Levels 1-3 for contractors, and share their predictions for what organizations should expect—and prepare for—in the pivotal first phase.
Main Discussion & Key Insights
The "New Normal": CMMC Is Here
- CMMC Status as a Contract Condition
  - As of November 2025, CMMC status is now required for new DoD contracts.
  - "CMMC status is now officially and will forever be a condition of contract award." (A, 00:07)
  - The rollout coincided with a government shutdown, creating a staggered start but quickly normalizing as agencies re-open.
Certification Growth & Ecosystem Expansion
- Rapid Certification Growth Despite Voluntary Phase
  - As of October 2025: Over 450 Level 2 CMMC certifications issued (both final and conditional statuses).
  - This marks a 280% increase since May 2025.
  - Projections: ~700 Level 2 certs by end of 2025 and over 1,000 by Q1 2026 if current trends persist.
  - "You went from zero level two certifications to over 450... without it being required." (A, 03:58)
- Assessment Capacity & C3PAO Growth
  - End of 2025:
    - ~1,400 Certified Practitioners
    - ~700 Certified Assessors
    - ~400 Lead Assessors (the main bottleneck for assessment teams)
    - ~100 C3PAOs (Certified Third-Party Assessment Organizations)
  - "400 teams or 300 teams or even 200 assessment teams is a lot of teams in terms of initial capacity..." (A, 05:17)
  - Addressed the argument that government-run assessments alone (e.g., DIBCAC) could never scale to necessary capacity.
Understanding CMMC Levels and Requirements
- Level 1: For contractors not handling Controlled Unclassified Information (CUI).
  - Indicates compliance with FAR clause 52.204-21—unchanged since 2016.
  - Self-attestation of compliance; essentially affirmation, not imposing new requirements.
  - "All CMMC level one status is saying is you are telling the government, yes, we super duper are complying..." (A, 07:05)
- Level 2: For those handling CUI.
  - Requires NIST SP 800-171 compliance (via DFARS 252.204-7012).
  - Level 2 status confirms the contractor has implemented these controls.
- Level 3: For high-priority contractors handling critical CUI (selected requirements from NIST SP 800-172, under 32 CFR 170.14).
  - Expected to become more relevant in Phase 2 (November 2026 onward), but may appear earlier in some contracts depending on DoD discretion.
- Phase 1 Focus: Official guidance suggests only Level 1 and Level 2 (mostly self-assessments), but:
  - DoD or primes can require Level 2 certification (third-party assessment) at their discretion even in Phase 1.
  - Contractors must be vigilant; requirements will only be clear when a solicitation is published—don't assume extra time.
  - "By the time you find out... it's too late for them to change it. So plan accordingly." (A, 12:10)
Predictions for Phase 1
1. Few Assessment Failures, Many False Starts (A, 14:54)
- Many companies will initiate assessments before they're truly ready ("false starts"), resulting in a significant portion told to come back later rather than outright failing.
- Roughly 25-40% of companies in voluntary assessments during the market rollout were not assessment-ready.
- "...we want you to pass, but we can't just let you pass. Right." (A, 16:19, quoting a C3PAO)
2. Early Adopters Gain Competitive Advantage (A, 17:33)
- The contractors who proactively achieve certification will win more business with fewer obstacles.
- Those delaying certification risk missing out, getting left behind, or even disappearing from the supply chain.
- "Early adopters... are easy to do business with, they don't ask for special treatment..." (A, 17:19)
3. No New Federal Subsidies or Offsets for CMMC Compliance (A, 18:35)
- Costs of compliance and assessment are expected to be built into contractor rates.
- No indication of forthcoming appropriations or tax breaks to offset these expenses.
- "No subsidies, no appropriations, no cost offsets, no tax breaks, no assistance whatsoever." (A, 18:35)
- Contractors should not rely on hypothetical future funding.
- "Did you submit a bid that was artificially low? Did we pay you for the thing you said you were going to do and you're not doing it?" (A, 19:27)
4. Accelerated/Unexpected Requirement Levels (B, 22:00)
- Level 2 and even Level 3 requirements may appear in contracts before their official phase-in dates, especially considering recent memos (e.g., Golden Dome).
- "Level two certification appearing, even level three certification appearing in contracts... I think it's going to be more common than people expect." (B, 22:15)
5. C3PAO Expansion (B, 24:43)
- Number of authorized C3PAOs expected to double (from ~100 to ~200) by end of Phase 1.
6. Prime Contractors Will Accelerate CMMC Demands (B, 26:08)
- Primes are expected to require their subs to certify faster than the DoD's phased schedule.
- "Prime contractors are going to put the gas pedal down to the floor, I believe." (B, 26:46)
7. No Waivers Early On (B, 27:56)
- Waivers for CMMC requirements will be extremely rare and unlikely in Phase 1, given tight timelines and the desire not to start with exceptions.
- "I don't think they're going to kick off the program with making concessions for people..." (B, 28:01)
- Some "bending" (e.g., substituting self-assessment) may occur in certain solicitations or components—but contractors should not count on this.
Notable Quotes & Memorable Moments
- On Rapid Growth:
  "You went from zero level two certifications to over 450. We should end the year somewhere around 700 or more. And that's without it being required." (A, 03:58)
- On Assessment Preparation:
  "It's so egregious that they can't even take your money." (A, 16:01, on companies unready for assessment)
- On Strategy:
  "Early adopters... are easy to do business with... It makes it easier for your customer to give you the work." (A, 17:19)
- On No Federal Assistance:
  "No subsidies, no appropriations, no cost offsets, no tax breaks, no assistance whatsoever." (A, 18:35)
- On Requirement Surprises:
  "Level two certification appearing, even level three certification appearing in contracts... I think it's going to be more common than people expect." (B, 22:15)
- On Risk of Waiting for Subsidies:
  "That is an astronomically unlikely scenario. I wouldn't bet my company or the livelihoods of my employees on that being how it plays out." (A, 20:46)
- On Prime Contractors:
  "Prime contractors are going to put the gas pedal down to the floor, I believe." (B, 26:46)
Important Segment Timestamps
- CMMC Now Required for Contracts (00:02–01:30)
- Certification Numbers & Assessment Capacity (01:30–06:17)
- CMMC Levels Explained (06:17–13:08)
- Analogy: Phase 1 as a Community 5K (13:08–14:27)
- Predictions for Phase 1 (14:53–22:45)
- Potential Emergence of Level 3 in Phase 1 (22:45–24:43)
- Assessment Capacity & Market Growth (24:43–26:04)
- Prime Contractors' Accelerated Demands (26:08–27:56)
- Waivers and Self-Assessment Practices (27:56–30:03)
Tone and Takeaways
The conversation is candid, filled with real-world observations from years of watching (and helping shape) CMMC's evolution. The hosts use humor and analogies (“Phase one is the community 5k”; “Alex Honnold in Free Solo”) to underline the challenging, competitive, and sometimes unpredictable landscape defense contractors now face. Their message: Be proactive, do not assume you'll have more time or help, and expect surprises as CMMC’s first phase rapidly transforms defense contracting cybersecurity.
Bottom Line:
Phase 1 is a proving ground—those who prepare and certify early will thrive, while laggards risk being left behind. DoD and primes may impose higher requirements faster than expected, and there will be few exceptions or safety nets. Prepare accordingly.
