Podcast Summary: Sum IT Up: CMMC News Roundup

Episode: CMMC Requirements Are Starting To Show Up
Host: Summit 7
Date: October 23, 2025

Main Theme & Purpose

This episode explores the early and decisive appearance of CMMC (Cybersecurity Maturity Model Certification) requirements in new Department of Defense (DoD) contracts and solicitations, ahead of the November 10, 2025 effective date. Hosts break down real-life examples from recent notices on SAM.gov, dispelling myths about the gradual rollout and clarifying how different levels of CMMC (Levels 1 and 2) are already being demanded across various contract types, including some unexpected areas. The goal is to showcase what defense contractors and their supply chains need to be ready for—now.

Key Discussion Points & Insights

1. The CMMC Effective Date and Immediate Enforcement

The final CMMC rule was published on September 10, 2025, and becomes effective November 10, 2025. (00:02)
Despite the ongoing government shutdown slowing SAM.gov activity, requirements are already surfacing.
“The regulation officially goes into effect on November 10th of 2025, at which point all new DoD solicitations and contracts will include at least CMMC Level 1 status requirements.” – A (00:13)

2. Debunking Myths About the "Phased Rollout"

Many believe that only CMMC Level 1 (self-assessments) will appear at first, with Level 2 arriving later.
Multiple notices demonstrate Level 2 requirements immediately for certain contract types.
“We’ve been shouting from the rooftops for a long time now…there is no prohibition on CMMC Level 2 status being a requirement and it’s totally up to DoD’s discretion...” – A (05:06)
“The belief is I’m only going to have to self-assess, I’m only going to have to do level one. The very first solicitation that we talk about. Bam.” – B (04:34)

3. Real-World Examples of CMMC in Solicitations

a. Navy (Naval Sea Systems Command) – Semiconductor Manufacturing RFI

Timestamp: 01:37–04:46

Requirement: CMMC Level 2 for companies responding to an RFI on domestic microelectronics foundry capability.
Driven by ITAR and export-control needs; Level 2 is explicitly mentioned in the notice.
Notable Quote:
- “If you’re doing microelectronics manufacturing…they’re straight up saying it’s going to be CMMC level 2…So this is a Navy Sea Systems Command RFI and they say it right there…” – A (02:44)
- “Right out of the gates, we see a contradiction to what everybody seems to think. The phased rollout begins…But here the very first solicitation…says not only is it level two…” – B (03:48)

b. US Special Operations Command (USSOCOM) – Administrative Support RFP

Timestamp: 05:25–07:53

Requirement: CMMC Level 1 as a pass/fail criterion for general management consulting services post-effective date.
Subcontractors/team members also need to be certified—entire supply chain qualifying is mandatory.
Notable Quote:
- “Prime offerors are encouraged to ensure that team members...have also completed this requirement as a prime offeror will be disqualified...” – A (06:56)
- “…if your entire supply chain has to be in order. And if it’s not in order you’re not going to get awarded this contract. You’ll just be disqualified.” – B (07:53)

c. U.S. Army Corps of Engineers – Construction Contracts

Timestamp: 08:14–13:54

Multiple notices, including construction of facilities for intercontinental ballistic missile systems (GBSD) and base housing in Japan, require CMMC Level 2 or Level 1 as a precondition.
For large construction projects (e.g., GBSD at F.E. Warren AFB), Level 2 will be enforced at the anticipated contract award in FY27.
Requirements such as asking companies to document their present CMMC certification status as early as a year before anticipated contract award.
Notable Quotes:
- “If you’re going to be making buildings that go around intercontinental ballistic missiles…you’re going to probably need CMMC level two at a minimum.” – A (10:43)
- “Everybody always applies CMMC requirements automatically to…I make a part for a missile…are we going to see this pop into this construction? One is, people don’t realize the importance of protecting maybe the blueprints…” – B (11:19)
- “They’re not saying you don’t need a Level 2 cert until FY27 because of the phased rollout. They’re saying you need a Level 2 cert in FY27 because that’s when we’re going to award the contract.” – A (12:49)

4. Army Corps of Engineers – Japan District Blanket Requirements

For all solicitations after November 10, 2025: “If your company is not certified at level one or higher, you will not be eligible to receive a contract award.” – A (15:04)
The government is setting expectations: No time for waivers, exceptions, or delays.
Notable Moment:
- “We’re seeking to minimize all of the nonsense during the bidder inquiry period. Due to strict timelines, our ability to fully analyze these requests…is often limited.” – A (16:16)

5. Other Notices & Broader Implications

Timestamp: 17:04–18:50

Even less traditional DoD work such as turbine generator replacement, housing renovation, roofing, and fuel storage is requiring at least Level 1 CMMC.
A government shutdown has delayed the flooding of such notices, but when government reopens, there will be a surge—tight timelines, little leniency.

6. Advice for Defense Contractors

Timestamp: 18:58–19:35

Contractors should not wait for CMMC requirements to show up in solicitations to begin preparations.
The phased rollout does not mean only Level 1 will apply—examples prove otherwise.
If you're not ready, you will be left behind as RFPs accelerate post-shutdown.

Memorable Quotes & Moments

“The nuclear option here is, do you have it or not?…You’re going to need this certification if you want an award, period.” – A (16:28)
“The cardinal sin of running a business is being difficult to do business with. And so the government is saying…We don’t want to spend time going back and forth with people over this requirement.” – A (16:34)
“For everybody out there that says we’re going to wait until we see it in a solicitation to believe that it’s real—here’s a couple of examples from different components, different industries, different levels, different stuff. You’re going to see the requirement in this solicitation—don’t be fooled.” – A (18:58)
“We’re getting close to single digits here from the start of the phase rollout.” – A (19:35)

Key Takeaways

CMMC requirements are active and real—don’t expect a slow, level-1-only rollout.
Level 2 is being demanded right away for high-impact sectors (e.g., microelectronics, defense infrastructure), not just basic Level 1.
The entire supply chain must conform; primes are disqualified if their subs aren’t certified.
Large construction and non-traditional contractors are also in scope—blueprints and facility specs can be Controlled Unclassified Information (CUI).
Government shutdowns may delay postings, but not requirements or deadlines.
Prepare before you see it in an RFP, or risk missing opportunities.

Podcast Summary: Sum IT Up: CMMC News Roundup

Episode: CMMC Requirements Are Starting To Show Up
Host: Summit 7
Date: October 23, 2025

Main Theme & Purpose

Key Discussion Points & Insights

1. The CMMC Effective Date and Immediate Enforcement

The final CMMC rule was published on September 10, 2025, and becomes effective November 10, 2025. (00:02)
Despite the ongoing government shutdown slowing SAM.gov activity, requirements are already surfacing.
“The regulation officially goes into effect on November 10th of 2025, at which point all new DoD solicitations and contracts will include at least CMMC Level 1 status requirements.” – A (00:13)

2. Debunking Myths About the "Phased Rollout"

Many believe that only CMMC Level 1 (self-assessments) will appear at first, with Level 2 arriving later.
Multiple notices demonstrate Level 2 requirements immediately for certain contract types.
“We’ve been shouting from the rooftops for a long time now…there is no prohibition on CMMC Level 2 status being a requirement and it’s totally up to DoD’s discretion...” – A (05:06)
“The belief is I’m only going to have to self-assess, I’m only going to have to do level one. The very first solicitation that we talk about. Bam.” – B (04:34)

3. Real-World Examples of CMMC in Solicitations

a. Navy (Naval Sea Systems Command) – Semiconductor Manufacturing RFI

Timestamp: 01:37–04:46

Requirement: CMMC Level 2 for companies responding to an RFI on domestic microelectronics foundry capability.
Driven by ITAR and export-control needs; Level 2 is explicitly mentioned in the notice.
Notable Quote:
- “If you’re doing microelectronics manufacturing…they’re straight up saying it’s going to be CMMC level 2…So this is a Navy Sea Systems Command RFI and they say it right there…” – A (02:44)
- “Right out of the gates, we see a contradiction to what everybody seems to think. The phased rollout begins…But here the very first solicitation…says not only is it level two…” – B (03:48)

b. US Special Operations Command (USSOCOM) – Administrative Support RFP

Timestamp: 05:25–07:53

Requirement: CMMC Level 1 as a pass/fail criterion for general management consulting services post-effective date.
Subcontractors/team members also need to be certified—entire supply chain qualifying is mandatory.
Notable Quote:
- “Prime offerors are encouraged to ensure that team members...have also completed this requirement as a prime offeror will be disqualified...” – A (06:56)
- “…if your entire supply chain has to be in order. And if it’s not in order you’re not going to get awarded this contract. You’ll just be disqualified.” – B (07:53)

c. U.S. Army Corps of Engineers – Construction Contracts

Timestamp: 08:14–13:54

Multiple notices, including construction of facilities for intercontinental ballistic missile systems (GBSD) and base housing in Japan, require CMMC Level 2 or Level 1 as a precondition.
For large construction projects (e.g., GBSD at F.E. Warren AFB), Level 2 will be enforced at the anticipated contract award in FY27.
Requirements such as asking companies to document their present CMMC certification status as early as a year before anticipated contract award.
Notable Quotes:
- “If you’re going to be making buildings that go around intercontinental ballistic missiles…you’re going to probably need CMMC level two at a minimum.” – A (10:43)
- “Everybody always applies CMMC requirements automatically to…I make a part for a missile…are we going to see this pop into this construction? One is, people don’t realize the importance of protecting maybe the blueprints…” – B (11:19)
- “They’re not saying you don’t need a Level 2 cert until FY27 because of the phased rollout. They’re saying you need a Level 2 cert in FY27 because that’s when we’re going to award the contract.” – A (12:49)

4. Army Corps of Engineers – Japan District Blanket Requirements

For all solicitations after November 10, 2025: “If your company is not certified at level one or higher, you will not be eligible to receive a contract award.” – A (15:04)
The government is setting expectations: No time for waivers, exceptions, or delays.
Notable Moment:
- “We’re seeking to minimize all of the nonsense during the bidder inquiry period. Due to strict timelines, our ability to fully analyze these requests…is often limited.” – A (16:16)

5. Other Notices & Broader Implications

Timestamp: 17:04–18:50

Even less traditional DoD work such as turbine generator replacement, housing renovation, roofing, and fuel storage is requiring at least Level 1 CMMC.
A government shutdown has delayed the flooding of such notices, but when government reopens, there will be a surge—tight timelines, little leniency.

6. Advice for Defense Contractors

Timestamp: 18:58–19:35

Contractors should not wait for CMMC requirements to show up in solicitations to begin preparations.
The phased rollout does not mean only Level 1 will apply—examples prove otherwise.
If you're not ready, you will be left behind as RFPs accelerate post-shutdown.

Memorable Quotes & Moments

“The nuclear option here is, do you have it or not?…You’re going to need this certification if you want an award, period.” – A (16:28)
“The cardinal sin of running a business is being difficult to do business with. And so the government is saying…We don’t want to spend time going back and forth with people over this requirement.” – A (16:34)
“For everybody out there that says we’re going to wait until we see it in a solicitation to believe that it’s real—here’s a couple of examples from different components, different industries, different levels, different stuff. You’re going to see the requirement in this solicitation—don’t be fooled.” – A (18:58)
“We’re getting close to single digits here from the start of the phase rollout.” – A (19:35)

Key Takeaways

CMMC requirements are active and real—don’t expect a slow, level-1-only rollout.
Level 2 is being demanded right away for high-impact sectors (e.g., microelectronics, defense infrastructure), not just basic Level 1.
The entire supply chain must conform; primes are disqualified if their subs aren’t certified.
Large construction and non-traditional contractors are also in scope—blueprints and facility specs can be Controlled Unclassified Information (CUI).
Government shutdowns may delay postings, but not requirements or deadlines.
Prepare before you see it in an RFP, or risk missing opportunities.

wavePod

CMMC Requirements Are Starting To Show Up

Powered by Wave AI

Summary

Podcast Summary: Sum IT Up: CMMC News Roundup

Main Theme & Purpose

Key Discussion Points & Insights

1. The CMMC Effective Date and Immediate Enforcement

2. Debunking Myths About the "Phased Rollout"

3. Real-World Examples of CMMC in Solicitations

a. Navy (Naval Sea Systems Command) – Semiconductor Manufacturing RFI

b. US Special Operations Command (USSOCOM) – Administrative Support RFP

c. U.S. Army Corps of Engineers – Construction Contracts

4. Army Corps of Engineers – Japan District Blanket Requirements

5. Other Notices & Broader Implications

6. Advice for Defense Contractors

Memorable Quotes & Moments

Key Takeaways

Summary

Podcast Summary: Sum IT Up: CMMC News Roundup

Main Theme & Purpose

Key Discussion Points & Insights

1. The CMMC Effective Date and Immediate Enforcement

2. Debunking Myths About the "Phased Rollout"

3. Real-World Examples of CMMC in Solicitations

a. Navy (Naval Sea Systems Command) – Semiconductor Manufacturing RFI

b. US Special Operations Command (USSOCOM) – Administrative Support RFP

c. U.S. Army Corps of Engineers – Construction Contracts

4. Army Corps of Engineers – Japan District Blanket Requirements

5. Other Notices & Broader Implications

6. Advice for Defense Contractors

Memorable Quotes & Moments

Key Takeaways