Sum IT Up: CMMC News Roundup, September 4, 2025
Episode: Defense Contractors are Betting Their Companies on THIS Assumption About CMMC Phase 1
Host: Summit 7 Team (Jacob, Daniel)
Main Theme:
Examining widespread assumptions among defense contractors that only Level 2 self-assessments—NOT certification assessments—will be required during the first 12 months (“Phase 1”) of the CMMC phased rollout, challenging this belief by reviewing the primary policy sources and discussing what contractors should realistically expect.
Episode Overview
The hosts analyze whether Department of Defense (DoD) policy guarantees that only Level 2 self-assessments will be enforced during CMMC Phase 1, or whether discretionary Level 2 certification assessments could be required from the onset. They systematically review the relevant rules, memos, and guidance documents, clarifying the risks contractors take if they bet their company on the wrong interpretation.
Key Discussion Points & Insights
1. Background: The CMMC Phased Rollout and Current Contractor Sentiment
- Rulemaking Watch: Everyone’s awaiting the publication of the 48 CFR CMMC final rule, which will trigger CMMC implementation in four 12-month “phases.”
- Central Question: In those first 12 months, will contractors only be allowed to self-assess, or might some have to complete a Level 2 certification assessment (C3PAO-audited) as a condition of contract award?
- Common Contractor Belief: Many believe only self-assessments are required in Phase 1.
- Hosts’ Position: Policies do not guarantee that and contractors risk losing business if they assume so.
- "I would feel very guilty if I led someone to a conclusion and they ended up holding the bag... needing to get a Level 2 certification assessment." — Jacob [00:47]
2. Analysis of CMMC Policy Documents
A. 32 CFR 170 – The CMMC Program Rule (December 2024)
- Key Section: 170.3, Paragraph E (Applicability)
  - DoD will use a phased approach to include CMMC requirements in contracts.
  - In Phase 1, DoD “intends” to require either Level 1 self-assessment or Level 2 self-assessment for applicable contracts.
  - Crucially: Rule language states DoD may at its discretion require Level 2 C3PAO certification in lieu of self-assessment.
- Ambiguity:
  - “Discretion” is undefined.
  - “Who” exercises it is only later clarified (program managers).
  - “Applicability” remains vague.
- "At this point, it's pretty obvious someone's getting a level two certification assessment." — Jacob [10:06]
B. DoD Memo – January 2025: Implementing the CMMC Program
- Purpose: Guidance for PMs on determining required CMMC assessment level for contracts.
- Key Assertion:
  - At the conclusion of the phase-in period, contracts will require various levels as appropriate.
  - Memo does not prohibit Level 2 certifications in Phase 1.
- Attachment 1: Provides a guide for PMs on level assignment:
  - If contract involves certain CUI types (e.g., Controlled Technical Information, DCI, NUCLEAR-related info): Level 2 certification (C3PAO) is the minimum requirement.
  - If contract involves only FCI: Level 1 self-assessment.
  - Level 2 self-assessment for other types of CUI.
- "If you have those types of data...the applicable requirement at a minimum...is CMMC Level 2 certification as spelled out in Attachment 1..." — Jacob [19:30]
C. DoD Memo – July 2025: Resources for Implementing CMMC
- Restates key points:
  - PMs “should include CMMC self-assessment requirements in applicable solicitations and contracts.”
  - Specific note: “In some procurements DoD may implement CMMC requirements in advance of the planned phase.”
- No change or clarification: The same ambiguity persists.
- "Spoiler alert. There isn't [a clear answer]." — Jacob [24:45]
D. Preamble & Public Comment Responses in the Rule
- DoD acknowledged that “a majority” (but not all) Phase 1 contracts would only require self-assessment.
- PMs will be monitored for their use of discretion (suggesting it will indeed be exercised in at least some cases).
3. Practical Implications & Advice
- Prime-Sub Relationship:
  - Even if policy for primes is ambiguous, primes may flow down stricter requirements to subs at their own discretion, potentially from day one.
- Unpredictability:
  - PMs might require certification wherever sensitive CUI is involved.
  - "I'm becoming more inclined that I will get a certification because they're going to have a little cheat sheet on their desk...Navy? Oh, we're doing this. Okay, perfect. Certify even during phase one." — Daniel [24:21]
- Backlogs & Timing:
  - Even in the best case (pure self-assessment), delays in starting preparation could mean missing out once certification becomes required as backlogs for C3PAO assessments grow.
  - Large primes will likely push certification requirements to their supply chain preemptively.
4. Memorable Quotes and Moments
- "People are looking at this in an absolute way, they're saying there will be zero Level 2 self assessments. But to your point, we don't know what discretion means. We don't know what applicability means." — Jacob [08:13]
- "The DoD is a little upset at the DIB, quite honestly. They didn't do the DFAR 7012 thing...Congress said go do this CMMC thing and make sure it doesn't happen again." — Daniel [15:59]
- "If you're going to make a bet that you're not going to get a certification requirement, you're taking a big risk because you could be wrong." — Jacob [12:14]
- "You gotta play business roulette with this. Make an appropriate level decision of risks that you think you can handle. But don't come back to Jacob, don't come back to me and say Summit 7 said I can self attest forever." — Daniel [34:02]
- "There is no explicit policy anywhere that…says…there will only be Level 2 self assessments during the first 12 months..." — Jacob [29:45]
5. Concluding Advice
- There is genuine risk in assuming only self-assessments will be allowed in Phase 1. Actual requirements will depend on the contract, the data, program manager decisions, and prime contractor preferences.
- No DoD-issued policy document grants a blanket moratorium on Level 2 certifications for Phase 1.
- Contractors should read and interpret the guidance independently, and make an informed, risk-based decision, not simply follow prevailing industry sentiment.
- "If you make the wrong decision during phase one, that could be the last decision that you make for that company. And we don't want to see that happen to anybody." — Jacob [34:38]
Timestamps for Key Segments
- [00:02–02:54] — Setting up the central question; widespread assumptions in the industry
- [02:54–11:21] — Dissecting the 32 CFR rule and meaning of “discretion” and “applicability”
- [11:21–14:19] — Prime/sub contract dynamics and the risks for subs
- [14:19–22:21] — Deep dive into January Memo and Attachment 1: What triggers Level 2 certification requirement?
- [22:22–24:39] — Anecdotal evidence and projections on how PMs and primes might act; practical risk assessment
- [24:39–29:45] — Review of July Memo and persistent lack of definitive answers; summary of ambiguity
- [29:45–34:38] — Consequences of betting on the wrong interpretation; advice and “business roulette” analogy
Final Word
Read the rules and memos yourself, don't rely on industry consensus, and make proactive, risk-based business decisions.
All referenced memos and rules are linked in the episode description.
For further questions, the hosts encourage direct outreach or Friday “hotline” participation.
