CMMC Implementation - What Defense Contractors Need to Know Right Now

Happy Thursday!

Welcome to Cycoresecure.com, your go-to partner for transforming security and compliance into effortless processes. Whether you're a startup or a growing tech company, we provide services to tackle your biggest security challenges, freeing you to focus on scaling your business with confidence. Let's secure your future together!

Make sure to follow our Cycore LinkedIn page and subscribe to receive updates on current events, trends, and industry news that matter to you.

In Today's Rundown

Let’s dive right in.


On November 10, 2025, the Department of Defense officially began incorporating CMMC assessment requirements into defense contracts. This isn't a future deadline. It's happening now.

If you're a defense contractor or subcontractor handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), this marks a fundamental shift in how you win and maintain DoD business.

Let's talk about it.

What Changed on November 10th?

The DFARS rule took effect, allowing contracting officers to insert CMMC clauses into new solicitations and contracts. This means:

  • New DoD solicitations now require CMMC Level 1 or Level 2 status at time of award

  • Award eligibility is directly tied to having a current CMMC status at the required level in the Supplier Performance Risk System (SPRS)

  • Contractors without the appropriate CMMC status won't be eligible for contract awards, extensions, or option exercises

Only 0.5% of 80,000 Companies Have Level 2 Certification

As of October 2025, only 431 organizations had achieved Level 2 certification. That's just 0.5% of roughly 80,000 companies.

Independent research shows similar trends:

  • Fewer than 50% of defense contractors have completed foundational documentation like a System Security Plan (SSP) or Plans of Action & Milestones (POA&M)

  • The average SPRS score remains at 60, far below the required 110

The Timeline: A Four-Phase Rollout

The DoD is implementing CMMC over four years:

  • Phase 1 (Now - November 2026): Level 1 or Level 2 self-assessments required at award

  • Phase 2 (November 2026 - November 2027): Level 2 C3PAO certifications required at award

  • Phase 3 (November 2027 - November 2028): Level 2 certifications extend to option exercises; Level 3 requirements introduced

  • Phase 4 (November 2028 onward): Full implementation across all covered contracts

What Most Teams Get Wrong

The biggest misconception we're hearing: "CMMC is adding new requirements."
CMMC requirements have existed since 2017 under DFARS 7012, and the underlying regulations haven't changed since 2016.

What's changed is verification. The DoD is now requiring proof that you're implementing what's been contractually required for years.

What You Need to Do Now

If you handle FCI or CUI in any capacity:

  • Understand your requirement level - Review your contracts to determine whether you need Level 1 or Level 2 compliance

  • Conduct a gap analysis - Map your current state against NIST 800-171 requirements and identify documentation gaps

  • Build your evidence package - This isn't just about having controls in place. You need documented proof: policies, procedures, configuration screenshots, audit logs, and test results

  • Register in SPRS - Each contractor system that processes, stores, or transmits FCI or CUI must have a CMMC unique identifier (UID) in SPRS

  • Plan your assessment timeline - Organizations typically need 6-12 months to prepare for a CMMC assessment

The Bottom Line

CMMC requirements can be added to any DoD contract, RFP, or RFI effective November 10, 2025.
If you're waiting for "official" notification or hoping this won't affect your contracts, you're already behind. Procurement cycles don't pause for compliance preparation.

Ready to discuss your CMMC readiness? Schedule time with our team.

Anthropic disclosed that a state-sponsored Chinese threat actor leveraged the company’s AI coding tool Claude Code to automate a global cyber-espionage campaign. It targeted about 30 global organizations across tech, finance, chemical manufacturing, and government. Roughly 80–90% of the operation - from recon to credential harvesting to lateral movement - was executed by the model, with the hackers disguising themselves as a legitimate security firm to bypass guardrails.


It’s one of the clearest signs yet that AI isn’t just assisting attacks but running them at scale.

Cycore at Events

Our team is on the move! Find us at top industry events around the world.

  • Black Hat EMEA, December 2-4, Saudi Arabia: Meet Jai Sisodia, Managing Director at Cycore, at Black Hat EMEA, one of the largest infosec conferences in the world. If you want to talk AI-driven threat detection, privacy engineering, and how enterprises can harden their operations in a world of increasingly automated attacks, send him a message on LinkedIn.

  • Tech Basel Miami AI Summit, Wednesday December 3, Miami: Meet Kevin Barona, CEO & Founder of Cycore, at Tech Basel Miami AI Summit. If you want to talk AI deployment and innovation, send him a message on LinkedIn.

Let's Build Trust

Work with us or follow along:

  1. Cycore builds enterprise-grade security, privacy, and compliance programs for the modern organization. Partner with us.

  2. Follow us on LinkedIn for security, privacy & compliance updates!

  3. How else can we help? Feedback? Have a question? Reply to this email.

  4. Know someone who would like this email? Forward it to a friend...

Your security & compliance ally,
Cycore Team