CMMC Phase 1 is here: what smaller defense suppliers should do first

Practical first steps for smaller defense suppliers as CMMC Phase 1 brings Level 1 and Level 2 self-assessment requirements into applicable procurements.

EST
EdgePoint Strategy Team
Cybersecurity Leadership
January 5, 2026
ShareLinkedInTwitter

CMMC has moved from preparation to procurement. The Department of Defense began Phase 1 on November 10, 2025, and says the first twelve months will focus primarily on Level 1 and Level 2 self-assessments in applicable solicitations. Phase 1 runs through November 9, 2026. The department plans a four-phase rollout over three years. The DoD CMMC site maintains the current phase and implementation dates.

For a smaller defense supplier, the immediate risk is not simply “failing CMMC.” It is spending scarce time and money without first understanding which information, systems, contracts, and assessment level are actually in scope.

Read the solicitation and the flowdown

CMMC requirements are tied to the information a contractor system processes, stores, or transmits and to the level stated in the solicitation or contract. The current DFARS provision provides a place for the contracting officer to specify Level 1 Self, Level 2 Self, Level 2 C3PAO, or Level 3 DIBCAC. Acquisition.gov publishes the current DFARS CMMC clauses and definitions.

Do not rely on a general statement from a customer that “everyone needs Level 2.” Ask for the applicable clause, required level, and the information expected to flow to your company. If you are a subcontractor, document what the prime contractor is asking you to receive and protect.

This is a contract and information-handling question before it becomes a technology question. Involve the person who understands the work statement, not only IT.

Separate FCI from CUI

Federal contract information, or FCI, is information provided by or generated for the government under a contract that is not intended for public release, with limited exceptions in the federal definition. Controlled unclassified information, or CUI, requires safeguarding or dissemination controls under law, regulation, or government-wide policy.

The difference affects the assessment level and the systems in scope. Level 1 addresses basic safeguarding of FCI. Level 2 applies the CUI protection requirements incorporated into CMMC.

Start with examples of the information your people actually handle: drawings, specifications, purchase information, inspection records, emails, portal downloads, and files received from a prime. Determine who identifies CUI and how markings or contract terms communicate that status. Do not declare information out of scope simply because a file lacks a clear label. Resolve uncertainty with the contracting party.

Draw the information path

Before buying tools, sketch how covered information enters, moves through, and leaves the company.

Include email, file shares, cloud storage, endpoints, shop-floor workstations, removable media, backups, supplier exchanges, and any managed service provider that can access the environment. Mark the people and locations involved. A plain diagram reviewed by operations, contracts, and IT is more useful than a polished network chart that misses how work gets done.

Then ask where the boundary can be made smaller without disrupting the contract. A dedicated environment for covered work may be easier to protect than every device and application in the company. It can also create awkward handoffs and duplicate processes. Scope reduction is a design decision, not a paperwork exercise.

Confirm what is already recorded

Check the Supplier Performance Risk System, or SPRS, for existing assessment records associated with the company and relevant systems. Identify who can access the record, which CAGE codes and system security plans it covers, when it was submitted, and whether the underlying environment still matches the assessment.

Do not treat an old score as an inherited fact. The DFARS framework requires a current CMMC status at the required level for relevant contractor information systems, and CMMC includes affirmations of continuing compliance. The DoD CMMC overview briefing explains annual affirmation and the relationship between conditional and final status.

Leadership should know who will serve as the affirming official. That person is making an organizational statement, not approving an IT checklist.

Assess evidence, not intention

For every applicable requirement, record the practice, owner, system, and evidence. Policies alone are not evidence that a practice happens. A configured control with no repeatable operating process is also incomplete.

Useful evidence might include settings, access reviews, training records, tickets, logs, diagrams, and records of tested procedures. Evidence will vary by requirement. The point is to show what the organization does and how it knows the practice continues.

This review often finds ordinary operating gaps: former employees still listed in groups, shared accounts on production equipment, unclear approval for remote access, or backups that have not been restored in a test. Fix the underlying practice. Avoid building a folder of screenshots that describes a condition no one will maintain.

Be careful with remediation plans

CMMC permits limited use of plans of action and milestones for some Level 2 and Level 3 items, subject to scoring and timing rules. It does not allow them for Level 1. Conditional status must be resolved within the allowed period, which the DoD overview describes as no more than 180 days for eligible items.

Do not assume every missing practice can be deferred. Check the current rule and assessment guidance for the required level. Prioritize gaps that change architecture or require vendor lead time, since they are harder to close under deadline.

A practical first month

In the first thirty days, a smaller supplier should be able to produce five things: a list of affected contracts, a working distinction between FCI and CUI, an information-flow diagram, a defined assessment boundary, and a gap register tied to evidence.

That work may reveal that the company needs outside assessment or technical help. It may also reveal that a narrower, well-run environment is enough. Either result is better than purchasing a bundle before scope is understood.

CMMC requirements and contract language can change, so use the current DoD and acquisition sources when making a compliance decision. EdgePoint can help suppliers organize scope and remediation when needed, but contract counsel and the relevant contracting party should resolve legal or contract interpretation.

Tags

CMMCdefense supplierscybersecurityNIST SP 800-171
Related

More from this series.

// Start the conversation

Ready to transform your strategy?

Let's discuss how EdgePoint Strategy can help your manufacturing business leverage technology for competitive advantage.