CMMC Assessment Checklist
Are you ready for your CMMC assessment? Check yourself against this resource to measure where you are in the compliance process.
.jpg?ext=.jpg)
CMMC News: CMMC is Live and Has a Timeline
The 48CFR rule changed to “published to the Federal Register” on September 10, 2025 with an effective date of November 10, 2025. 4CFR is the update to DFARS for CMMC requirements and starts the four-phase implementation of CMMC assessment and certification requirements for contract awards and options.
What is the CMMC phased rollout?
Phase 1 (November 10, 2025 – November 9, 2026): All contracts with a CMMC requirement (DFARS 252.204-7012) for Levels 1, 2 & 3 CUI must conduct a self-assessment and self-affirmation of their score in SPRS. Cautionary note, if the Department of Defense determines an entry into SPRS is incorrect, regardless of the reason, the organization’s leadership may be subject to the False Claims Act.
Phase 2 (November 10, 2026 – November 9, 2027): All new contracts with level 2 CUI will require a 3rd party CMMC assessment and report to SPRS prior to contract award. This includes both primes and subcontractors.
Phase 3 (November 10, 2027 – November 9, 2028): All existing contracts awarded prior to November 10, 2026 with CMMC Level 2 CUI will require 3rd party CMMC assessment and report to SPRS prior to exercising options or extensions.
Phase 4 (November 10, 2028 – November 9, 2029): All CMMC Level 3 CUI contracts will require a CMMC Level 2 - 3rd CMMC assessment with results reported to SPRS, and a DIBCAC assessment of level 3 (NIST SP 800-172) controls prior to contract award, extension, or option execution.
Remember, these phases and dates are for Department of Defense prime contracts, but your prime can mandate CMMC compliance sooner than these dates.
Smithers is Ready
A third-party assessment by an authorized C3PAO (CMMC Third-Party Assessor Organization) significantly reduces the risk of self-assessment and self-affirmation by confirming the validity of the organization’s score, and is potentially being a discriminator against other bidders who are still self-assessing.
There is no longer any question. CMMC is here. It is time to ask your team, “are we ready for a CMMC third-party assessment and who you will choose as your C3PAO?” Smithers is an authorized C3PAO with over 30 years of ISO auditing experience and 100 years in business as proof of our strength. Contact us today to talk about your CMMC timetable.