By Payam Pourkhomami, President & CEO of OSIbeyond
CMMC Phase 1 officially began on November 10, 2025, but many defense contractors are still unsure if they’re fully ready for it. The confusion is understandable considering the years of delays and evolving requirements. Adding to the pressure, major defense primes like Lockheed Martin, Boeing and Northrop Grumman have already issued directives to their supply chains, making CMMC compliance a condition of continued partnership.
This article breaks down exactly what Phase 1 requires, how long preparation realistically takes, what compliance will cost and how to navigate the assessment process without expensive missteps.
What CMMC Phase 1 Requires
Phase 1 of the CMMC program runs from November 10, 2025 through November 9, 2026, and the DoD estimates that approximately 65% of the Defense Industrial Base will be affected. During this initial year, the Department of Defense is primarily focused on self-assessment requirements rather than mandatory third-party certifications. However, some contracts may still require third-party certifications.
All applicable solicitations will include the appropriate CMMC self-assessment requirement based on the type of information the contractor will handle:
- Federal Contract Information, or FCI: Contractors must complete a Level 1 self-assessment against 17 basic safeguarding requirements and enter results into the Supplier Performance Risk System (SPRS).
- Controlled Unclassified Information, or CUI: Contractors must complete a Level 2 self-assessment demonstrating compliance with all 110 NIST SP 800-171 controls and submit results to SPRS.
A common misconception is that Phase 1 requires third-party certification from a C3PAO. For most contractors, it does not. However, contracting officers retain discretion to require Level 2 C3PAO assessments for high-risk programs even during Phase 1. The DoD projects approximately 135 C3PAO assessments will occur in Year 1, a small fraction of the roughly 80,000 contractors who will eventually need Level 2 certification.
Prime Contractors Are Not Waiting
While Phase 1 provides a runway before mandatory third-party assessments begin in Phase 2, it is not a grace period in which to delay preparation, because major defense primes are not giving their suppliers the luxury of waiting. Phase 1 should be used to prepare for formal assessment before Phase 2 begins.
Lockheed Martin is requiring all suppliers to document their applicable CMMC status in SPRS and frames compliance as essential to maintaining uninterrupted business operations. For contractors handling CUI, the company urges them to pursue C3PAO certification now since some fiscal year 2026 contracts may already include that requirement. The company’s supplier notice makes clear that additional documentation requirements are coming.
Similarly, Boeing is strongly encouraging suppliers to begin preparing for Level 2 certification immediately rather than waiting for contract requirements to appear. “As a condition of winning a contract award, suppliers handling FCI and CUI (excluding commercial-off-the-shelf procurements) will be required to have the specified CMMC level (1-3) certification identified in the customer/Boeing solicitation,” states the company’s supplier letter.
Finally, Northrop Grumman’s announcement makes it clear that neither contracting officers nor prime contractors may waive or deviate from CMMC requirements. Non-compliant subcontractors simply will not receive purchase orders.
How Long CMMC Preparation Actually Takes
Defense contractors often underestimate the time required to achieve CMMC compliance.
- For Level 1 certification, contractors should expect a preparation timeline of 3 to 6 months to implement the 17 basic safeguarding requirements, document policies and procedures and complete the self-assessment process.
- Level 2 certification requires significantly more effort, typically taking 6 to 12 months to complete. The timeline accounts for implementing all 110 NIST SP 800-171 controls, developing comprehensive documentation including a System Security Plan, conducting gap assessments, remediating deficiencies and preparing for formal assessment.
Any provider promising CMMC compliance in a shorter timeframe should be approached with caution, especially if they claim it can be done in days rather than months.
As I discussed in a previous article on CMMC compliance outsourcing, while significant portions of CMMC compliance work can be delegated to qualified partners, governance decisions, policy development and legal obligations remain your responsibility. These internal tasks require time and attention from your leadership team, so even if your provider is moving efficiently on the technical side, you should not rush through your own responsibilities.
What CMMC Compliance Will Cost
Implementation costs vary based on several factors, including the size of your organization, the complexity of your IT environment, whether you need a full migration to government cloud or just an enclave deployment and how many security gaps need to be addressed.
As a point of reference, OSIbeyond has developed fixed-price CMMC solutions to illustrate the costs that small to mid-sized contractors can expect:
| Solution Type |
| --- |
| GCC Enclave Deployment & CMMC Implementation |
| GCC Full Migration & CMMC Implementation |
These figures exclude C3PAO assessment fees and GCC licensing costs. For contractors pursuing Level 2 C3PAO certification, formal assessment fees typically range from $40,000 to $60,000, with most companies paying around $50,000. GCC licensing costs vary based on your user count and the specific Microsoft 365 Government plan required.
Other qualified MSPs and RPOs should be charging in a similar range. If a provider is quoting significantly higher, they may be overcharging. Conversely, pricing that seems too good to be true usually reflects the quality of work you will receive.
What the CMMC Assessment Process Looks Like
CMMC certification has two major stages:
- Preparation: During preparation, you implement the required security controls, develop documentation like your System Security Plan and make sure your environment meets all requirements.
- Assessment: An authorized third party evaluates your environment and either certifies you or identifies deficiencies.
The preparation stage is handled by RPOs (Registered Practitioner Organizations) and MSPs (Managed Service Providers), while the assessment stage is handled by C3PAOs (Certified Third-Party Assessor Organizations):
- RPOs are registered with the Cyber AB to provide CMMC consulting services. They focus on compliance guidance, gap assessments, documentation development and advising you on how to meet requirements. However, they typically do not handle the technical implementation or ongoing IT management.
- MSPs provide hands-on technical services including cloud migrations, security tool deployment, system configuration and ongoing IT and security management. A CMMC-certified MSP has achieved its own Level 2 certification, which means it has been through the process itself and operates a compliant environment. See the MSP Collective for a list of CMMC Level 2 certified MSPs.
For most contractors, partnering with a certified MSP is the more efficient path to CMMC implementation because it can handle both the technical implementation and the compliance documentation in a coordinated effort. An MSP can also be an RPO at the same time.
- C3PAOs conduct the formal assessment that leads to certification. Once you are ready, they evaluate your environment against CMMC requirements and issue your certification. There are currently only around 80–100 authorized C3PAOs serving an estimated 80,000 contractors who will eventually need Level 2 certification. Many C3PAOs are already booked 6–12 months in advance, and this bottleneck will only intensify as Phase 2 approaches. For this reason, it’s important to engage a C3PAO 6–12 months before your target assessment date, once you have partnered with a qualified MSP who can recommend C3PAOs it has worked with successfully.
A failed or paused assessment is an expensive mistake. C3PAO fees typically run $40,000 to $60,000, and if your assessment is halted because controls are not fully implemented or documentation is incomplete, you will likely pay again for a second assessment. For this reason alone, it’s risky to attempt CMMC preparation without expert guidance.
Conclusion
CMMC Phase 1 is not a waiting period despite being focused on self-assessments. Major primes are already requiring compliance from their supply chains, and C3PAO schedules are filling up at alarming rates. Contractors who understand their requirements, partner with a qualified MSP and book their C3PAO assessment early will be positioned to compete when Phase 2 makes third-party certification mandatory starting November 10, 2026.
OSIbeyond is a CMMC Level 2 certified MSP with a team of experienced assessors and practitioners who have guided many defense contractors through the compliance process. Schedule a consultation to discuss how we can help you achieve CMMC compliance before your competitors do.