CMMC FAQ Section D: Implementation


As a trusted Registered Provider Organization (RPO) for CMMC 2.0, Echelon is committed to simplifying compliance and protecting your DoD contracts. With the CMMC requirements now rolling out in phases from 2025 through 2028, defense contractors need clear, authoritative answers to remain eligible for future opportunities.

To support your journey from readiness to certification, we have structured the official guidance from the DoD CIO's CMMC Frequently Asked Questions into this essential five-part series. 

We will break down the most critical rules, timelines, and requirements across the following sections: About CMMC, The CMMC Model, Assessments, Implementation, and External Service Providers (ESPs), helping you align with NIST 800-171 and achieve a smooth certification with our C3PAO partners.

 

D-Q1.  How will the DoD implement CMMC? 

D-A1. Beginning November 10, 2025, the Department will implement CMMC requirements in 4 phases over a three-year period, as described in 32 CFR 170.3(e). The phased implementation plan is intended to address ramp-up issues, provide time to train the necessary number of assessors, and allow companies the time needed to understand and implement CMMC requirements. 

It will also minimize financial impacts to defense contractors, especially small businesses, and disruption to the existing defense supply chain. The first 12 months of implementation focus primarily on CMMC Level 1 and 2 self-assessments.
 

D-Q2.  How can businesses best prepare for CMMC?

D-A2. Whether a company has previously been awarded a defense contract that includes DFARS clause 252.204-7012 or is brand new to defense contracting, the best way that company can prepare for CMMC is by carefully conducting a self-assessment of their contractor-owned information system(s) to make sure they have implemented the necessary cybersecurity measures to comply with each requirement of FAR clause 52.204-21 (for FCI) or DFARS clause 252.204-7012 (for CUI). 

If the self-assessment identifies any unmet requirements, companies should take corrective action to address those gaps and fully implement the necessary security measures before initiating a CMMC assessment.
 

D-Q3.  Will CMMC apply to non-U.S. companies?

D-A3. Yes. When CMMC requirements are identified in Department solicitations, they will apply to all companies performing under the resulting contract, whether domestic or international.
 

D-Q5.  Can non-U.S. citizens or organizations be part of the CMMC Ecosystem, e.g., C3PAOs? 

D-A5. Yes. Individuals and organizations that meet all requirements established under the Title 32 CFR CMMC Program rule are eligible, as appropriate, to apply to be members of the CMMC Ecosystem, regardless of nationality or country of origin.

 

D-Q6. Starting November 10, 2025, does Department policy require Program Managers to include CMMC Level 2 (C3PAO) in a solicitation if the contractor will handle CUI from the Defense Organizational Index Grouping?

D-A6. No. During Phase 1, the Department’s intent is that all solicitations focus on including the right CMMC self-assessment requirement, which means CMMC Level 1 when only FCI will be processed/stored/transmitted and CMMC Level 2 (Self) when any CUI will be processed/stored/transmitted in contractor-owned information systems.

While it is true that the phases are codified in 32 CFR Part 170 with language that provides PMs some discretion to include CMMC Level 2 (C3PAO) requirements in solicitations during Phase 1, it is not required. Practically speaking, this means the policy allows for (and the Department anticipates) that during Phase 1, there will be some solicitations issued that only include a CMMC Level 2 (Self) assessment requirement, even in cases when the CUI to be shared comes from the Defense Organizational Index Group. 

PMs may also discuss with their Contracting Officer the possibility of including the CMMC clause with the requirement to have a CMMC Level 2 (Self) assessment at the time of award but specifying that a CMMC Level 2 (C3PAO) assessment will be required at the time of any option period exercise. 

PMs should only make use of the discretion provided in 32 CFR 170.3(e) to include a CMMC Level 2 (C3PAO) assessment during Phase 1 when, informed by adequate market research, there is reason to believe that enough qualified offerors (including their subcontractors) exist to provide for adequate competition to meet the solicitation requirement.

Ready to finalize your CMMC strategy? 

Now that you understand the implementation phases and self-assessment criteria, it’s time to look at your supply chain. Join us for the final chapter, Section E: External Service Providers, to ensure your MSPs and cloud services aren't creating a gap in your compliance.

This information is sourced from the official Cybersecurity Maturity Model Certification Program Frequently Asked Questions, Revision 2.2, January 2026, published by the Department of War (DoW) CIO.
