CMMC Mandatory by DoD: What the November Timeline Means for Contractors

Nov 10, 2025 · 2 min read

The Department of Defense has made it official: CMMC is mandatory for defense contractors. With the rollout tied to the 32 CFR Part 170 rule and phased contract requirements, the November timeline is a hard deadline for a lot of the defense industrial base (DIB). If you're still treating CMMC as optional, it's time to shift. Here's what I'm telling teams I work with.

Why the DoD made CMMC mandatory

CMMC exists to protect Controlled Unclassified Information (CUI) and the supply chain. The DoD can't rely on self-attestation alone anymore. Contractors have to demonstrate a defined level of maturity (Level 1, 2, or 3) through assessments. No CMMC, no contract for covered work. It's that simple.

What "mandatory" actually means for you

  • New and renewed contracts will include CMMC requirements. If your contract involves CUI or other sensitive DoD information, you'll need the right CMMC level before award or by a specified phase-in date.
  • Level 1 (Foundational) applies when you handle Federal Contract Information (FCI). Assessment is self-attestation with annual affirmation.
  • Level 2 (Advanced) is where most defense contractors land when CUI is involved. You need a third-party assessment from a C3PAO or, during the transition, the Joint Surveillance Voluntary Assessment Program (JSVAP) with the DoD.
  • Level 3 (Expert) is for the most sensitive programs.

November is a key date in the phased rollout. Missing the window doesn't just delay one contract; it can affect your ability to bid on future work and your standing in the DIB.

What to do before and after November 10

  1. Confirm your level. Map your contracts and data to see whether you need Level 1, 2, or 3. Scoping drives everything else.
  2. Close gaps. Run a CMMC gap assessment against NIST SP 800-171 (for Level 2) and the CMMC Assessment Guide. Fix the biggest risks first: identity, access, logging, and asset inventory.
  3. Lock in evidence. The DoD and C3PAOs want ongoing evidence, not a one-time snapshot. Build your SSP, POA&Ms, and policies so they stay current and auditable.
  4. Plan for assessment. If you need Level 2, line up a C3PAO or understand the JSVAP path. Slots fill up; booking early reduces last-minute pressure.

CMMC mandatory by DoD isn't a rumor; it's the new rule. Use the November timeline as the trigger to get your program in shape, align with 32 CFR Part 170, and keep your place in the defense supply chain.