Expert Advice

The New Era of Cybersecurity in Defense Contracting: Preparing for CMMC

On November 10, 2025, a major shift in federal procurement takes effect: the Department of Defense will begin requiring Cybersecurity Maturity Model Certification (CMMC) in new contracts. This means cybersecurity compliance is no longer optional; it is now a core requirement to compete for and win defense contracts. Contractors who prepare early will be positioned to protect their businesses, strengthen their competitiveness, and secure their place in the defense supply chain. In this month’s expert advice article, you will learn what CMMC is, why it matters, and the steps your business should take now to be ready.


What Is CMMC?

The DoD introduced CMMC in 2020 to ensure companies protect sensitive information when working on government contracts. The program requires contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) to implement adequate cybersecurity practices to protect the defense industrial base. Prior to CMMC, DoD contractors were required to self-attest compliance with National Institute of Standards and Technology (NIST) Special Publication 800-171 – a set of cybersecurity requirements issued by NIST, a federal agency that sets technical standards to help improve innovation, security, and quality across industries.

CMMC originally introduced a robust five-level security framework that employed third-party assessments to verify cybersecurity maturity. However, after industry and stakeholder feedback, DoD simplified the model to three levels in November 2021, aligning it more closely with NIST SP 800-171 to ease compliance. The resulting CMMC 2.0 is more flexible, particularly for small- and medium-sized businesses.

November 10: The Start of a Three-Year Rollout

As of this September, the Department of Defense published new rules in the Federal Register that provide new contract requirements for CMMC in the Defense Federal Acquisition Regulation Supplement (DFARS). This rule formally integrates CMMC 2.0 into defense contracts, under Title 48 of the Code of Federal Regulations (CFR), and becomes effective on Monday, November 10, 2025. The official rollout will be a 3-year process for all Government Contractors to become compliant. By the fourth year, every DoD contractor must be fully compliant.

Beginning November 10, contracting officers will include the new CMMC requirements in new solicitations and contracts, making cybersecurity a formal part of doing business with DoD. In the meantime, underlying cybersecurity responsibilities remain in effect and continue to apply. The two clauses that will now appear in all DoD solicitations and contracts are 252.204-7021 and 252.204-7025.

November 10, 2025 is a milestone that marks the official transition from planning to execution. It signals to all defense contractors, especially small and medium-sized businesses, that CMMC compliance is no longer optional. As cyber threats grow in scale and sophistication, CMMC is a critical safeguard to ensure the resilience and security of the supply chain that supports our national defense.

*Please note that the above requirements only apply to contracts and modifications issued by the Department of Defense (DoD) and its specific DoD agencies.

How to Prepare for CMMC:

To give you a head start, we are offering a FREE CMMC Level 1 webinar on October 8. This training will break down what CMMC means, how the rollout affects your business, and the practical steps you can take right away to prepare. You will also learn how Norcal APEX counselors can work with you one-on-one to identify your CMMC level, assess your readiness, and build a plan to close any gaps.



Until then, you can find more advice and resources to support your business below:

Norcal APEX Accelerator is committed to helping Northern California businesses navigate the new CMMC requirements with confidence. Compliance is now a critical part of doing business with the Department of Defense, but you do not have to face these changes on your own. Our team of procurement specialists provides no-cost counseling, training, and resources designed to help small and medium-sized businesses succeed in the federal marketplace.


If you are looking for help with Federal government contracting or want no-cost help to find contracting opportunities, please contact your Norcal APEX Accelerator counselor for assistance or apply for services today!


Authored by:

Joseph Moore, Norcal APEX Accelerator Procurement Specialist

Mary Jo Juarez, Norcal APEX Accelerator Procurement Specialist

If you have more questions, please contact us at info@apexnorcal.org or (707) 267-7561.