Navigating the CMMC Enforcement Era: Phase 1 Guide
The theoretical phase of the Cybersecurity Maturity Model Certification (CMMC) is over. As of November 10, 2025, the “Enforcement Era” has officially begun with the activation of Phase 1. For Department of Defense (DoD) contractors, compliance is no longer a future goal; it is a present-day barrier to entry. If you want to bid, you must have your house in order.
This guide demystifies the recent updates to 48 CFR, explains the critical DFARS clauses now in effect, and offers expert insights on navigating self-assessments and prime contractor requirements in this new landscape.
The Regulatory Shift: What Changed on November 10?
The updates to 48 CFR (the DFARS), specifically parts 204, 212, 217, and 252, are now officially in effect. They activate, in contracts, the CMMC Program that 32 CFR part 170 defines. This transition marks the shift from preparation to execution.
The “No Bid” Reality
The most immediate impact comes from DFARS 252.204-7025, the new solicitation provision. This is the enforcement mechanism that changes the stakes entirely. Under this provision, an offeror cannot be awarded a contract unless the CMMC status required by the solicitation is already recorded in SPRS at the time of award. It effectively turns compliance into a “go/no-go” gate for new business.
The Supporting Clauses
To navigate this era, you must understand the framework built by these key clauses:
- 252.204-7012: This remains the foundational requirement to safeguard Controlled Unclassified Information (CUI) by implementing NIST SP 800-171, and to report cyber incidents to the DoD.
- 252.204-7019: This provision requires you to have a current NIST SP 800-171 DoD Assessment score posted in the Supplier Performance Risk System (SPRS) before you can be considered for award.
- 252.204-7021: This is the contract clause that makes the required CMMC level a condition of performance: you must hold the status for the duration of the contract and flow the requirement down to subcontractors that handle FCI or CUI.
Navigating Phase 1: The Era of Self-Assessment
While the long-term goal for many organizations involves third-party verification, Phase 1 primarily focuses on Level 1 or Level 2 self-assessments. Note the caveat: the DoD retains discretion to require a Level 2 certification assessment by a C3PAO in specific Phase 1 solicitations, so read each solicitation rather than assuming self-assessment applies.
The Focus is on Self-Attestation
During this initial rollout, the immediate hurdle for most contractors is self-attestation. However, this is not a “check the box” exercise. The self-assessment process is rigorous and requires you to adhere strictly to the assessment objectives found in NIST SP 800-171A.
The SPRS Requirement
Compliance in theory is insufficient; you must translate your status into data the DoD can see. You are required to submit your assessment results, and the resulting CMMC status, to the Supplier Performance Risk System (SPRS), along with an affirmation of continuous compliance from a senior official.
System vs. Company
A common misconception is that CMMC compliance applies to the entire company. In reality, compliance is tied to a defined assessment scope: the specific information system, or enclave, that stores, processes, or transmits FCI or CUI. When you submit your results to SPRS, you receive a CMMC Unique Identifier (UID) for that specific system boundary, not for the company as a whole.
Expert Tip: Ensure the UID you use when bidding on a contract matches the specific system that will perform the contract work. Misalignment here can lead to compliance failures during the award process.
New Clarifications: DoD FAQs and NIST Updates
Recent updates from the DoD and NIST have clarified several gray areas that have long plagued contractors.
Encrypted CUI is Still CUI
The DoD recently released FAQs clarifying that encryption does not make CUI “disappear” from scope. If data was CUI before it was encrypted, it remains CUI after encryption. This distinction is vital for determining the boundaries of your secure environment.
Media Sanitization Updates
NIST has updated SP 800-88 Rev 2, which governs media sanitization. Organizations that have struggled with how to logically destroy data should review the new purge methods outlined in this revision to ensure their data destruction policies are up to date.
Rev 2 vs. Rev 3
Confusion remains regarding which version of NIST SP 800-171 applies. While the DoD has released guidance for Rev 3 Organizationally Defined Parameters (ODPs), DoD contractors must currently assess against Rev 2.
Expert Insight: Forward-thinking companies can build systems compliant with Rev 3 standards but must map their controls back to Rev 2 to ensure no gaps exist during current assessments.
Expert Insights: Are You Actually Ready?
Readiness is not about hope; it is about evidence. As NeoSystems’ Ed Bassett notes, “If you don’t know for sure that you are ready, you are not ready.”
The Confidence Test
If you cannot point to the specific evidence for every assessment objective, you are not prepared for an assessment—whether it is a self-assessment or a third-party audit. You should have a high degree of confidence in your documentation and implementation before you submit your score.
Configuration Management is King
Of all the requirements, Configuration Management is often the steepest hill to climb. It is not a one-time setup but a daily discipline that must operate even during emergencies. Every change to your system must be accounted for, documented, and approved.
Continuous Monitoring
“Monitoring” goes beyond having a 24/7 Security Operations Center (SOC). True continuous monitoring requires periodically reassessing the continued effectiveness of all 110 NIST SP 800-171 Rev 2 requirements. This ensures that your compliance posture does not drift over time due to operational changes or neglect, and it is what backs the annual affirmation you sign in SPRS.
Handling Primes
Prime contractors are increasingly pushing subcontractors for Level 2 compliance, even in cases where CUI flow-down is not immediately present. Primes are de-risking their supply chains to protect their own eligibility for awards.
Strategy: Instead of arguing applicability, consider building a small, compliant enclave. This allows you to satisfy Prime requirements and secure future work without overhauling your entire corporate infrastructure.
Technical Hurdles: Windows 10 and Cloud Infrastructure
Two specific technical challenges are currently front of mind for compliance teams.
The Windows 10 Problem
Windows 10 reached its end of support on October 14, 2025. Using an operating system that no longer receives security patches will cause a failure in multiple requirements, specifically those related to secure baselines, flaw remediation, and patching. Contractors must have a plan to migrate to a supported OS or document a rigorous justification and mitigation strategy (for example, isolation or a paid Extended Security Updates arrangement) for any system that cannot move yet.
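The first step in that plan is knowing exactly which in-scope hosts are still on Windows 10. The following PowerShell inventory check is an added example, not code from the original article; it assumes WinRM/CIM access to the listed hosts, and the host names are constructed placeholders.

```powershell
# Added example: find Windows 10 hosts in the CMMC assessment scope.
# Assumes the current user can reach each host over WinRM (Get-CimInstance -ComputerName).
# Host names below are constructed placeholders; replace them with your in-scope inventory.
$inScopeHosts = @('ws-eng-01', 'ws-eng-02', 'ws-fin-03')

$results = foreach ($h in $inScopeHosts) {
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $h -ErrorAction Stop

        # Windows 10 and Windows 11 both report Version 10.0.x, so the build number is the
        # reliable discriminator: Windows 11 builds start at 22000, Windows 10 builds are lower.
        $build = [int]$os.BuildNumber

        [pscustomobject]@{
            Host        = $h
            Caption     = $os.Caption
            Build       = $build
            LastBoot    = $os.LastBootUpTime
            IsWindows10 = ($os.Caption -match 'Windows 10') -and ($build -lt 22000)
        }
    }
    catch {
        # Unreachable hosts are findings too: an unknown OS state cannot be attested.
        [pscustomobject]@{
            Host        = $h
            Caption     = "unreachable: $($_.Exception.Message)"
            Build       = $null
            LastBoot    = $null
            IsWindows10 = $null
        }
    }
}

$results | Sort-Object IsWindows10 -Descending | Format-Table -AutoSize

# Hosts flagged here need a migration ticket or a documented, risk-accepted mitigation.
$results | Where-Object { $_.IsWindows10 -eq $true } |
    Export-Csv -Path .\win10-remediation.csv -NoTypeInformation
```

Treat the flagged list as a starting point, not a verdict. Windows 10 LTSC editions match the same caption but have their own, later end-of-support dates, and hosts enrolled in Extended Security Updates still receive patches; review those by hand and record the justification in your System Security Plan rather than letting the script decide for you.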
The VDI Solution
For organizations looking to minimize the scope of their local hardware, Microsoft 365 GCC High combined with Virtual Desktop Infrastructure (VDI) offers a compliant path. However, the scoping benefit only holds if the local endpoint is configured so that nothing beyond keyboard, video, and mouse (KVM) traffic passes to the VDI client: no local storage, clipboard, printing, or file transfer of CUI. Configured that way, the local device does not process or store CUI and stays out of scope; configured loosely, it pulls the whole endpoint fleet back in.
Embrace the Enforcement Era
The rules are set, and the “Enforcement Era” is not a drill. The transition from “should do” to “must do” has occurred.
Actionable Steps:
- Verify your SPRS score: Ensure it is current, accurate, and tied to the correct information system.
- Review your System Security Plan (SSP): Check it against the latest DoD FAQs, especially regarding encryption and scope.
- Understand and define any “significant changes”: A significant change to the assessed system can invalidate your current CMMC status and trigger a new assessment. If you are a dynamic, growing company, define in advance what counts as a significant change in your environment (new enclaves, new cloud services handling CUI, boundary changes) so you can manage the risk rather than discover it at award time.
DoD contractors should view CMMC compliance not just as a regulatory hoop, but as a competitive advantage in a supply chain that is shedding non-compliant vendors.