The CMMC Deadline is Approaching: What You Need to Know
The Cybersecurity Maturity Model Certification (CMMC) rule is final, and the CMMC deadline is set. Starting November 10, 2025, contracting teams may include CMMC in new solicitations. A three-year phase follows, ending November 10, 2028, when CMMC applies wherever contractor systems handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This timeline affects awards, option exercises, and data sharing across the defense industrial base.

You can act on a few points immediately. Contracting personnel will check the Supplier Performance Risk System (SPRS) for a current status at the required level. Level 1 relies on annual self-assessments. Levels 2 and 3 rely on three-year assessments, with annual affirmations. Conditional status may be used for a limited period while plans of action and milestones close. Awards limited to commercially available off-the-shelf (COTS) products are excluded. Flowdown applies when subcontractors will handle FCI or CUI.
What is Federal Contract Information?
Federal Contract Information (FCI) is information not intended for public release that is provided by or generated for the government under a contract, and not classified. The focus is on basic safeguarding within contractor systems that handle this information. Level 1 aligns with this definition, and the assessment is a self-assessment posted in the SPRS.
Contractors that only handle FCI should plan for Level 1. If the work expands to include CUI, a higher level may apply. Review scope changes to avoid gaps between requirements and posted status.
The definition stays consistent across solicitations, yet the assessment timing and evidence may vary by program.
Use the FCI definition to confirm Level 1 scope and avoid accidental higher-level exposure.
What is Controlled Unclassified Information?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls and is not classified. Programs handling this information commonly require Level 2. The assessment path may be a self-assessment or a CMMC Third-Party Assessment Organization, depending on the solicitation.
Higher impact missions may require Level 3. Those assessments are performed by the Defense Industrial Base Cybersecurity Assessment Center. Level 2 and Level 3 both require annual affirmations and maintain a three-year assessment validity period.
Scope the systems that touch CUI. Assign a CMMC Unique Identifier for each scope so proposals and awards align with assessment results.
Use the CUI definition to set the Level 2 or Level 3 scope and align evidence to the solicitation.
When is the CMMC deadline?
The CMMC deadline for inclusion in solicitations begins November 10, 2025. During a three-year phase, programs will decide where to apply CMMC. After November 10, 2028, CMMC will apply when contractor systems process, store, or transmit FCI or CUI. Awards limited to commercially available off-the-shelf products do not require CMMC.
Contracting personnel will verify a current status in the Supplier Performance Risk System (SPRS).
Offerors provide a CMMC Unique Identifier (UID) for each assessment scope that is in scope for the work. These identifiers connect the assessment to the proposal or award. The identifiers, status, and affirmation appear in the SPRS.
CMMC success starts with correct dates, the right level, and current status in the Supplier Performance Risk System.
What is the CMMC deadline timeline?
The CMMC deadline follows a phased plan. Phase 1 begins November 10, 2025, and runs through November 9, 2028. During this time, program offices decide whether to include CMMC in solicitations and contracts. Where CMMC appears, winning the award depends on holding the right level and a current status in the SPRS.
Phase 2 begins on November 10, 2028. CMMC applies to solicitations and contracts where contractor systems handle FCI or CUI. Awards that are limited to commercially available off-the-shelf products remain excluded.
Program and contracting teams will align actions to this schedule. Planning now reduces later friction at the CMMC deadline.
Who decides your required CMMC level?
The program office or requiring activity sets the level. The decision reflects what information your systems will handle and the risk profile of the work. The contracting officer applies that decision and verifies your status in the SPRS.
For work with FCI only, Level 1 applies. For work with CUI, Level 2 applies. For higher impact missions, Level 3 may be required. Different solicitations can set different levels, even within the same organization.
Read the solicitation language closely. The level and assessment type appear in the requirement and flow through to award checks.
Treat the program office decision as the anchor for level, assessment type, and proposal evidence.
Which level and assessment path fit common scenarios?
Many teams segment systems into enclaves. This keeps FCI and CUI inside distinct scopes with their own CMMC UIDs.
Match the level and assessment path to the data, the solicitation, and the risk of the mission.
How do SPRS, UIDs, and “current status” fit together?
A status is current when the assessment is within its validity window and the annual affirmation is in place. Level 1 self-assessments refresh every year. Level 2 and Level 3 assessments remain valid for three years. Each level requires an annual affirmation by the affirming official.
Each assessment scope receives a CMMC UID. You include identifiers for the scoped systems in your proposal when CMMC applies. If the scope changes, update the identifier record. Contracting personnel use the SPRS to check identifiers, status, and annual affirmations.
Conditional status may be used for Levels 2 and 3 for a limited period while plans of action and milestones are closed. When the closeout is complete, the status becomes final. Level 1 requires a final status at award.
A current status equals a valid assessment, correct identifier, and on-time affirmation recorded in the SPRS.
What should you do now to meet the CMMC deadline?
1. Map applicability across contracts and systems
Build a list of opportunities and active awards that involve FCI or CUI. Identify every system that will process, store, or transmit this data. Align each item on the list to a likely level.
2. Close gaps against the right standard
For Level 1, confirm all 17 safeguards and supporting evidence. For Level 2, align to the 110 requirements in NIST SP 800-171. Gather artifacts. Use plans of action and milestones (POA&M) only where permitted.
3. Create or update your CMMC Unique Identifiers
Define scope boundaries, post results in the SPRS, and capture the identifiers in your bid and contract files. Add calendar reminders for annual affirmations.
4. Decide and schedule your assessment path
Use self-assessment for Level 1. Use the assessment type stated in the solicitation for Level 2 or Level 3. Book assessment dates early to reduce schedule risk.
5. Set up internal audits and change control
Track inventories, access controls, incident response, backups, and logging. Use change control to keep your posted status accurate between affirmations.
6. Manage subcontractor flowdown
Insert the correct level into subcontracts where FCI or CUI is in scope. Request evidence of status and affirmation before sharing data. Prime contractors may have limited visibility into a subcontractor’s records in the Supplier Performance Risk System. Collect screenshots or certificates directly from the subcontractor.
7. Build a short execution checklist and owners
Assign owners for self-assessments, third-party assessments, identifier maintenance, and annual affirmations. Use a simple tracker so nothing lapses at a key milestone.
Early scoping, clear owners, and scheduled assessments keep your bids on track against the CMMC deadline.
How does COTS fit into the CMMC deadline?
Awards limited to commercially available off-the-shelf products do not include CMMC requirements. If a requirement goes beyond COTS, and contractor systems will handle FCI or CUI, CMMC may apply. Confirm scope during performance so added tasks do not pull a COTS-only action into a higher level.
COTS exceptions reduce effort for purely commercial transactions. The moment the work introduces FCI or CUI into contractor systems, the analysis changes.
Treat COTS decisions as scope tests you revisit when performance changes.
COTS-only awards sit outside CMMC, but scope changes can trigger CMMC requirements.
How should small businesses plan for the phase-in?
Small businesses face the same CMMC deadline and phase-in dates. The difference is resource bandwidth. Many small entities plan for Level 1 self-assessments when handling FCI. For CUI, small entities often create targeted enclaves to limit scope and cost.
Calendar discipline helps. Set clear renewal dates for affirmations. Keep a playbook for evidence collection. Track subcontractor status before you share data.
Primes should communicate early about level expectations, identifiers, and timelines. Small business subs can then plan assessments and affirmations against real dates.
A focused scope and steady cadence help small teams meet the same CMMC deadline as larger firms.
What about existing contracts during the phase-in?
During Phase 1, programs choose where to add CMMC. Some existing contracts may be updated by agreement of both parties. Where CMMC applies, option actions will require a current status. Teams should plan so that lapses in assessment validity or annual affirmations don’t delay options.
Keep your identifier records current. If systems in scope change, update the SPRS. Confirm that option periods do not cross assessment expiration dates without a plan to refresh.
Treat recompetes like new work. Align the level to the solicitation, and post the right evidence in time for evaluation.
Plan for options and recompetes so status stays current across the entire performance window.
What blocks an award at the CMMC deadline?
An award is blocked when the solicitation includes a CMMC requirement, and you lack a current status and affirmation in the SPRS for each identifier tied to the systems in scope. Contracting personnel check the system before award and option actions.
Can a conditional status be used for an award?
Levels 2 and 3 may use conditional status for a limited period while plans of action and milestones close. When the closeout is complete, the status becomes final. Level 1 requires a final status at award.
Do we submit our artifacts with the proposal?
You post assessment results, identifiers, and affirmations in the SPRS. Programs may request artifacts during assessments or investigations. Award checks focus on status, level, and current affirmations.
How do identifiers tie to proposals?
Each scoped system has a CMMC Unique Identifier. You reference the identifiers in your proposal when CMMC applies. The government verifies those identifiers in the SPRS.
How do primes manage subs under CMMC?
Flowdown applies when subs will handle FCI or CUI. Ask subs for proof of status and affirmation. Collect evidence directly if your visibility into a sub’s SPRS records is limited.
Practical checklist for the next 60 to 120 days
This checklist turns policy into calendar dates, owners, and repeatable steps:
What are the next steps before the CMMC deadline?
Treat November 10, 2025, as a real start. Plan assessments and affirmations against live proposals. Keep identifiers current. Train your affirming official on SPRS submissions. Verify subcontractor status before sharing data.
As Phase 2 approaches on November 10, 2028, expect broader application wherever contractor systems handle FCI or CUI. Keep your assessment calendar rolling. Refresh evidence as systems or contracts change.
Finish with a quick internal brief so executives see timing, costs, and award impacts. That brief turns the CMMC deadline into a predictable business plan.
Prepare now so the CMMC deadline becomes an operational milestone instead of a bid blocker.
How Hyperproof can help you get started on your CMMC journey
You can use Hyperproof to track and measure your CMMC progress and prepare for SPRS submissions quickly and efficiently. By following this practical checklist, you can use Hyperproof’s automated evidence collection, real-time monitoring, and integrated reporting capabilities to maintain accurate SPRS scores while reducing manual effort and improving your overall compliance posture. Hyperproof’s control-centric approach ensures that organizations can efficiently manage their CMMC requirements while preparing for assessments and maintaining ongoing compliance.
Here’s how to get started:
CMMC implementation checklist
1. Determine your CMMC level
Identify whether Level 1, 2, or 3 applies based on the data you handle (CUI or FCI) or your current contracts. Select the appropriate CMMC 2.0 program in Hyperproof.
2. Define your assessment scope
Map the systems, processes, and locations that store, process, or transmit CUI or FCI.
3. Run a gap analysis
Use Hyperproof to conduct a gap analysis to compare your current environment against required CMMC controls. Link each requirement to its control and record the compliance state.
4. Set up dashboards
Add the three SPRS scoring dashboard widgets for a real-time view of your current SPRS score and the status of your program requirements. These dashboards can help you easily track progress towards improving your SPRS score.
Here’s an example of a total SPRS score widget:
This is what a SPRS requirements implementation widget looks like in Hyperproof:
Here’s an example of the SPRS weighted status widget:
5. Enable health monitoring and freshness tracking
Activate health monitoring to see overall program health and set freshness windows so controls move from “Fresh” to “Expired” automatically.
6. Automate evidence collection
Use Hyperproof’s 70+ Hypersync integrations (AWS, Azure, GitHub, etc.) to pull logs and configuration snapshots. Configure automated tests that validate the collected evidence.
7. Connect evidence to controls
Attach evidence to the relevant requirement and control to demonstrate control effectiveness.
8. Implement continuous controls monitoring
Run daily compliance tasks, monitor controls with automated tests, track remediation in the issue tracker, and use the SPRS dashboard widgets for real‑time insights.
9. Generate and submit SPRS reports
To prepare your SPRS report, export the total score, status values, and detailed requirement data via the analytics sheet in Hyperproof. Include the export timestamp, then submit the self‑assessment to the official Supplier Performance Risk System (SPRS) with CMMC level, scope, CAGE codes, overall score (for Level 2), and POA&M status.
10. Keep documentation and POA&Ms current
Update the POA&Ms for any gaps, refresh security policies as new evidence appears, and assign tasks to collect updated proof. Many organizations use the Risk Register or the Issues feature to record POA&M items.
Understanding SPRS scoring in Hyperproof
Hyperproof tracks Supplier Performance Risk System (SPRS) points on a scale from -203 to 110.
Special rules affect a few requirements: