
Countdown to CMMC Go-Time

You’re reviewing a new DoD contract opportunity and there it is: “CMMC Level 2 certification required.” This catches you off guard. You thought CMMC was still being figured out. Sure, you remember seeing headlines about a “final rule” back in December, but nothing seemed to change after that. Now suddenly it’s a requirement for new contracts starting November 2025.

What nobody explained clearly was that the “final rule” you saw in the headlines last year established the program standards but didn’t include the contract language needed to require compliance. Then in September 2025, the DoD published the enforcement rules in the Federal Register. That second rule created the contract language. What this means is that starting November 10, 2025, CMMC requirements can show up in new contracts.

Learn about CMMC Compliance Services from XPERTECHS

November 10: CMMC Requirements Start Appearing in Contracts

CMMC won’t appear in every contract immediately. The rollout happens in phases over three years, but some contracts will require it right away. If you’re not ready, you can’t bid on those opportunities.

The contract will specify which CMMC level you need. Level 1 applies to basic Federal Contract Information, while Level 2 covers Controlled Unclassified Information. If you’re unsure which applies to your work, ask your contracting officer or prime contractor.

November 2025 starts with mostly self-assessments. November 2026 brings third-party assessments for Level 2 contracts. By 2028, CMMC will be required for all DoD contracts involving federal information.

Handle CMMC Internally or Bring in Expert Help?

Now that you know CMMC requirements are coming to your contracts, you have a choice to make. Most companies will need months to prepare proper documentation and policies. Waiting until you see CMMC in a contract leaves no time to get ready.

Should you handle this internally, or bring in someone who’s done it before? The answer depends on how well you understand what’s required, how much time you can realistically dedicate, and how confident you are in your ability to document and demonstrate compliance.

Related: Should You Handle CMMC Compliance In-House or Work with an MSP?

Most Companies Underestimate What CMMC Preparation Involves

Even companies that choose to handle CMMC internally often hit the same roadblocks. Many companies assume their entire IT environment needs CMMC compliance. But if systems don’t touch Federal Contract Information or Controlled Unclassified Information, they probably don’t need to be in scope.

The problem is proving that with proper documentation. “We think our systems are separate” doesn’t work. You need policies, procedures, and evidence that shows how data flows through your environment and what’s in scope.

Companies also discover the difference between having security tools and proving CMMC compliance. “We thought we were already doing everything CMMC required” is a common refrain from companies that learn this the hard way.

Even if you just need Level 1, there are 17 requirements that still need documentation, executive affirmation, and annual renewals. Most IT teams underestimate the effort because they’re thinking about technology, not compliance paperwork.

Related: Overcoming the Top CMMC Compliance Challenges

XPERTECHS Provides Both Cybersecurity Implementation and CMMC Compliance

XPERTECHS is both a managed cybersecurity provider and a CMMC Registered Practitioner Organization. We have the expertise and the team to approach CMMC from both sides: implementing the technical security controls you need and guiding you through the compliance process.

What this means for you:

  • Technical implementation: 24/7 SOC monitoring, Managed Detection and Response, and DEFEND security framework that meets CMMC requirements
  • Compliance guidance: Cloud-based system that walks you through every requirement with documentation templates and progress tracking
  • One-stop solution: No need to coordinate between separate cybersecurity and compliance vendors

One client came to us just weeks before their Level 1 deadline. They’d done some prep but weren’t confident in their answers or their security posture. We helped strengthen their cybersecurity controls, clean up their documentation, and get their assessment submitted properly.

Now they’re set for annual affirmations without the panic, and they have robust security that goes well beyond basic CMMC requirements.

Start Preparing Now Before Requirements Hit Your Contracts

Ready or not, CMMC is moving from “someday soon” to “right now.” Don’t wait for CMMC to show up in your contracts. Get ahead of it while you still have options.

Contact us to schedule a CMMC consultation.