CMMC is official — here’s your CMMC compliance checklist to stay eligible for DoD contracts.
The Cybersecurity Maturity Model Certification (CMMC) is no longer just a proposal — it’s official. If your business works with the Department of Defense (DoD), you must meet CMMC requirements to remain eligible for contracts. With the November 10, 2025 deadline fast approaching, here’s a comprehensive guide to the five essential actions you need to take now.
1️⃣ Confirm Your CMMC Level
Before anything else, determine which CMMC level applies to your organization. This depends on the type of information you or your clients handle:
- Level 1: Applies if you deal with Federal Contract Information (FCI) — basic data provided by or generated for the government under a contract.
- Level 2: Required if you handle Controlled Unclassified Information (CUI) — sensitive data that requires safeguarding but isn’t classified.
If Level 2 applies, dig deeper:
- Does your contract allow self-assessment, or does it require a C3PAO (Certified Third Party Assessment Organization) audit?
- This distinction determines the complexity and cost of your compliance path.
2️⃣ Complete Your Self-Assessment
Every DoD contractor must complete a self-assessment — at minimum for Level 1.
- Level 1 Self-Assessment: Focuses on 17 basic cybersecurity practices. These are foundational controls like antivirus protection, access control, and regular updates.
- Level 2 Requirements: You must align with NIST SP 800-171, which includes 110 security controls across 14 families (e.g., access control, incident response, system integrity).
Tips:
- Use the official DoD Assessment Methodology to score your implementation.
- Document everything — evidence is key.
3️⃣ Executive Affirmation
Once your assessment is complete, a senior executive must sign off on the results.
- This isn’t a formality — it’s a legally binding attestation.
- The executive is affirming that the information submitted is accurate and complete.
- Any misrepresentation could lead to penalties or disqualification from future contracts.
Make sure your leadership understands the gravity of this step and reviews the assessment thoroughly.
4️⃣ Submit to SPRS
The Supplier Performance Risk System (SPRS) is the DoD’s official repository for contractor cybersecurity scores.
Here’s what you need to do:
- Log into SPRS and enter your score from the self-assessment.
- Upload the executive affirmation document.
- Ensure all data is accurate and up to date — this submission is mandatory for contract eligibility.
If you haven’t used SPRS before, get familiar with its interface and submission process now to avoid last-minute issues.
5️⃣ Prep for Next Steps
If you or your clients fall under Level 2, it’s time to look ahead to 2026.
- C3PAO Certification: Many Level 2 contracts will require a formal audit by a certified third party. These audits are rigorous and require extensive documentation.
- Start building your evidence library now — policies, procedures, system configurations, and training records.
- Consider investing in a compliance management platform to streamline this process.
Proactive preparation will save you time, money, and stress when the audit window opens.
Final Thoughts
CMMC compliance isn’t just a checkbox — it’s a strategic necessity for any business in the DoD supply chain. By tackling these five steps now, you’ll position your organization for continued success and avoid the scramble as the deadline approaches.
Need help navigating the process or preparing for a C3PAO audit? Let’s talk strategy — I can help you build a tailored roadmap. The CMMC compliance checklist is just a start!