CMMC Phase 1 Implementation Has Begun: What You Need to Know for 2025–2026

 

CMMC Phase 1 Implementation officially started on November 10, 2025, marking a major milestone in the Department of Defense’s (DoD) push to strengthen cybersecurity throughout its supply chain. This first phase, which runs from Nov 10, 2025 through Nov 9, 2026, focuses heavily on CMMC Level 1 and CMMC Level 2 self-assessments, new reporting requirements, and mandatory affirmation submissions in the Supplier Performance Risk System (SPRS).

For companies doing business with the DoD, this is the first big step toward full CMMC rollout. Even if you’ve been preparing for months or years, Phase 1 creates new obligations that are now active, not optional and not theoretical. Understanding what’s required during this period is essential to staying compliant and protecting your future eligibility for government contracts.

 

What Phase 1 of CMMC Includes

CMMC Phase 1 Implementation is designed to introduce cybersecurity obligations gradually, giving contractors time to adjust before full assessments begin in later phases. During this first year, the DoD’s primary goal is for organizations to measure, report, and affirm the status of their cybersecurity posture.

 

Here’s what Phase 1 requires:

 

1. Level 1 Self-Assessments Are Now Mandatory

Any company that handles Federal Contract Information (FCI) must complete a CMMC Level 1 self-assessment.
This includes 15 basic safeguarding requirements drawn from FAR 52.204-21, covering essentials such as:

  • Access control
  • Basic authentication
  • Physical security
  • Data protection and backup practices

After completing the self-assessment, your score must be submitted in SPRS, along with an affirmation from a senior official. This affirmation requirement is new, and the DoD will treat false affirmations as potentially fraudulent under the False Claims Act.

 

2. Level 2 Self-Assessments Are Required for CUI Environments

If your company works with or handles Controlled Unclassified Information (CUI), Phase 1 requires you to conduct a CMMC Level 2 self-assessment.

This includes the 110 security controls from NIST SP 800-171, such as:

  • Multi-factor authentication
  • Incident response planning
  • Audit logging
  • Secure configuration practices
  • Risk assessment procedures

Just like Level 1, Level 2 assessments must be entered in SPRS with an accurate scoring methodology and a senior-level affirmation.

This is one of the biggest components of CMMC Phase 1 Implementation, and failure to report correctly can put your current and future contracts in jeopardy.

 

3. Affirmations Are Now Required in SPRS

One of the most important reminders of Phase 1 is simple but critical:

You must submit an AFFIRMATION with your CMMC assessment in SPRS.

An affirmation:

  • Must come from a senior company official
  • Confirms the accuracy of the assessment
  • Carries legal accountability
  • Must be updated with every reassessment or score change

Affirmations make cybersecurity compliance more enforceable and transparent. They’re also a sign that the DoD wants real verification, not merely self-reported checkboxes.

 

Why Phase 1 Matters

Phase 1 lays the foundation for later stages of CMMC, where full third-party assessments and more stringent verification will become required for many contracts. Companies that take this phase seriously will be well-positioned when those future requirements arrive.

Ignoring Phase 1, however, creates major risks:

  • Being disqualified from new contracts
  • Losing eligibility to renew active contracts
  • Facing audits, penalties, or False Claims Act scrutiny
  • Falling behind competitors already adapting to CMMC standards

This first year is your opportunity to tighten cybersecurity controls, document your processes, and establish compliance habits that will carry into Phase 2 and Phase 3.

 

Preparing for What Comes Next

CMMC Phase 1 Implementation isn’t just a regulatory update; it’s the beginning of a full-scale cybersecurity transformation across the DoD supply chain. Between now and November 9, 2026, contractors must complete Level 1 or Level 2 self-assessments, submit accurate SPRS scores, and file their affirmations on time.

A proactive approach now will save time, reduce risk, and strengthen your organization’s security posture as CMMC evolves. The sooner companies assess, document, and affirm their compliance, the smoother the transition will be into the next phases.

 

Ready to see what AI-powered automation can do for your business?

Contact Simpatico today at 855-672-4800 or visit www.simpatico.com and secure your path to CMMC compliance.
