CMMC Is Now in DoD Contracts: What San Diego Defense Subcontractors Need Before November— ✦ —

San Diego runs on defense work. Between the shipyards, the primes, and the thousands of machine shops, fabricators, and engineering firms that supply them, a large share of the county's manufacturers touch a Department of Defense contract somewhere in their revenue. As of November 10, 2025, that work comes with a new condition: CMMC.

This is not a proposal or a future rule. The Cybersecurity Maturity Model Certification requirement is active now, rolling into DoD solicitations in phases, and it determines whether you can win or keep contracts.

Where the Rollout Stands Right Now

Phase 1 began on November 10, 2025 and runs through November 9, 2026. During this phase, applicable DoD solicitations and contracts require a CMMC Level 1 or Level 2 self-assessment as a condition of award. That means completing the assessment, submitting your score to the Supplier Performance Risk System (SPRS), and having a company official affirm it. No current status in SPRS, no award.

Phase 2 begins on November 10, 2026. That is when contracts handling Controlled Unclassified Information (CUI) can start requiring a Level 2 certification performed by an accredited third-party assessor (a C3PAO), not just a self-assessment. Assessor capacity is limited and firms are booking months out, which is why waiting until a solicitation demands it is a losing strategy. Full implementation across all applicable contracts arrives in 2028, but the pressure starts much earlier: every recompete, renewal, and option period along the way can trigger the requirement.

What Level Applies to You

  • Level 1 applies if you handle Federal Contract Information (FCI), which is most subcontractors. It consists of 15 basic safeguarding requirements, things like access control, limiting who can reach federal contract data, and basic system protections. It is self-assessed annually.
  • Level 2 applies if you handle Controlled Unclassified Information (CUI), such as controlled drawings, specifications, or technical data. It requires implementing the 110 security controls of NIST SP 800-171 and, depending on the contract, certification by a C3PAO.
  • If you only sell commercial off-the-shelf products to the DoD, CMMC generally does not apply. Confirm that with your contracts lead before assuming it.

If you are not sure whether the files your shop receives count as CUI, that question alone is worth a conversation, because it determines whether you are facing a 15-control checklist or a 110-control program.

The Honest Timeline for a Small Shop

Level 1 is achievable in weeks for a reasonably run environment. Level 2 is not. Firms implementing NIST 800-171 from a standing start typically need 12 to 18 months to put controls, documentation, and evidence in place before an assessor ever shows up. A shop that handles CUI and wants to stay eligible for work after Phase 2 tightens should already be working the plan. Many primes are not waiting for the government either; they are asking subcontractors for SPRS scores today as part of supplier risk management.

Where to Start

First, inventory your contracts and data: what is FCI, what is CUI, and where does it live. Second, run a gap assessment against the applicable requirements. Third, decide on architecture, because many small shops save significant money by consolidating CUI into a restricted enclave instead of securing every computer in the building. Then execute, document, and submit your score.

Local Help for Defense Work

Simplicity IT works with manufacturers and defense subcontractors in San Diego County on exactly this: scoping FCI and CUI, implementing the required controls, and getting a defensible score into SPRS. Contact us before your next recompete makes the deadline for you. Schedule your Discovery Call here.