Starting November 10, 2025, new DoW solicitations and contracts can include CMMC requirements. Many small businesses will need either a quick self‑assessment (what folks often call “self‑attestation”) or a third‑party certification to stay eligible. Here’s the plain‑English version and how CyMyCloud makes it easier.
What changes when?
- Phase 1 (starts Nov 10, 2025): many contracts will require a current Level 1 or Level 2 self‑assessment posted in SPRS. Some may already require third‑party certification at Level 2; check your solicitation.
- Phased rollout: DoW will phase requirements in over ~3 years; by the end, CMMC appears broadly across DoW contracts. Some programs can add it earlier.
- Level 1 (FCI only): annual self‑assessment + annual affirmation in SPRS.
- Level 2 (CUI): either self‑assessment or third‑party (C3PAO) certification every 3 years, your solicitation will say which. Annual affirmation still required.
- Level 3: a small slice of higher‑risk programs; you need a C3PAO Level 2 certification first, and the Level 3 assessment is then performed by DoW (DCMA DIBCAC).
- Whatever your level, your CMMC status (a self‑assessment, or a valid C3PAO certificate where the RFP demands one) and your SPRS score must be posted and current when the contracting officer checks SPRS at award, and kept current through the annual affirmation for the life of the contract.
- Know your level. If you only touch FCI, plan for Level 1. If you handle CUI, plan for Level 2 and verify whether your RFP demands a C3PAO certification.
- Do a quick NIST SP 800‑171 Rev 2 gap check. You need a System Security Plan (SSP), a POA&M for the fixes, and a score calculated with the DoD Assessment Methodology (the range is -203 to 110, so it can be negative; honesty matters, because an affirming official signs off on it).
- Post to SPRS + set reminders. Submit the assessment date, score, scope, and your planned date to reach 110, then set recurring reminders for the annual affirmation (and the 3‑year certification cycle if one applies).
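The scoring behind the "score can be negative" remark is mechanical enough to show in code. The calculator below is an added example, not CyMyCloud or CyberMyte code: it applies the NIST SP 800‑171 DoD Assessment Methodology rules (start at 110, deduct each unimplemented requirement's 1/3/5 point value, partial credit for MFA and FIPS crypto, floor of -203, no score without an SSP). The requirement IDs are real 800‑171 Rev 2 numbers, but the weight table is a constructed excerpt; take the point values from the official Methodology table before trusting a number.

```python
"""SPRS-style score calculator (added example; not CyMyCloud/CyberMyte code).

Rules implemented, from the NIST SP 800-171 DoD Assessment Methodology:
  * start at 110 and subtract the point value (1, 3 or 5) of every requirement
    that is not fully implemented; open POA&M items still count as missing;
  * 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) get partial credit: a
    partial implementation deducts 3 instead of 5;
  * with no SSP (3.12.4) the assessment cannot be scored at all;
  * the floor is -203 (110 minus the 313 points all requirements are worth).
WEIGHTS below is a constructed EXCERPT for illustration only (assumption);
use the official table for a real submission.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

MAX_SCORE = 110
MIN_SCORE = -203
SSP_REQUIREMENT = "3.12.4"

# Constructed excerpt (assumption): requirement ID -> points lost when missing.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.3.1": 5, "3.4.1": 5, "3.5.3": 5,
    "3.8.3": 5, "3.11.2": 5, "3.12.4": 5, "3.13.11": 5, "3.14.1": 5,
    "3.1.20": 1, "3.8.9": 1,
}
# Partial-credit deductions documented in the Methodology.
PARTIAL_CREDIT: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class Finding:
    requirement: str
    status: str            # "implemented" | "partial" | "not_implemented"
    on_poam: bool = False  # an item still open on the POA&M earns no credit


def deduction(f: Finding, weights: Dict[str, int] = WEIGHTS) -> int:
    """Points lost for one finding (0 when fully implemented and not on the POA&M)."""
    if f.requirement not in weights:
        raise KeyError(f"unknown requirement {f.requirement}")
    if f.status == "implemented" and not f.on_poam:
        return 0
    if f.status == "partial" and f.requirement in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[f.requirement]
    # "partial" on any other requirement scores as not implemented
    return weights[f.requirement]


def sprs_score(findings: Iterable[Finding],
               weights: Dict[str, int] = WEIGHTS) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (score, [(requirement, points lost), ...]).

    Requirements absent from `findings` are treated as implemented, so pass
    every requirement you assessed. Raises ValueError when there is no SSP.
    """
    lost: List[Tuple[str, int]] = []
    for f in findings:
        d = deduction(f, weights)
        if d and f.requirement == SSP_REQUIREMENT:
            raise ValueError("no System Security Plan: the assessment cannot be scored")
        if d:
            lost.append((f.requirement, d))
    score = MAX_SCORE - sum(d for _, d in lost)
    return max(score, MIN_SCORE), lost


if __name__ == "__main__":
    # Constructed sample assessment for a small shop (not real data).
    sample = [
        Finding("3.1.1", "implemented"),
        Finding("3.5.3", "partial"),                         # MFA for admins/remote only: -3
        Finding("3.13.11", "not_implemented"),               # non-FIPS crypto: -5
        Finding("3.1.20", "not_implemented"),                # -1
        Finding("3.8.3", "not_implemented", on_poam=True),   # on the POA&M, still -5
    ]
    score, lost = sprs_score(sample)
    print(f"SPRS score: {score}")
    for req, pts in lost:
        print(f"  {req}: -{pts}")
```

The `on_poam` flag is deliberately not a discount: putting a gap on the POA&M keeps you eligible to submit, but the points come back only when the item is closed and re-assessed.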
Common snags (so you can avoid them)
- Asset inventory gaps
- MFA not enforced everywhere
- Admin accounts shared
- Logs not retained/monitored
- No SSP/POA&M artifacts
- Unclear CUI boundary
- Third‑party/vendor risk unmanaged
- Backups not tested
How CyMyCloud makes CMMC simpler
- Turnkey, NIST 800‑171–aligned environment: a secure workspace for FCI (CUI support coming soon) with access control, MFA, encryption, logging, and backup options.
- Ready‑to‑use paperwork: SSP & POA&M templates mapped to controls; evidence collection built into daily operations.
- SPRS‑ready reporting: roll‑up of implemented controls and gaps to speed self‑assessments.
- “C3PAO‑friendly” posture: if your RFP requires third‑party certification, CyMyCloud helps you define the boundary, gather artifacts, and walk into assessments prepared.
- Small‑team friendly: our team handles the heavy lift so you can stay billable.
FAQ (quick hits)
Is Level 1 just paperwork? No, there are 15 required safeguards, plus an annual self‑assessment and affirmation in SPRS.
For Level 2, do I always need a C3PAO? Not always. Some contracts allow self‑assessment; others require a third‑party certification; read the solicitation.
My score isn’t perfect. Am I doomed? Nope. Scores can be negative. Focus on an honest SSP, a real POA&M, and closing gaps. (For Level 2, a POA&M is allowed only if your score is at least 88 and the open items are low‑weight ones, and you must close them within 180 days or the conditional status lapses.)
If you want help figuring out “self‑assessment vs certification” in your situation, just reply to this newsletter and say “CMMC”. We’ll respond same day.
Contact CyberMyte or visit our website, and follow us on LinkedIn for the 15 Level 1 safeguards.
CyberMyte
Yvonne Rivera, CEO
October 15, 2025
(855) 665-4308