CMMC Level 1 is No Longer Optional. What DoD Contractors Need to Do Now
Whether you have one employee or 1000, if your company supports the U.S. Department of Defense (DoD) directly or indirectly (i.e., as a subcontractor to another business that supports the DoD), you are required to meet Cybersecurity Maturity Model Certification (CMMC) requirements in order to be awarded certain contracts.
The final rule took effect November 10, 2025, meaning that CMMC requirements may appear in DoD contracts soon.
What is the CMMC?
There are numerous cybersecurity frameworks in use today, and many share common controls or overlap. CMMC is the DoD’s framework to ensure that contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) meet minimum cybersecurity standards to protect digital records that contain confidential information pertaining to military operations, critical infrastructure, and the like.
CMMC is based largely on existing industry standards, primarily NIST SP 800-171. It was developed with input from a broad base of industry leaders who are committed to the common goal of securing defense contractors and the defense industrial base.
CMMC Level 1 — Who Needs to Act
Any contractor that receives or processes FCI - a category that covers most companies in the DoD supply chain - will be required to complete an annual self-assessment under CMMC Level 1.
Why It Matters
Failing to comply could mean False Claims Act liability as well as losing access to existing or future DoD work. The requirements may appear straightforward - just 17 controls - but implementation involves people, processes, and documentation across your organization, not just IT. Plus, Level 1 self-assessments must be affirmed by a senior official, not just IT staff.

Kreischer Miller Can Help With Your CMMC Readiness Efforts
At Kreischer Miller, we’ve helped mid-market companies prepare for regulatory change for decades, and we can help you get CMMC ready without the stress.
We can assist with:
- Understanding your specific CMMC requirements in plain language
- Performing readiness assessments and gap analysis, using the RealCISO™ platform
- Building your evidence package and self-assessment artifacts
- Guiding you through SPRS submission and affirmation
Don’t Wait Until It’s in the Contract
Time is of the essence. If you're not sure where your company stands, let's get clarity now. Our Technology Advisory team can help make the CMMC process straightforward, so that you can protect sensitive data, stay eligible for DoD contracts, and position your business for growth.
Contact us today to schedule a complimentary CMMC readiness consultation.