CMMC News
Cybersecurity Maturity Model Certification
Effective March 25, 2026
Background – The U.S. Department of Defense is advancing implementation of the Cybersecurity Maturity Model Certification (CMMC) program to strengthen cybersecurity across the Defense Industrial Base. Beginning November 10, 2025, DoD contracts are expected to include CMMC requirements based on the type of information involved, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC requirements will be introduced through a phased rollout:
| Phase | Effective Date | Assessment Method |
|---|---|---|
| Phase 1 | November 10, 2025 | Self-assessment (Level 1 or Level 2) |
| Phase 2 | November 10, 2026 | Third-party Level 2 assessment (C3PAO) |
| Phase 3 | November 10, 2027 | Third-party Level 3 assessment (DIBCAC) |
| Phase 4 | November 10, 2028 | Full program implementation |
In certain cases, the DoD may include CMMC requirements in solicitations ahead of the planned phase timeline. As a provider of IT and professional services supporting federal and defense customers, FCN is actively monitoring the evolution of CMMC requirements and aligning its cybersecurity practices to meet applicable standards. FCN remains committed to:
- Supporting secure delivery of solutions across federal environments
- Maintaining compliance with evolving DoD cybersecurity requirements
- Partnering with customers and suppliers to ensure readiness across the supply chain
Applicability to Contractors and Suppliers – Under 32 CFR § 170.23, CMMC requirements apply to all contractors and subcontractors that process, store, or transmit FCI or CUI in support of DoD contracts. These requirements flow down through the supply chain, regardless of tier. At full implementation, required CMMC levels are generally aligned to the type of data handled:
- FCI only: CMMC Level 1 (Self-Assessment) or higher
- CUI: CMMC Level 2 (Self-Assessment or Third-Party Assessment, depending on contract requirements)
- Higher-Level Requirements: May be specified at the prime contract level and flow down as applicable
Immediate Actions to Complete – Here is what you can do now to be ready to meet the Government’s CMMC requirements and avoid any procurement disruptions:
- CMMC Level 1 (Federal Contract Information) AND all DOD subcontractors who are not exempt as COTS only
  - Document your Level 1 Self-Assessment in DOD’s SPRS system
- CMMC Level 2 (CUI)
  - In addition to your existing NIST Assessment score in SPRS, you need to update your SPRS profile to include a CMMC Level 2 Self-Assessment.
  - Pursue your CMMC Level 2 C3PAO assessment since some GFY 2026 contracts may include a C3PAO requirement for CUI.
FCN IT will require all suppliers to satisfy in-system documentation requirements reflecting the applicable CMMC Statuses that support FCN’s subcontract work. Additional details on these requirements will be addressed in future communications.
Your proactive cooperation is essential to maintaining the security of the Defense Industrial Base and guaranteeing uninterrupted business operations with FCN. Please allocate the necessary resources promptly to ensure your company is prepared.
Contact – For more information about FCN Inc’s cybersecurity capabilities and compliance approach, please contact our team or visit our website.
