If you hold a Department of Defense contract — or you're a subcontractor receiving flow-down requirements from a prime — the regulatory landscape shifted on November 10, 2025. The Cybersecurity Maturity Model Certification rule under 48 CFR became effective that day, and a second major deadline (Phase 2) is now less than a year away.
This post explains what changed, who it affects, and what "getting ready" actually means for the small and mid-size contractors in Washington, Oregon, and Idaho who make up the Pacific Northwest defense supply chain.
What the rule actually says
CMMC formalizes something that has existed informally since DFARS 252.204-7012 was issued in 2016: if you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under a DoD contract, you need documented, auditable cybersecurity controls.
The rule creates three levels:
- Level 1 — 17 basic practices drawn from FAR 52.204-21. Required for FCI. Self-assessment with annual affirmation.
- Level 2 — 110 practices from NIST SP 800-171. Required for most CUI handlers. Phase 2 broadly requires a third-party (C3PAO) assessment for contracts containing CUI.
- Level 3 — 134 practices (800-171 plus an 800-172 subset). Required for the most sensitive DoD programs; government-led assessment.
The vast majority of regional DIB subcontractors fall into Level 1 or Level 2.
What Phase 2 means (the November 2026 deadline)
The rule is being phased in to avoid disrupting active contracts all at once. Phase 2, which broadly takes effect around November 2026, is when third-party certification requirements begin appearing in new solicitations at scale for Level 2 CUI handlers. In practical terms:
- If your prime issues a new solicitation or a contract renewal after Phase 2, expect to see a CMMC Level 2 requirement — meaning a C3PAO-conducted assessment, not just a self-score.
- Approximately 80,000 DIB organizations need Level 2 certification. As of now, roughly 1% hold it.
- The gap between demand for certified organizations and the supply of them is real and growing.
This does not mean you need to be certified on November 10, 2026. It means that as contracts roll over, the certification requirement will be there. Starting readiness work now is the difference between meeting a contract renewal on time and losing a re-compete.
A note on DOE contractors in the Tri-Cities
CMMC is a Department of Defense program. Contractors whose work flows exclusively through the Department of Energy — including much of the Hanford Site and PNNL work in the Tri-Cities — are not currently subject to CMMC requirements solely by virtue of that DOE relationship. However, many regional firms hold both DoD and DOE contracts, or supply to primes that have DoD work. If your contracts include any DoD prime, CMMC applies to that contract's scope. Verify your contract portfolio before assuming you're out of scope.
DOE contractors who handle CUI are not exempt from data-protection obligations; NIST 800-171 remains the applicable standard for CUI regardless of the agency. The specific enforcement mechanism — and the third-party assessment requirement — is what differs.
What the 110 controls actually cover
NIST SP 800-171 organizes its requirements into 14 domains: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
Gaps show up predictably in a few areas for small contractors: multi-factor authentication coverage (especially for remote access and privileged accounts), documented system security plans (SSPs), audit logging with actual review, and media sanitization procedures. These are also the controls that appear most prominently in DOJ enforcement actions.
What readiness looks like in practice
Being "ready" for a CMMC assessment does not mean having perfect scores across all 110 controls on day one. It means knowing where you stand, having a documented Plan of Action and Milestones (POA&M) for any gaps, and being able to demonstrate that controls are actually implemented — not just written down.
The typical readiness sequence for a Level 2 contractor:
- Gap assessment — map your current practices against all 110 controls and document what's in place, partially in place, or absent.
- SPRS score — calculate your current score (scored from -203 to 110) and submit it to the Supplier Performance Risk System. This score is visible to your primes and to DoD.
- POA&M — document the gaps and a realistic remediation timeline. A POA&M isn't an admission of failure; it's a required artifact showing you know your gaps and are working them.
- Remediation — implement controls, prioritized by risk and by what your prime's flow-down requires first.
- Verification — confirm that implemented controls actually work. This is where a penetration test and technical validation become useful: they verify that your stated security posture holds under real-world conditions, not just on paper.
- C3PAO assessment (when required) — engage a Certified Third-Party Assessor Organization to conduct the formal assessment.
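To make the first three steps concrete, the following is an added example (not code from the original article or from Rimrock) that scores a gap-assessment result the way the SPRS range in step 2 implies: every organization starts at 110 and loses a weight of 1, 3 or 5 points per requirement that is not implemented, which is why the floor is -203. The per-requirement weights, the partial-credit value, the requirement IDs chosen and the sample findings are all constructed for illustration; the authoritative weights come from the published DoD Assessment Methodology, not from this script. It also orders the open gaps by points recoverable, which is one reasonable way to sequence a POA&M.

```python
"""Illustrative SPRS-style scoring of a NIST SP 800-171 gap assessment.

Added example, not from the original article. Start at 110, subtract a
weight (1, 3 or 5) for each requirement that is not implemented, floor at
-203. Weights and partial-credit values below are CONSTRUCTED samples.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

MAX_SCORE = 110
MIN_SCORE = -203
DEFAULT_WEIGHT = 1  # most requirements carry a 1-point weight

# Constructed sample of heavier-weighted requirements (hypothetical values).
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.5.3": 5,    # MFA for network and privileged access
    "3.13.11": 5,  # FIPS-validated cryptography protecting CUI
    "3.3.1": 5,    # audit log creation and retention
    "3.12.4": 3,   # system security plan (SSP)
    "3.8.3": 3,    # media sanitization before disposal or reuse
}

# Constructed sample: a partially implemented control that still earns
# some credit is deducted a reduced amount instead of its full weight.
SAMPLE_PARTIAL_CREDIT: Dict[str, int] = {
    "3.5.3": 3,  # e.g. MFA on remote access but not yet on privileged accounts
}


@dataclass(frozen=True)
class Finding:
    requirement: str  # NIST 800-171 requirement id, e.g. "3.5.3"
    status: str       # "implemented", "partial", or "not_implemented"


def deduction(requirement: str, status: str) -> int:
    """Points subtracted for one requirement given its assessed status."""
    if status == "implemented":
        return 0
    weight = SAMPLE_WEIGHTS.get(requirement, DEFAULT_WEIGHT)
    if status == "partial":
        # Partial credit exists only where the methodology grants it;
        # everywhere else "partial" scores the same as not implemented.
        return SAMPLE_PARTIAL_CREDIT.get(requirement, weight)
    if status == "not_implemented":
        return weight
    raise ValueError(f"unknown status {status!r} for {requirement}")


def sprs_score(findings: Iterable[Finding], all_requirements: Iterable[str]) -> int:
    """Score the assessment over the full scope.

    A requirement that was never assessed counts as not implemented; that is
    the conservative reading an assessor applies, so unassessed controls cost
    the same as documented gaps.
    """
    assessed = {f.requirement: f.status for f in findings}
    total = sum(deduction(req, assessed.get(req, "not_implemented"))
                for req in all_requirements)
    return max(MIN_SCORE, MAX_SCORE - total)


def poam_priority(findings: Iterable[Finding]) -> List[Tuple[str, int]]:
    """Open gaps ordered by points recoverable, for sequencing POA&M work."""
    gaps = [(f.requirement, deduction(f.requirement, f.status))
            for f in findings if f.status != "implemented"]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


# Constructed gap-assessment excerpt for a small Level 2 contractor.
SAMPLE_FINDINGS = [
    Finding("3.1.1", "implemented"),
    Finding("3.5.3", "partial"),          # MFA on the VPN only
    Finding("3.3.1", "not_implemented"),  # no central audit logging
    Finding("3.12.4", "not_implemented"), # no written SSP
    Finding("3.8.3", "implemented"),
    Finding("3.14.1", "implemented"),
]
# 3.13.11 is deliberately absent from the findings to show that an
# unassessed requirement is deducted in full. A real scope lists all 110.
SAMPLE_SCOPE = ["3.1.1", "3.5.3", "3.3.1", "3.12.4", "3.8.3", "3.14.1", "3.13.11"]

if __name__ == "__main__":
    print("SPRS-style score:", sprs_score(SAMPLE_FINDINGS, SAMPLE_SCOPE))
    for req, pts in poam_priority(SAMPLE_FINDINGS):
        print(f"  POA&M item {req}: recovers {pts} point(s)")
```

Run stand-alone, the sample scores 94: the partial MFA deployment costs 3, the missing logging and SSP cost 5 and 3, and the unassessed cryptography requirement silently costs another 5. That last case is the one worth noticing, since an SSP that does not address a requirement at all is scored no better than one that admits the gap.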
Rimrock provides readiness gap assessments, SPRS documentation support, and technical verification testing for Pacific Northwest DIB contractors. We are not a C3PAO and do not conduct formal CMMC certifications — we help clients close gaps before the assessor arrives.
Where to find local resources
If you're a small contractor in eastern Washington and you're not sure where to start, the Washington APEX Accelerator, hosted at the Tri-City Regional Chamber in Kennewick, offers free government-contracting assistance and has run CMMC Level 1 readiness workshops. The CyberAB Marketplace (cyberab.org/marketplace) lists credentialed CMMC practitioners by location if you need outside help.
The November 2026 deadline sounds distant. For contracts that renew on 12-month cycles, the decision window to begin readiness work is now.
This article is general information, not legal or compliance advice. CMMC regulatory details reflect the 48 CFR rule effective November 10, 2025; verify current requirements against official DoD and CyberAB sources for your specific contracts.