CMMC Readiness | 10 min read

CMMC Phase 1 Is Here: What Manufacturers Should Do Now

CMMC Phase 1 is active. Here is what small manufacturers, machine shops, and DoD suppliers should do with SPRS, SSPs, POA&Ms, affirmations, cloud services, and evidence.

Author: Nick DiVito

Review status: Current / Reviewed Jun 15, 2026

Tags: CMMC, DFARS, NIST 800-171, SPRS, Manufacturers

Executive summary

CMMC is not just policy noise anymore. The CMMC Program rule is final, the DFARS acquisition rule is final, and the Department's public CMMC page says Phase 1 implementation began on November 10, 2025.

The practical message for small defense suppliers is simple: if your business touches Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you need to understand your required CMMC level, know what systems are in scope, keep your SPRS and affirmation story current, and build evidence that matches what your people actually do.

Do not panic-buy tools. Do not assume a generic template package gets you ready. Do not wait for a prime contractor to explain your environment back to you.

Start with scope, SSP, score, POA&M, evidence, cloud services, and ownership. That is the work that turns CMMC from a rumor into an operating plan.

What changed

The important shift is that the contractual machinery is now moving.

The CMMC Program rule at 32 CFR Part 170 became effective on December 16, 2024. That rule established the CMMC program structure, levels, assessment types, scoping, affirmations, POA&M rules, scoring methodology, and subcontractor application.

The DFARS final rule for CMMC was published on September 10, 2025 and became effective on November 10, 2025. That rule is the contract-side piece. It amends DFARS parts 204, 212, 217, and 252 to bring CMMC requirements into solicitations and contracts.

The Department's current CMMC page says Phase 1 runs from November 10, 2025 through November 9, 2026 and focuses primarily on CMMC Level 1 and Level 2 self-assessments. That does not mean every contractor needs a C3PAO assessment today. It does mean the "we will deal with this later" posture is getting thinner by the month.

What matters right now

For most small manufacturers and industrial suppliers, the first question is not "Which tool should we buy?"

The first question is: what information do we handle, and where does it live?

If the business only handles FCI, the CMMC conversation may center on Level 1. If the business processes, stores, or transmits CUI, the conversation usually moves toward Level 2 and NIST SP 800-171. If a solicitation or contract specifies a CMMC level, that requirement drives the path.

The latest Department FAQ is also very clear on a point that gets missed: CMMC assessments are tied to the Department's phased implementation in applicable procurements, and the required level will be specified in the solicitation and resulting contract once CMMC is implemented contractually.

That means small suppliers need a way to read the contract pressure without overreacting to every headline.

What this means for manufacturers and machine shops

Manufacturers and machine shops tend to get stuck because their security scope does not look like a clean software company diagram.

There may be estimating files in email, drawings in shared drives, customer portals, ERP data, CNC programming workflows, quality records, old local admin habits, shared shop-floor systems, remote support vendors, and a mix of company-owned and vendor-managed infrastructure.

That mess does not make CMMC impossible. It does mean guessing is expensive.

For a small supplier, the useful first move is to separate the environment into practical categories:

  • Systems that clearly process, store, or transmit CUI.
  • Systems that support or protect those CUI systems.
  • External service providers, cloud services, and MSP relationships that affect the environment.
  • Specialized or shop-floor assets that need careful treatment.
  • Business systems that may be important, but do not belong in the CMMC assessment scope if they do not touch or protect FCI or CUI.

The goal is not to make the smallest possible scope at any cost. The goal is to define a truthful scope that the business can operate, defend, and explain.

SPRS, SSPs, POA&Ms, affirmations, and eMASS in plain English

A lot of CMMC language sounds bigger than it is. Here is the practical version.

SPRS is where summary assessment information and CMMC status become visible to the acquisition side. Existing DFARS 252.204-7019 and 252.204-7020 requirements already tied NIST SP 800-171 assessment scores to SPRS. The current SPRS site also has CMMC tutorials for Level 1 entry, Level 2 self-assessment, and affirming officials.

An SSP is your System Security Plan. It should explain the system boundary, CAGE codes, architecture, implemented requirements, responsible parties, and how the environment protects the relevant information. If the SSP is fiction, the rest of the readiness work gets fragile fast.

A POA&M is a Plan of Action and Milestones. CMMC allows limited POA&M use for Level 2 and Level 3, but not for Level 1. Conditional statuses have closeout expectations, and the public CMMC material repeatedly points to a 180-day closeout window for conditional Level 2 and Level 3 status. The useful takeaway is that a POA&M is not a parking lot for hard problems.

An affirmation is a senior official saying the organization continues to meet the applicable CMMC requirements. The DFARS final rule and CMMC material make annual affirmation part of the operating rhythm. That raises the stakes for leadership understanding. Somebody should know what they are affirming.

eMASS shows up in CMMC certification assessment reporting. For Level 2 C3PAO assessments, the C3PAO submits results into the CMMC instantiation of eMASS, which then transmits to SPRS. If you are not in a C3PAO assessment path yet, do not let eMASS become a distraction. Get your scope, SSP, evidence, and SPRS story clean first.

CMMC readiness is not the same as assessment readiness

Readiness means the organization has a real program moving in the right direction.

Assessment readiness means the organization can show the right scope, implementation, evidence, and ownership to the right assessment path.

Those overlap, but they are not identical.

A company can have decent security habits and still be a mess for assessment because evidence is scattered, the SSP is stale, cloud responsibilities are unclear, and nobody knows which CAGE codes or systems the score represents.

A company can also have beautiful documents and still be weak operationally because the process is not happening. That is worse. It creates confidence on paper and confusion in reality.

For most small suppliers, the right sequence is:

  • Confirm contract and data pressure.
  • Define scope.
  • Build or clean up the SSP.
  • Score honestly.
  • Tie gaps to a real POA&M where allowed.
  • Organize evidence by requirement and owner.
  • Review cloud and external service provider dependencies.
  • Prepare leadership for affirmation.

That sequence is less exciting than a tool demo. It is also the work that keeps you from wasting money.

NIST SP 800-171 Rev. 3: watch it, but do not overreact

NIST published SP 800-171 Revision 3 in May 2024, and NIST lists Revision 2 as superseded. That creates understandable confusion because current CMMC assessment material still centers on Revision 2.

The Department's latest FAQ addresses this directly. It says the Department will incorporate Revision 3 through future rulemaking. In the interim, the Department issued a class deviation to keep Revision 2 as the standard against which defense industrial base companies are assessed until Revision 3 is incorporated into the CMMC Program rule.

The same FAQ says companies can implement Revision 3, but should use the Department's organization-defined parameters and make sure gaps between Revision 2 and Revision 3 are addressed.

Plain English: do not ignore Revision 3, but do not rebuild your CMMC plan around rumor. If you are preparing for current CMMC assessment expectations, understand the Revision 2-based path. If you are building a durable program, watch Revision 3 and the Department's ODPs so the program does not become obsolete the moment the next rulemaking lands.

Cloud services and MSPs need adult supervision

Cloud and service-provider questions are where a lot of small businesses get surprised.

DFARS 252.204-7012 already includes requirements for external cloud service providers that store, process, or transmit covered defense information. The CMMC FAQ reinforces that cloud service providers storing encrypted CUI still need to meet requirements equivalent to the FedRAMP Moderate baseline. It also says encrypted CUI is still CUI until properly decontrolled.

MSP and MSSP relationships are also not magic escape hatches. The FAQ explains scenarios where external service providers do not need their own CMMC certification but are still assessed as part of the organization's assessment scope against applicable requirements.

For a manufacturer, that means the MSP conversation should be very concrete:

  • What systems does the provider administer?
  • Does the provider process, store, or transmit CUI?
  • Does the provider handle security protection data?
  • What provider evidence, service descriptions, shared responsibilities, and configuration records will support the SSP?
  • Is the cloud tenant yours, the provider's, or modified by the provider in a way that changes responsibility?

If nobody can answer those questions, you have a readiness gap.

Where companies get stuck

The usual failure points are boring. That is why they matter.

Companies get stuck when they:

  • Do not know whether they handle FCI, CUI, or both.
  • Treat every system as in scope because nobody wants to draw a boundary.
  • Treat almost nothing as in scope because the boundary was drawn for convenience instead of truth.
  • Have an SSP that does not match current systems, vendors, or workflows.
  • Submit or discuss an SPRS score without understanding which system and CAGE codes it represents.
  • Use a POA&M as a wish list instead of an executable remediation plan.
  • Assume the MSP, cloud provider, or prime contractor owns the problem.
  • Collect screenshots only after somebody asks for evidence.
  • Let executives affirm compliance without a plain-language briefing on what changed, what is still open, and what risk remains.

None of these are exotic cybersecurity problems. They are ownership problems.

What to do this week

If you are a small supplier trying to get out of the fog, start here:

  • Pull the contracts, solicitations, flowdowns, and customer requests that mention DFARS, CMMC, NIST SP 800-171, SPRS, FCI, or CUI.
  • Identify which products, programs, customers, and files may involve FCI or CUI.
  • Build a quick system map: email, file storage, ERP, CAD/CAM, customer portals, cloud services, endpoints, servers, remote access, backups, and MSP tools.
  • Decide which CAGE codes and systems your current or future assessment story needs to cover.
  • Find the SSP. If it does not exist or does not match reality, fix that before polishing policy language.
  • Review your current SPRS status and who has access to manage it.
  • Identify the affirming official and brief them in plain English.
  • List all cloud providers and external service providers that touch CUI, security protection data, administration, backups, logging, or remote access.
  • Build a gap list and separate implementation gaps from evidence gaps.
  • Turn the gap list into a prioritized remediation plan instead of a giant spreadsheet nobody owns.

If that sounds like a lot, that is because it is the real work. But it is also manageable when you put it in the right order.

What is still uncertain

Some things are now clear: the program rule is final, the DFARS rule is final, Phase 1 has begun, and the official materials describe assessment, affirmation, POA&M, SPRS, eMASS, and cloud expectations.

Other things still need to be monitored contract by contract.

The required CMMC level comes from the solicitation and resulting contract. Primes may communicate flowdown expectations before the small supplier sees clean language. Some requirements may be delayed to option periods. The Department may update guidance, FAQs, training, and Rev. 3 transition material. The ecosystem will also keep learning what good assessment evidence looks like in the field.

So the right posture is not panic. It is readiness with a monitoring habit.

Watch the official CMMC page, the CMMC Resources and Documentation page, the CMMC FAQ, relevant DFARS clauses, SPRS updates, and NIST publications. Treat vendor commentary as commentary, not authority.

The practical next step

CMMC is now operational enough that small suppliers need a working plan.

You do not need to boil the ocean this week. You do need to know your scope, your current score story, your SSP quality, your POA&M reality, your cloud and MSP dependencies, your evidence habits, and who is comfortable making an affirmation.

Trawvid Sec helps manufacturers, machine shops, industrial suppliers, and defense subcontractors turn that mess into a practical next-step plan. We can help you talk through your SSP, SPRS score, POA&M, cloud services, evidence, and assessment path before you spend heavily on tools or assessment prep.

If you want help organizing the work, start with the CMMC readiness service, review the broader cybersecurity services menu, or contact Trawvid Sec. If you are ready to talk now, schedule a CMMC readiness consultation and bring the requirement, customer request, or messy scope question that is slowing the program down.
