November 10, 2025, marks the official start of the Department of Defense’s phased rollout of CMMC. But for many contractors, the practical impact of CMMC doesn’t begin on this date. It started months or even years ago. Primes have already begun asking about CMMC readiness. Some solicitations are already referencing assessment status. And many contractors are already undergoing (or have undergone) assessments.
So, what actually changes on November 10? And what does it mean for organizations that may already be feeling the pressure? This post breaks it down clearly and realistically, without hype or FUD (Fear, Uncertainty, and Doubt).
TLDR:
Beginning November 10, 2025, CMMC enters its formal, enforceable rollout. Contracting officers will now be able to include CMMC requirements directly in new solicitations under Phase 1.
But here’s the nuance that matters:
While the phased rollout sets the DoD’s mandatory timelines, CMMC requirements can appear at any time, and many contractors have already encountered them.
The phased structure simply defines the point at which everyone must comply for any new contract. It does not prevent a specific contract or prime from requiring CMMC earlier.
What Actually Changes on November 10
CMMC becomes formally enforceable in new DoD solicitations
After November 10, contracting officers can include:
- CMMC Level 1 Self-Assessment
- CMMC Level 2 Self-Assessment
…in new contract solicitations. This is the start of the official rollout, meaning it’s now an authorized, standardized requirement the DoD expects to begin showing up broadly.
Contractors must be prepared for CMMC to appear in any new contract
Before November 10, CMMC requirements could appear…but inconsistently. After November 10, it becomes structurally expected.
This means:
- If a contract includes FCI – expect a Level 1 Self-Assessment requirement
- If a contract includes CUI – expect a Level 2 Self-Assessment requirement
- If the requirement is present – a SPRS score will be required prior to award
You may not see it in every single contract immediately, but it becomes fair game everywhere.
Prime contractors may increase CMMC flow-down requirements
Prime contractors are already performing due diligence on their subs:
- Requesting SPRS scores
- Verifying the existence of an SSP
- Asking about CMMC timelines
- Conducting supply-chain risk assessments
After November 10, primes will have even stronger justification to require CMMC status from subcontractors to protect their bids and meet flow-down obligations. In other words: if you’re a subcontractor, don’t wait for the DoD to tell you. Your prime might ask first.
Documentation accuracy becomes a practical gate to bidding
CMMC self-assessments require:
- A current SSP
- A real, actionable POAM
- A defensible SPRS score
Even before November 10, this documentation has been a risk factor. After November 10, it becomes a clear eligibility factor. An outdated SSP or missing SPRS score can delay or disqualify a bid.
What Does not Change on November 10
It does not mean everyone gets assessed at the same time
CMMC is not a “one-day switch”. Assessments don’t suddenly begin for every contractor. But assessments can still be required by a specific contract at any time. Many organizations are already undergoing them.
Existing contracts are not retroactively changed
CMMC applies to new awards, not current contracts.
November 10 is not the last day to prepare
It’s the beginning of the official rollout. Not the end. A far more accurate way to look at this is that the phases define when CMMC must apply to everyone, but CMMC can apply to anyone earlier.
There is Still Time – We Can Help
Here’s what contractors should focus on right now. Get your scope crystal clear (CUI, users, workflows, systems). This determines everything from controls to cost. Ensure your SSP and POAM are real, accurate, and current. If a contracting officer or primes asks today, these need to be ready. Validate your SPRS score. A bad or inaccurate score can be worse than no score. Plan for how you will handle CUI (enclave, GCC High, hybrid, etc.). You don’t have to move everything on Day 1, but you do need a defensible plan.
Tesseract helps organizations:
- Validate scope and ensure CUI boundaries are correct
- Develop dynamic SSP and POAMs to reflect actual practice
- Assist with SPRS scoring to ensure accuracy
- Prepare for self-assessments or third-party assessments
- Implement enclaves in Microsoft GCC High or hybrid configurations
- Achieve continuous compliance with ongoing monitoring, logging, backup, incident management, and documentation support
Most importantly, we help organizations avoid the panic cycle by providing a structured, expert-led program designed specifically for SMBs in the DIB.
We’ll meet you exactly where you are, whether you’re starting from scratch, deep in your assessment, or responding to a prime contractor’s request with a tight deadline.
→ Book a 20-minute consultation
Let’s make sure you’re ready for whatever CMMC brings next.
