CMMC is no longer a future requirement or a planning exercise. Phase 1 of the rollout is active and contracting officers are now required to verify CMMC status in SPRS when it appears in a solicitation.
This marks a major shift.
For the first time, cybersecurity maturity is directly tied to contract eligibility at time of award.
If your status is not current, you may not be eligible to win.
At the center of this shift is the protection of Controlled Unclassified Information (CUI). CUI is sensitive government information that requires safeguarding under federal regulations. When an organization stores, processes, or transmits CUI, it triggers higher security expectations under NIST SP 800-171 and CMMC Level 2. Phase 1 enforcement makes it clear that protecting CUI is no longer theoretical. It is now a verified, award-impacting requirement.
What Phase 1 Actually Means
Phase 1 focuses primarily on:
• Level 1 self-assessments
• Level 2 self-assessments
• Required affirmations by a senior official
• Submission of results into SPRS
This is not optional when CMMC language appears in the contract.
Contracting officers are required to verify that:
• The correct assessment level has been completed
• The assessment applies to the system that will perform the contract
• An affirming official has attested to compliance
• The status is entered and current in SPRS
If any of those elements are missing, eligibility is impacted.
For organizations handling CUI, this means Level 2 expectations must be fully implemented before award. Systems that store or transmit CUI must be clearly scoped, documented in the System Security Plan, and supported with evidence that NIST SP 800-171 controls are operational. Simply stating that CUI is protected is no longer sufficient. Protection must be demonstrable.
The Affirmation Requirement Is Not a Formality
One of the most overlooked components is the affirmation requirement.
A senior company official must formally attest that the organization meets the required CMMC practices.
This carries real weight.
Submitting an affirmation without proper implementation can expose leadership to significant legal and contractual risk. It is no longer enough to say, “we’re compliant.” The organization must be able to defend that claim with documented evidence.
When CUI is involved, that evidence must clearly show how Controlled Unclassified Information is safeguarded across access control, encryption, logging, incident response, and configuration management practices. If CUI protections are weak or undocumented, affirmation becomes a liability rather than a compliance milestone.
Annual affirmations are also required to maintain current status.
This means compliance is now an ongoing governance function, not a one-time project. Protection of CUI must be continuously monitored, updated, and revalidated.

POA&Ms and Conditional Status
For Level 2, there are limited situations where organizations may operate under conditional status while closing out specific POA&M items.
However:
• Not all controls are eligible for POA&M deferral
• Closeout windows are limited
• Failure to remediate within required timelines can invalidate status
Contractors relying too heavily on deferred remediation are exposing themselves to award and performance risk.
This is especially critical when those deferred items affect controls that directly safeguard CUI. If a POA&M item impacts encryption, access control, multifactor authentication, or incident response related to CUI systems, the risk extends beyond compliance. It affects contractual integrity and potential exposure of Controlled Unclassified Information.
Conditional status is not a strategy. It is a short-term bridge. CUI protection gaps left unresolved create both compliance and operational risk.
Flowdown Is Expanding the Impact
Even if your organization is not a prime contractor, CMMC still affects you.
Prime contractors are now required to flow down CMMC requirements to subcontractors handling FCI or CUI.
This means:
• Subcontractors must maintain appropriate CMMC status
• Primes must validate compliance before award
• Supply chains will increasingly require proof of compliance during procurement
If your organization handles Controlled Unclassified Information in support of a prime contract, your CUI environment must meet the same Level 2 expectations. Primes cannot risk subcontractors mishandling CUI. As a result, CUI protection is becoming a competitive differentiator across the supply chain.
CMMC is not just a DoW requirement. It is becoming a competitive requirement within the defense industrial base.

The Cost of Waiting
Organizations delaying preparation are encountering:
• Rushed implementations
• Poor scoping decisions
• Overbuilt environments
• Incomplete documentation
• Leadership signing affirmations without adequate evidence
The result is higher cost, higher stress, and greater legal exposure.
Companies that take a structured approach now are controlling scope, budgeting intelligently, and reducing risk before CMMC language appears in a solicitation.
There is also a competitive cost that many organizations underestimate. As more contractors achieve current CMMC status, those without it become higher-risk vendors in the eyes of primes and contracting officers. Procurement teams are already beginning to prioritize suppliers who can demonstrate readiness immediately. When two technically qualified bidders compete, the contractor with verified, current CMMC status becomes the safer choice. Waiting does not just increase remediation expense. It quietly reduces win probability and weakens your position in the supply chain.
For organizations handling CUI, waiting compounds risk. Delays mean longer periods where Controlled Unclassified Information may not be fully protected under validated controls. That exposure increases audit risk, enforcement scrutiny, and reputational damage.
Strategic Takeaway
CMMC has moved from advisory guidance to enforceable contracting criteria.
Phase 1 is the beginning of a multi-year expansion that will increasingly affect:
• Small defense contractors
• Manufacturing suppliers
• Technology vendors
• Engineering firms
• MSP-supported environments
Eligibility is no longer assumed. It must be documented, affirmed, and visible in SPRS.
At its core, this is about protecting Controlled Unclassified Information. Organizations that clearly define CUI scope, implement NIST SP 800-171 controls, maintain evidence, and affirm accurately will remain competitive. Those that treat CUI protection as an afterthought risk contract loss.
Not Sure If You Properly Protect CUI?
If you are unsure whether your organization meets CMMC Level 2 requirements for handling CUI, do not wait until a contract forces the issue.
Complete the form below to schedule a compliance review and identify gaps before eligibility is at risk.
https://outlook.office365.us/book/CMMCCompliance@breanetworks.com/?ismsaljsauthenabled=true

CMMC Phase 1 is active, and contract eligibility now depends on having your requirements properly implemented and documented. If you are unsure whether your controls, scope, CUI protections, and SPRS reporting align with Level 2 expectations, now is the time to verify. Download the CMMC Level 2 Audit Checklist to see what assessors look for, what evidence is required, and where organizations most commonly fall short before it impacts your ability to win or retain contracts.
Brea Networks is a cybersecurity and compliance focused IT partner dedicated to supporting Defense Industrial Base (DIB) contractors. We help organizations understand and implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, and the CMMC framework — from Level 1 self-assessments to Level 2 and Level 3 readiness. Our team works alongside contractors to strengthen system security, define assessment scope, prepare documentation such as System Security Plans (SSPs) and POA&Ms, and build sustainable cybersecurity programs that protect FCI and CUI. Whether you are preparing for a self-assessment, a C3PAO certification, or simply improving your security posture, Brea Networks provides practical guidance and technical expertise to help you move forward with confidence.
Brea Networks
451 W Lambert Rd Ste 214
Brea, CA 92821




