CMMC Phase 1: Why Contractors Shouldn’t Bet Everything on Self-Attestation

As CMMC enters its official rollout, many defense contractors are treating Phase 1 as a 12-month grace period — a window where self-attestation will be the only requirement for compliance with Level 2. And while that’s technically what the baseline rule allows, there’s a critical detail many are missing: 

DoD contracting officers have discretion to require third-party CMMC certifications — even during Phase 1. 

This is explicitly stated in the 32 CFR rule, but many organizations are moving forward as if self-attestation is guaranteed. Here’s why that’s a risky assumption — and how you can prepare accordingly. 

The costly misconception about CMMC timing 

Here’s where many companies are getting it wrong. A common belief is that CMMC certification isn’t needed until 12 months after the 48 CFR rule becomes final. While this phased rollout timeline applies in general, an important detail tucked into the 32 CFR CMMC Program Rule states that DoD Program Managers will have discretion over requiring Level 2 CMMC Certification, even during the first 12 months.

Yes, you read that right. According to the rule: 

“Phase 1. DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self)… DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status for applicable DoD solicitations and contracts.”

(Source: 32 CFR Part 170.3 e (1) – Cybersecurity Maturity Model Certification (CMMC) Program Rule) 

That final sentence is the most important — and often overlooked. 

Key takeaway:  

If your CMMC strategy revolves around hoping DoD Program Managers won’t enforce certification requirements early, you’re taking significant risks with your pipeline.  

What this means in practice 

Here’s what’s happening on the ground: 

  • Many primes are already flowing down CMMC certification requirements to their subs, regardless of phase. 
  • We’ve seen early RFIs and RFPs include CMMC language — including third-party certification expectations. 
  • With the 48 CFR rule expected to be finalized later this year, DoD contracting officers could require CMMC Level 2 Certifications immediately thereafter.

Bottom line: the rules may allow for self-attestation, but your contract may not. 

The risk of misreading Phase 1

Contractors who assume that Phase 1 guarantees a 12-month reprieve from C3PAO involvement are setting themselves up for: 

  • Contract risks: Organizations risk bid disqualification due to lack of a required third-party certification. 
  • Competitive disadvantage: Proactive competitors will be certified and ready to go. Delaying your own certification gives them the edge to secure more opportunities you could have been eligible for.   
  • Cost surges: The longer you wait, the higher the demand for certification services will be. This could lead to inflated service costs and fewer available resources as deadlines get closer.   
  • Lost trust: Primes and customers can lose trust when a contract cannot be awarded because you were not prepared when the requirements arrived.

How contractors can prepare 

Proactive organizations are avoiding the “wait and see” mindset. Here’s what we recommend through A-LIGN’s 5 Steps to CMMC Compliance:

  • Understand: Read the program requirements and familiarize yourself with the practices outlined in the model for each of the CMMC levels.  
  • Identify: Based on your level, you must identify your scope and any gaps in compliance.  
  • Prepare: Develop an implementation plan and prepare for the C3PAO assessment.
  • Assess: Your C3PAO will complete the CMMC assessment for certification.  
  • Improve: Perform annual self-assessments before renewing your 3-year CMMC certification.

Final word

Phase 1 of CMMC’s rollout is not a blanket exemption from certification. It’s a flexible phase that gives the DoD — and contracting officers — room to assess risk and require certification when they see fit. 

Don’t leave your compliance future up to chance. By taking proactive steps now, you’re not only protecting your pipeline but also safeguarding your reputation as a trusted partner in the defense supply chain.   

Need help navigating your CMMC strategy? Schedule a consultation with our team of experts and ensure your organization is equipped to succeed.