Every time the Department releases an update to the Cybersecurity Maturity Model Certification (CMMC), the entire Defense Industrial Base (DIB) pauses to hold its breath. And with good reason. Compliance isn’t just a checklist… it directly affects your ability to win contracts, keep customers, scale operations, and protect your company.
The latest CMMC FAQs Revision 2.1 landed this month, and as someone who spends every day helping federal contractors navigate this maze, I want to break down what actually matters, what’s changing, and how you should be positioning your business for 2026 and beyond.
Spoiler alert:
November 10, 2025 is no longer a distant date. It’s a line in the sand.
Let’s walk through what the government really said—and what it means for you.
CMMC Goes Live November 10, 2025: No More “We’ll Get to It Next Quarter”
One of the most important confirmations in the new FAQs is the official go-live date for CMMC requirements in solicitations. Starting November 10, 2025, any defense contractor touching Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will see CMMC language baked directly into contracts.
For the first year, the DoD is softening the blow:
✔ Level 1 = self-assessment
✔ Level 2 = mostly self-assessment
✔ Level 3 = DoD-led assessment
But make no mistake: this is the beginning of the compliance enforcement era.
The transition from “promise you’re secure” to “prove you’re secure” has officially begun.
Costs Are Going Up, But Not for the Reason You Think
Another common question in the contractor community is cost. The FAQs make something very clear:
CMMC isn’t considered a “new cost” by the government.
They actually expect that you have already implemented everything in DFARS 252.204-7012. That’s right—your SIEM, logging, MFA, encryption, incident reporting, and SSP should already be in place.
The cost differences between contractors will come down to this: How clean is your environment today?
At inDirectIT, we see three basic categories:
1. Mature companies
They’ve already built secure enclaves, use GCC High properly, and have a healthy SSP.
Estimated cost: Minimal.
2. Mid-maturity companies
They’ve started but have gaps—especially around logging, segmentation, access control, and documentation.
Estimated cost: Moderate.
3. Legacy environments (most common)
They’ve grown organically instead of intentionally. Their data sprawls across personal devices, cloud apps, local servers, and shared drives.
Estimated cost: High without a remediation strategy, reasonable with the right phased plan.
NIST SP 800-171 Rev. 3 Is Coming, But You’re Still Being Scored on Rev. 2
A big concern in the community has been the jump to NIST 800-171 Revision 3.
The good news?
The DoD confirmed that all assessments will still be based on Revision 2 until rulemaking is complete.
But here’s the catch: You CAN implement Rev. 3 now, but you must follow DoD’s special parameters.
If you jump too early or configure things incorrectly, you’ll fail Rev. 2 even if Rev. 3 controls are technically “stronger.” This is exactly why intentional planning matters.
Encrypted CUI Is Still CUI — Period
A new FAQ clarified something we’ve been explaining to clients for years:
Even if your CUI is encrypted…
Even if it’s in Microsoft’s cloud…
Even if it’s unreadable to the human eye…
Encrypted CUI is still considered CUI.
Meaning it must still:
- Stay inside FedRAMP Moderate-equivalent systems
- Follow all NIST SP 800-171 requirements
- Be handled by assessed service providers
- Have proper access control and monitoring
This one rule alone eliminates 90% of off-the-shelf software from being “CUI-compatible.”
SPRS Submission Errors Are Still the #1 Roadblock for Contractors
The FAQs address the common SPRS error: “No CMMC Score” or “No CMMC Status.”
The #1 culprit? You marked the System Security Plan as “Not Met.”
That’s an automatic failure.
Every contractor must have an SSP, and it must be complete, accurate, and updated. You cannot POA&M an SSP.
This is a major red flag we see during our assessments:
Companies treat the SSP like a Word document instead of a living system.
If your SSP doesn’t match reality, your compliance program is already off track.
VDI Can Keep Your Endpoints Out of Scope… If You Do It Right
A fascinating addition to the FAQs was the clarification on Virtual Desktop Infrastructure.
The DoD officially said:
If your VDI prevents ANY CUI storage, processing, copying, printing, or local caching, the endpoint is out of scope.
This is huge for companies with:
- BYOD environments
- Field workers
- Overseas teams
- High turnover
- Tight budgets for endpoint hardening
But there’s a warning:
If your VDI isn’t configured perfectly, the endpoint becomes a CUI asset automatically.
This is why our team works closely with clients to build CMMC-aligned virtual enclaves for GCC High and Azure Gov.
External Service Providers Are Now Explicitly in the Spotlight
The FAQs clear the air:
Your MSP and MSSP will be evaluated as part of your assessment if they:
- Touch your systems
- Manage your security tools
- Manage your Microsoft tenant
- Hold admin credentials
- Provide help desk or security services
They don’t need their own certification, but they must be able to prove compliance with your controls. This is exactly why inDirectIT built one of the first CMMC-aligned MSP stacks designed specifically for GovCon clients.
So What Should Contractors Do Right Now?
Here’s my CEO-level advice after reading the new FAQs and living in this world daily:
1. Perform a real NIST 800-171 self-assessment
Not a checkbox exercise. Not an automated tool.
A real control-by-control review.
2. Build your SSP and POA&M as if an assessor were coming tomorrow
Because they are—just maybe not officially until late 2026 or 2027.
3. Segment CUI into a dedicated, controlled enclave
Stop trying to secure the entire company. Secure the CUI data flow.
4. Choose your cloud carefully
If you handle CUI, GCC/GCCH or Azure Gov is no longer optional.
5. Review your MSPs and external vendors
If they can’t talk CMMC, they can’t support CMMC.
6. Start building your culture of cybersecurity maturity
Compliance is a snapshot. Security is a living system.
The companies who win in the new era will be the ones who invest in both.
Final Thoughts from inDirectIT
The release of these new FAQs isn’t just administrative housekeeping—it’s the clearest signal yet that the DoD is done waiting. The government is tightening requirements. Auditors are ramping up. And the contractors who embrace this change now will be the ones who dominate the defense market for the next decade.
At inDirectIT, we help federal contractors design, implement, and maintain compliant technical environments that don’t just “check the boxes”—they drive real operational value.
If you want us to evaluate your readiness, build a compliant enclave, or guide your leadership team through the new requirements, we’re here for you.
The next chapter of CMMC is here. Let’s tackle it together.

Contact us today for a personalized consultation, comprehensive assessment, or detailed evaluation tailored specifically to your organization’s current compliance landscape.