Cyberuptive

For three years, the running joke among Pacific defense subcontractors was that CMMC was “always coming next year.” That joke is over. The DoW published the CMMC final rule on December 16, 2024, Phase 1 enforcement began November 10, 2025, and full third-party assessment requirements phase in through November 10, 2026. If your business carries Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on a current DoW contract — or wants to bid on the next one — the runway is shorter than most contractors realize.

This is what Pacific defense contractors should know about the timeline, and what to do at each phase.

The Three Dates That Matter

December 16, 2024 — Final rule published

The CMMC 2.0 final rule was officially codified in 32 CFR Part 170. This established the program structure, the three certification levels, the assessment requirements, and the role of Certified Third-Party Assessment Organizations (C3PAOs).

This date matters because it ended the “still being finalized” excuse. As of December 16, 2024, CMMC stopped being a proposed rule and started being a regulation.

November 10, 2025 — Phase 1 enforcement begins

DoW’s phased implementation plan calls for Phase 1 to begin one year after the rule’s effective date. In practice, this means:

  • Level 1 self-assessment requirements appear in new DoW solicitations for contractors handling FCI only.
  • Level 2 self-assessment requirements appear in solicitations where the contracting officer determines a self-assessment is sufficient (a smaller subset of CUI contracts).
  • The Supplier Performance Risk System (SPRS) score continues to be required, with verification ramping up.

If you bid on DoW work right now, expect to see CMMC clauses showing up in solicitations.

November 10, 2026 — Full compliance phases in

By the end of Phase 2 and the start of Phase 3, the third-party C3PAO assessment requirement for Level 2 phases in across all applicable DoW contracts. This is the date most subcontractors are unprepared for: it shifts CMMC from “self-attest if your prime asks” to “produce a C3PAO certificate or lose the contract.”

For a 25-person Pacific subcontractor starting from minimal NIST 800-171 maturity, the path from current-state to C3PAO-ready is typically 9–12 months. That math implies starting now, not in Q3 2026.

What Pacific Contractors Should Do Right Now

The Hawaii defense supply chain has specific characteristics that affect how CMMC engagements play out. Roughly $9.1 billion in annual DoW spending flows through Hawaii installations — JBPHH, Schofield Barracks, MCBH Kaneohe, Fort Shafter, USINDOPACOM HQ — and the subcontractor base is dense, diverse, and often deeply linked to mainland primes.

Here’s what we recommend, in order:

1. Confirm your level

Most subcontractors are Level 2. If you handle anything that could be CUI — engineering drawings, technical documents, ITAR-adjacent material, contract performance data marked with distribution restrictions — assume Level 2 until a contracting officer tells you otherwise. Level 1 is for FCI-only environments, which is rarer than people assume.

2. Define your CUI boundary

The single biggest determinant of engagement size and cost is the scope of your CUI environment. A bounded enclave — one Microsoft 365 GCC High tenant, a defined user list, a controlled set of systems — is materially cheaper to assess than a flat network where CUI could be anywhere. If your environment isn’t bounded yet, that’s your first remediation project.

3. Move to GCC High if you handle CUI in M365

Commercial Microsoft 365 will not satisfy DFARS 252.204-7012 by itself. The combination of FedRAMP Moderate baseline plus DoW-specific safeguards effectively requires GCC High (or an equivalent Government Community Cloud) for CUI handling. The migration is not trivial — licensing, mailbox cutover, SharePoint, Teams, Defender, Sentinel — and you need documented SSP language to defend the choice.

4. Stand up the controls you can’t fake

Some controls are easy to demonstrate: written policies, training records, configuration documents. Others are continuous operational disciplines that auditors will probe live: continuous monitoring (SI.L2-3.14.6), audit logging with sufficient retention (AU family), incident response (IR family), and vulnerability management (RA + SI families). These are the most common failure modes for mid-market contractors. They’re also the controls that benefit most from a managed services model.

5. Author the SSP. Live with the POA&M.

The System Security Plan (SSP) is your declaration of how each of the 110 NIST 800-171 controls is implemented in your environment. The Plan of Action & Milestones (POA&M) is your tracker for what isn’t fully implemented yet and when it will be. Both are living documents. Treating them as one-time deliverables is one of the most common reasons assessments fail.

6. Do a mock assessment

Before the C3PAO walks in, have someone outside your team conduct a mock assessment with the same questioning style. Most environments have at least one or two interview-only controls (training, awareness, incident handling) where the documented answer is fine but the operational answer falls apart in conversation. You want to find that gap before the assessor does.

Why a Pacific MSSP Matters for This

Time zones, US-persons handling, and direct experience with Pacific contracting realities are not nice-to-haves. They are the substance of a useful CMMC engagement.

  • HST hours — When your prime calls about a CUI handling question at 9 AM HST, you want your security partner open. East Coast providers are 5–6 hours ahead and often gone by then.
  • US persons by default — DFARS 252.204-7012 and the CMMC personnel handling controls require US-person access to CUI. Offshore SOC tier-1 staffing is incompatible with this. We staff dedicated US-citizen analyst pools for DoW-aligned engagements.
  • INDOPACOM-AOR awareness — The threat picture for Pacific defense contractors includes nation-state actors who specifically target supply-chain weaknesses. Awareness of that threat picture shapes how a SOC is tuned and how an IR plan is written.

The Honest Cost Conversation

Most Pacific subcontractors approaching CMMC for the first time are looking at $80K–$180K of investment across 9–12 months for full Level 2 readiness, plus ongoing managed services for the controls that have to run continuously. Larger or more complex environments cost more.

That’s a lot of money. It’s also a fraction of the contract revenue at risk. A single DoW prime contract terminated for non-compliance, or a re-compete lost to a CMMC-certified competitor, recovers the investment many times over.

The contractors who treat CMMC as overhead are going to lose contracts. The ones who treat it as a competitive advantage — and start now — won’t.

Where to Start

We do free 30-minute scoping calls with Pacific subcontractors. Bring your contract types, your headcount, your top 1–2 systems, and your current M365 setup. We’ll come back with a fixed-scope plan.

Schedule a discovery call. Or call 833-92-CYBER. We’re in HST, and we answer the phone.
