With the activation of CMMC Phase 1 on November 10, 2025, contractors meeting Level 1 Maturity (and, in some cases, Level 2) can provide self-assessment documentation in lieu of undergoing an audit with a C3PAO. This means that every cybersecurity claim a defense contractor makes now carries the same legal weight as a cost or performance claim.
But what does this mean for contractors in the DIB? In many cases, while it opens up plenty of opportunities to streamline compliance through self-reporting, it also opens up legal liability if that reporting isn’t accurate.