Simplifying CMMC Compliance and Breaking Down Its Controls
2026-4-20 13:6:36 Source: securityboulevard.com

Those seeking contracts with government agencies must meet many cybersecurity requirements and guidelines. Each agency has its own, including the Department of Defense (DoD). Introduced in 2024 and being implemented in phases, Cybersecurity Maturity Model Certification 2.0 (CMMC) sets new rules around protecting controlled unclassified information (CUI) and federal contract information (FCI). CMMC compliance has many complexities; let’s talk about how to simplify and streamline it.

Key CMMC Compliance Timeline and Requirements

Organizations that want to bid on DoD contracts are subject to CMMC. The government put forth a phased implementation. The next deadline is Phase 2 with an effective date of November 10, 2026. Phase 1 has been in place since November 2025.

Phase 2 involves contractors handling CUI. They will need to undergo a third-party evaluation by a certified assessor organization. It’s a requirement to receive the award for a contract.

Contractors must have specific protections in place for CUI and FCI. Security must be in place for data at rest, in use, and in transit. The protocols for executing on this must align with NIST 800-171, NIST 800-172, and FIPS. What’s critical to understand is that encryption at rest is insufficient, and most platforms fall short here.

CMMC Controls in Practical Terms

CMMC documents 14 control domains derived from NIST SP 800-171. They are comprehensive, but what do they mean in practice?

1. Access Control (AC)

Contractors must have Identity and Access Management (IAM) with data-level access enforcement, which requires a data protection component.

2. Awareness & Training (AT)

Employees of contractors must complete security training and have records to verify this.

3. Audit & Accountability (AU)

You must be able to provide audit logs and evidence of data protection. Platforms that generate audit logs and documentation reduce the time and effort required by manual activities.

4. Configuration Management (CM)

To meet this control, you’ll need policy baselines within a data protection system along with Security Information and Event Management (SIEM).

5. Identification & Authentication (IA)

Companies should have standard protocols for identification and authentication, such as MFA and password policies.

6. Incident Response (IR)

Organizations must develop and document an IR plan, including containment and testing.

7. Maintenance (MA)

Systems should receive regular maintenance. Personnel performing maintenance without the required authorization must be supervised. If the maintenance is performed remotely, MFA must be in place.

8. Media Protection (MP)

To protect media, you should have CUI data discovery capabilities as well as classification of this information, layered with access controls.

9. Personnel Security (PS)

You must screen individuals prior to providing them with CUI access.

10. Physical Protection (PP)

Complying with this involves limiting physical access to only those who need it and maintaining a log of physical access.

11. Risk Assessment (RA)

Meeting these policies includes ongoing evaluations for risk, vulnerability scanning, and

12. Security Assessment (SA)

In this control, the emphasis is on assessing and monitoring security controls and having an operational plan of action. Performing penetration testing is an example.

13. System and Communications Protection (SC)

Data encryption must be in place for data at rest and in transit, and the cryptography must be FIPS-validated.

14. System and Information Integrity (SII)

This category involves endpoint security, software patching, antivirus protection, and real-time security alerts.

These controls touch on every area of security. Many of these have a connection to encryption practices.

CMMC Compliance: Transitioning to Modern Encryption

Data-Centric Security to Eliminate Exposure

Where are your current gaps in data encryption, both for meeting compliance and for elevating security in general?

Here are a few areas that should be on your checklist.

Beyond Disk-Centric Encryption

Many contractors rely on disk-centric encryption mechanisms. They satisfy the at-rest part of the rule. However, once that data moves, the protection is no longer present. It leaves organizations in a position of heightened risk exposure and noncompliance.

Modern encryption expands protections by being data-centric. It remains with the sensitive information throughout its lifecycle. It stays with the data even in file sharing.

This type of encryption is at the file and field level. Protection travels with CUI across endpoints, file shares, the cloud, email, or partner environments.

FIPS Validated vs. Compliant

AES-256 encryption on its own is insufficient to achieve compliance or best practice. Rather, you’ll need FIPS-validated encryption to accomplish this. Not all encryption methods can provide this. As a result, you’ll need to evaluate your gaps.

Key Management Simplified

CMMC also requires proper procedures for managing encryption keys. This can get complicated and has considerable costs. Our Smartkeys make this much easier. They combine encryption keys with a corresponding access control list. You don’t need a separate key infrastructure.

Contingency keys are always available as well. You can’t be locked out of your data even if you lose the original key or passphrase.

Encryption That’s Not Disruptive

Certificate-free encryption maintains authorized user access without disrupting workflows or applications. Applications and workflows can access the sensitive information they require to function.

This is possible through software development kit (SDK) and application programming interface (API) connections. This mechanism enables in-stream encryption and decryption within an application. Data is never written to disk in an unencrypted state. With this approach, you achieve CMMC compliance and ensure consistency in these activities across your enterprise.

Quantum-Safe Encryption

The age of quantum computing is nearing, which means today’s encryption could become easier to break. CMMC follows NIST standards, so organizations will need to adopt NIST’s quantum-safe encryption requirements once they are released.

Ideally, you want to be on an encryption platform that’s already planning for this. It’s a vital consideration, and you should evaluate any solution’s crypto agility.
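The data-centric encryption, key-plus-ACL, in-memory decryption and crypto-agility points in the preceding sections all come together in a single envelope design. The Go program below is an added example written for this page; it is not code from the article or from the vendor’s Smartkeys product, and the envelope layout, the principal names, the "contingency" recovery entry and the fixed demo keys are all constructed for illustration. It uses only the standard library: each CUI field is encrypted under its own data key with AES-256-GCM, the data key is wrapped once per authorized principal plus once for a contingency key so the ACL literally travels with the ciphertext, the algorithm tag and field name are authenticated so they cannot be altered, and adding a new cipher means adding one case to `newAEAD` while existing envelopes keep their own tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Algorithm tag. Crypto agility means adding a case to newAEAD (say a post-quantum
// hybrid AEAD once NIST guidance is final); envelopes already issued keep their own tag.
const AlgAES256GCM = "AES-256-GCM"

// Envelope is the protected form of one CUI field; everything needed to enforce access
// travels with it. The ACL is the set of wrapped keys: no entry, nothing to decrypt with.
type Envelope struct {
	Alg, Field  string
	Ciphertext  []byte            // nonce || AEAD ciphertext of the field value
	WrappedKeys map[string][]byte // principal -> nonce || data key wrapped under that principal's KEK
}

func newAEAD(alg string, key []byte) (cipher.AEAD, error) {
	switch alg {
	case AlgAES256GCM:
		block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
		if err != nil {
			return nil, err
		}
		return cipher.NewGCM(block)
	}
	return nil, fmt.Errorf("unsupported algorithm %q", alg)
}

// seal returns nonce || ciphertext; aad is authenticated but not encrypted.
func seal(alg string, key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(alg, key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func open(alg string, key, blob, aad []byte) ([]byte, error) {
	aead, err := newAEAD(alg, key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// Protect encrypts one field value under a fresh data key and wraps that key for each
// principal in acl and for "contingency" (the recovery path when a user key or passphrase
// is lost). keks maps principal -> 32-byte KEK; a real deployment fetches these from a KMS/HSM.
func Protect(alg, field string, value []byte, acl []string, keks map[string][]byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	// Tag and field name are bound as associated data, so neither can be edited unnoticed.
	ct, err := seal(alg, dek, value, []byte(alg+":"+field))
	if err != nil {
		return nil, err
	}
	env := &Envelope{Alg: alg, Field: field, Ciphertext: ct, WrappedKeys: map[string][]byte{}}
	for _, p := range append(append([]string{}, acl...), "contingency") {
		kek, ok := keks[p]
		if !ok {
			return nil, fmt.Errorf("no KEK for principal %q", p)
		}
		if env.WrappedKeys[p], err = seal(alg, kek, dek, []byte(p)); err != nil {
			return nil, err
		}
	}
	return env, nil
}

// Unprotect recovers the field value in memory only; nothing reaches disk unencrypted.
func Unprotect(env *Envelope, principal string, kek []byte) ([]byte, error) {
	w, ok := env.WrappedKeys[principal]
	if !ok {
		return nil, errors.New("principal is not on the field's ACL")
	}
	dek, err := open(env.Alg, kek, w, []byte(principal))
	if err != nil {
		return nil, errors.New("wrong KEK or tampered wrapped key")
	}
	return open(env.Alg, dek, env.Ciphertext, []byte(env.Alg+":"+env.Field))
}
```

Usage is `Protect(AlgAES256GCM, "ssn", value, []string{"alice"}, keks)` followed by `Unprotect(env, "alice", keks["alice"])`; a principal not on the ACL (no wrapped key), a wrong KEK, a flipped ciphertext byte or a relabelled field name all fail closed, while the "contingency" entry still recovers the value. Note that this demonstrates the mechanism only: the Go standard-library AES-GCM implementation is not by itself FIPS-validated, so a compliant deployment would swap the constructors in `newAEAD` for a validated cryptographic module.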

What’s Next in the CMMC Compliance Journey?

Phase 2 compliance will be effective and enforceable soon. Preparing now offers the best course to ensure your organization doesn’t lose contracts. Have more questions about the technical requirements? We’ve got that covered in our article, Understanding Cybersecurity Maturity Model Certification.


Article source: https://securityboulevard.com/2026/04/simplifying-cmmc-compliance-and-breaking-down-its-controls/