The Department of Defense (DoD) has made it official. The 48 CFR CMMC Acquisition Rule is now final, which means the Cybersecurity Maturity Model Certification (CMMC) is becoming enforceable in DoD contracts.
This isn’t just another piece of government red tape. It changes the playing field for prime contractors and subcontractors across the Defense Industrial Base (DIB). If you aren’t prepared, you could lose contract opportunities. If you are, you’ll be ahead of the competition.
Key Facts and Timeline
Here’s what you need to know:
- The final rule was published in the Federal Register on September 10, 2025.
- It goes into effect on November 10, 2025. From that point on, new DoD solicitations and contracts will start requiring CMMC compliance.
- The rule adds DFARS clause 252.204-7021 into contracts, giving contracting officers the authority to enforce CMMC.
- The rollout will be phased in. Some contractors will start with self-assessments, while others will need third-party assessments, depending on the level their contracts require.
What It Means for Contractors and Subcontractors
Prime Contractors
- You must meet the CMMC level the solicitation requires. If you handle Controlled Unclassified Information (CUI), that is often Level 2.
- You are responsible for your supply chain. If your subcontractors deal with Federal Contract Information (FCI) or CUI, they also need to meet the required level.
- Compliance isn’t a one-time thing. You will need to maintain it throughout the life of the contract.
Subcontractors
- If you process, store, or transmit FCI or CUI, you’ll need CMMC certification at the required level.
- Many subcontractors that handle CUI will need third-party assessments, not just self-attestations.
- Documentation matters. Policies, System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), and audit evidence will be required.
How to Prepare
Getting CMMC ready can take 9 to 12 months, so it’s best to start now. Here’s a roadmap:
- Figure out your level: Review your contracts. If you handle FCI, you may need only Level 1. If you handle CUI, expect Level 2.
- Do a gap assessment: Compare your current security practices against NIST SP 800-171, or against the requirements of whatever level you need to meet.
- Update your documentation: Create or refresh your SSP, POA&Ms, and other required documents.
- Plan for assessments: For Level 2, line up an accredited CMMC Third-Party Assessment Organization (C3PAO) for your third-party assessment.
- Work with your partners: Primes should communicate with subs. Subs should make sure primes know they are preparing.
- Implement the fixes: Close security gaps with new policies, technical controls, and staff training.
- Watch the timelines: Track when new solicitations require CMMC, so you're not caught by surprise.
- Set your budget: Allocate resources now for assessments, remediation, and ongoing compliance.
Pitfalls to Avoid
- Waiting until the rule shows up in your contract. By then it may be too late.
- Hoping for a waiver. Waivers are rare and usually temporary.
- Skipping documentation. You can have good security controls, but without proof, you won’t pass.
- Ignoring your subcontractors. Your compliance may depend on theirs.
Why Early Action Pays Off
Getting ready now does more than keep you out of trouble. It also gives you:
- An edge in bidding for new contracts
- Stronger relationships with primes and the DoD
- A smoother, less stressful transition into compliance
- More control over cost and timing
The finalization of the 48 CFR CMMC rule means that compliance is now a requirement for most DoD contractors and subcontractors. Starting November 10, 2025, you’ll see CMMC language in contracts, and being certified will be the price of admission to win new work.
The best move you can make right now is to start preparing. Do a gap assessment, build your documentation, talk with your partners, and schedule your assessment if needed. By getting ahead, you’ll protect your contracts and position your business for long-term success.