CMMC Final Rule: The 60-Day Countdown That Will Reshape Defense Contracting

Written by USFCR | Sep 10, 2025 3:00:00 PM

The Department of War has issued the final DFARS rule implementing the Cybersecurity Maturity Model Certification (CMMC). It was published on September 10, 2025, and will take effect on November 10, 2025. On that date, contracting officers can begin including new DFARS clauses in solicitations and contracts, formally tying cybersecurity compliance to eligibility for defense awards.

Why November 10th Matters
This date is not just a technical milestone. Once effective, solicitations and contract options can require proof of certification or self-assessment in the Supplier Performance Risk System (SPRS) and an affirmation of continuous compliance. Contractors who delay preparation risk being excluded from opportunities as early as the first quarter of FY 2026.

What the Final Rule Does

Confirms DFARS 252.204-7021 as the main clause requiring contractors to maintain CMMC compliance and flow down requirements to subcontractors
Adds the new CMMC notification provision that notifies offerors that award eligibility depends on having a current CMMC result and affirmation in SPRS
Directs contracting officers to verify CMMC status in SPRS before exercising contract options
Excludes COTS-only acquisitions, but allows CMMC to apply in most commercial item buys

The Real Market Pressure
Although the rule phases in over several years, prime contractors will not wait. They must ensure their subcontractors are compliant, and they are already reviewing supply chains. Non-compliant companies risk being replaced.

The limited number of certified third-party assessment organizations (C3PAOs) means that backlogs are inevitable. Early movers may secure certification slots in 2026. Those waiting could be pushed into 2027, sidelining them for years.

Certification Levels

Level 1: Self-assessment with 15 basic practices
Level 2: NIST 800-171 compliance, self-assessed or third-party verified
Level 3: Additional controls with government assessment

Any contractor handling Federal Contract Information (FCI) will need at least Level 1. This includes contract details such as delivery schedules, pricing, and statements of work, not just classified data.

What Contractors Should Do Now

Reserve an assessment slot before backlogs increase.
Train an affirming official for annual compliance attestation.s
Audit subcontractor compliance to avoid replacement risk
Update governance and insurance policies to cover executive liability.

Bottom Line
November 10 is the start of a new contracting environment. Compliance is no longer optional or something to handle later. It is now a requirement for access to DoW business. Contractors who prepare now will protect their market position, while those who wait may find that opportunities are gone for good.

If your business needs help preparing for CMMC certification, speak with a USFCR contracting specialist at (877) 252-2700

FAQ

Do subcontractors have to be CMMC certified?
Yes. The rule requires primes to flow down CMMC requirements to subcontractors whenever they apply, meaning compliance affects the entire supply chain.

How will contracting officers verify compliance?
Contracting officers will check the Supplier Performance Risk System (SPRS) to confirm that the required CMMC level and affirmation of continuous compliance are posted before award or exercising contract options.

Will Level 2 always be self-assessed in Phase 1?
No. Contracting officers can require C3PAO third-party assessments for Level 2 at their discretion during Phase 1, despite the general self-assessment allowance. Individual solicitations may demand third-party verification immediately, so don't assume self-assessment will be accepted.

Sources:

The 17 Most Common Types of Government Contracts Explained

Writing a Winning Capabilities Statement in 2025

Understanding Federal Set-Asides

View full post