
CMMC Final Rule Published: What Contractors Need to Know Before Enforcement

📄 View the Federal Register notice here:
Defense Federal Acquisition Regulation: Assessing Contractor Implementation of Cybersecurity Requirements

You can also view the official release from the DoD/DoW here:
👉 Department of Defense / Department of War Announcement


As of September 9, 2025, the 48 CFR DFARS rule for CMMC was released for public inspection, with official publication scheduled for the Federal Register on September 10, 2025. This rule includes contract clauses that authorize the Department of Defense to embed CMMC requirements into DoD solicitations and awards.

Following a standard 60-day congressional review, the rule's effective date is November 10, 2025. From that date onward, all new DoD solicitations and contracts must include CMMC requirements as a condition for award.

Timeline Snapshot

| Milestone | Date |
| --- | --- |
| Public-inspection release | September 9, 2025 |
| Federal Register publication | September 10, 2025 |
| Rule effective date | November 10, 2025 |

CMMC phased rollout: Phase 1 begins at effective date with Level 1/2 self-assessments; Phase 2 at +12 months (Level 2 certification where applicable); Phase 3 at +24 months (Level 3 certification where applicable); Phase 4 at +36 months (full implementation).

What You Need to Know

  • Contract Impact Is Real Now
    Starting November 10, CMMC is no longer optional—it’s required. New DoD contract bids will include CMMC Level 1 or Level 2 requirements based on whether you handle FCI (Federal Contract Information) or CUI (Controlled Unclassified Information).

  • Phase 1 Enforcement Begins
    This marks the official launch of CMMC Phase 1, where self-assessments are acceptable at Level 1 (for FCI) and Level 2 (for CUI). However, contracting officers may already require C3PAO assessments for Level 2 depending on contract specifics.

  • Policy Updates and New Definitions
    The new rule clarifies important terms such as CMMC unique identifier, CMMC status, and POA&M (Plan of Action & Milestones). Notably, “Conditional CMMC Status” is permitted for Levels 2 and 3, but only for a limited time (up to 180 days).

  • Actions for Contractors—No Time to Lose
    • Conduct or update your NIST 800-171 gap assessment and submit/update your SPRS score
    • Remediate any identified deficiencies and close out POA&Ms
    • Prepare your System Security Plan (SSP) and gather evidence for compliance
    • Consider engagement and/or re-engagement with Peerless — let us put you on a path toward CMMC certification with a C3PAO if you handle CUI, or sooner, to avoid scheduling delays

Highlights from the Final Rule

The DoD’s final rule introduces several important details that defense contractors should understand right away:

  • CMMC Status Required at Award
    Contractors must have a valid CMMC status in SPRS at the time of contract award. Without it, contracting officers are prohibited from awarding the contract.

  • Conditional Status Window
    For Levels 2 and 3, contractors may receive a Conditional CMMC Status for up to 180 days while closing out POA&Ms, provided certain security controls are met. Award can occur with conditional status, but Final status must be achieved within that timeframe.

  • Subcontractor Requirements
    CMMC requirements flow down to subcontractors that process, store, or transmit FCI or CUI. Subcontractors must also upload their self-assessments and affirmations into SPRS and may share proof of status with primes.

  • Maintained for the Life of the Contract
    CMMC is not a one-time check. Contractors must maintain the required status throughout contract performance, including extensions or options.

Why This Matters

  • CMMC Compliance = Contract Eligibility
    After November 10, 2025, failure to meet CMMC requirements could disqualify you from new DoD contracts.

  • The Countdown Is Real
    With typical procurement lead times, the window between solicitation and contract award may not allow time for jumping into CMMC readiness at the last minute. Acting now is your best chance for a smooth transition.

How Peerless Can Help

We specialize in guiding DoD and Federal contractors through their compliance journey—whether you’re just getting started or already on the path to certification.

  • For new customers: We provide assessments, compliance roadmaps, and tailored remediation services to align your organization with CMMC requirements quickly and effectively.
  • For existing customers: We’ll review your current posture, update your documentation, support POA&M closure, and prepare you for a smooth C3PAO audit experience.

📅 Don’t wait until November — reach out to Peerless today to schedule a consultation and ensure your business is ready for CMMC when it officially takes effect.
