As of November 10, 2025, the wait is over. Now that 48 CFR has passed regulatory review, CMMC requirements will be included in all defense contracts, and all contractors, prime and sub alike, must comply.
The journey has progressed much since President Obama’s executive order in 2010, which defined controlled unclassified information (CUI) and established a process for handling and safeguarding such data.
As information systems evolved, so did the need for more stringent oversight and regulations around data access, distribution, storage, and transmission of CUI. This ultimately led to the establishment of the Cybersecurity Maturity Model Certification (CMMC) program, outlining the mechanisms defense contractors must implement to maintain compliance with government contracts.
While the CMMC program itself became effective in 2024, it was still only a framework and thus not enforceable. Upon publication of 48 CFR, contracting officers now have the authority to incorporate CMMC mandates into RFPs, RFIs, contract solicitations, and awards via the DFARS 7021 clause.
According to the CMMC, contract requirements become enforceable on November 10, a mere 30 days after the rule was published in the Federal Register.
Contractors who fail to meet the required CMMC standards will be excluded from receiving new contract awards.
Phase 1 (of four phases) will require CMMC Level 2 in many contracts.
In some cases, contractors will be permitted to self-assess that they meet Level 2 requirements. However, contracts that have DFARS 7012 requirements or contain sensitive CUI or SPD must undergo a third-party C3PAO assessment and obtain a CMMC certification before proceeding.
The DoD estimates that up to 65% of the DIB will be required to self-assess during Phase 1.
The rollout will begin slowly and ramp up over the year.
The number of contracts requiring Level 2 compliance is expected to increase annually until the program is fully implemented in year four.
During this time, primes are expected to ensure their subcontractors are fully compliant with the appropriate CMMC level before awarding them a contract. All contractors must maintain their CMMC level status for the duration of the contract and, in many cases, will need to requalify within a year.
For defense contractors, planning your Level 2 compliance strategy is both urgent and essential. Here’s what you’ll need:
A CMMC Readiness Assessment is the first step towards achieving compliance. The process evaluates your cybersecurity processes, policies, controls, and infrastructure, ensuring you satisfy all NIST 800-171 requirements while preparing you for your C3PAO assessment.
Depending on the size and complexity of your organization, the journey from start to certification can take up to 18 months to complete. With CMMC enforcement looming over your contracts, time is of the essence.
Speak to an expert today to find out how to get started.