The long-anticipated wait for the 48 CFR final rule’s publication is over. CMMC is officially enforceable as of November 10, 2025, and all defense contractors must comply appropriately.
For the vast majority, it will simply mean completing a self-assessment. However, any contractor with ITAR requirements or who otherwise handles sensitive CUI must comply with more stringent standards and may be required to undergo a third-party assessment to continue working on current and future defense contracts.
Title 48 of the Code of Federal Regulations is commonly referred to as 48 CFR. This is the code that regulates and oversees Federal contracts and acquisitions. Having now been incorporated into the code, contracts are required to include CMMC clauses in all defense contracts, thereby enforcing cybersecurity standards that all contractors must comply with.
Going forward, contracts will be awarded only to those contractors with the appropriate CMMC status of Level 1, Level 2, or Level 3. Level requirements are dictated by the sensitivity of the information contained in the contracts and CUI handled on behalf of the Federal Government.
The final rule was published on September 10, 2025, and takes effect on November 10. After this date, CMMC requirements will be baked into all new Defense contracts and solicitations.
Essentially, this means that contractors must be prepared to demonstrate CMMC compliance to be eligible for contract awards. If a contractor cannot comply or has not completed the required steps according to their CMMC level, they will not be eligible for new contracts.
It is prudent to note that organizations can continue to bid on contracts before completing their certification (or self-assessment, as applicable). Still, they must be compliant at the time of award or risk losing the contract. The same applies to contract renewals, even for long-standing contracts. There is no leeway here; all contractors must comply with this requirement.
To ease the burden on contractors and enforcement, the DoD will phase the CMMC rollout over four years.
Phase 1, starting on November 10, 2025, will focus on lower-level compliance, self-assessments, and self-affirmations. Self-assessment applies to Level 1 and some Level 2 contracts.
Phase 2 will begin approximately one year later, at which time third-party assessments will be mandatory for Level 2 and above.
The full rollout will span about three years, allowing the DIB to settle into the new normal.
With Phase 1 looming, all contractors must prepare. Here are our recommended action steps:
Working with a CMMC-certified MSSP is your best defense. Speak to the experts at Essendis today to schedule your readiness assessment.

