What Defense Contractors Need to Think About Before November 10, 2025

The long-anticipated wait for the 48 CFR final rule’s publication is over. CMMC is officially enforceable as of November 10, 2025, and all defense contractors must comply appropriately.

For the vast majority, it will simply mean completing a self-assessment. However, any contractor with ITAR requirements or who otherwise handles sensitive CUI must comply with more stringent standards and may be required to undergo a third-party assessment to continue working on current and future defense contracts.

What is 48 CFR?

Title 48 of the Code of Federal Regulations is commonly referred to as 48 CFR. This is the code that regulates and oversees Federal contracts and acquisitions. Having now been incorporated into the code, contracts are required to include CMMC clauses in all defense contracts, thereby enforcing cybersecurity standards that all contractors must comply with.

Going forward, contracts will be awarded only to those contractors with the appropriate CMMC status of Level 1, Level 2, or Level 3. Level requirements are dictated by the sensitivity of the information contained in the contracts and CUI handled on behalf of the Federal Government.

What Happens After November 10?

The final rule was published on September 10, 2025, and takes effect on November 10. After this date, CMMC requirements will be baked into all new Defense contracts and solicitations.

Essentially, this means that contractors must be prepared to demonstrate CMMC compliance to be eligible for contract awards. If a contractor cannot comply or has not completed the required steps according to their CMMC level, they will not be eligible for new contracts.

It is prudent to note that organizations can continue to bid on contracts before completing their certification (or self-assessment, as applicable). Still, they must be compliant at the time of award or risk losing the contract. The same applies to contract renewals, even for long-standing contracts. There is no leeway here; all contractors must comply with this requirement.

Phased Rollout Begins on November 10

To ease the burden on contractors and enforcement, the DoD will phase the CMMC rollout over four years.

Phase 1, starting on November 10, 2025, will focus on lower-level compliance, self-assessments, and self-affirmations. Self-assessment applies to Level 1 and some Level 2 contracts.

Phase 2 will begin approximately one year later, at which time third-party assessments will be mandatory for Level 2 and above.

The full rollout will span about three years, allowing the DIB to settle into the new normal.

What Contractors Need to Do Now

With Phase 1 looming, all contractors must prepare. Here are our recommended action steps:

  1. Identify your CMMC level.
    The steps you need to take to comply will depend on the level of compliance required for your contracts.
    • Level 1 entails fundamental cyber hygiene for contractors dealing with Federal Contract Information (FCI). At this level, there are 17 practices to conform to.
    • Level 2 requires alignment with 110 practices as outlined in NIST SP 800-171. This is a significantly more complex undertaking that may require up to 18 months to complete, depending on the organization’s size and complexity.
    • Level 3 is directed to organizations handling sensitive CUI and adds NIST 800-172 in addition to those mandated in Level 2.
  2. Gap assessment
    Evaluate your systems against the requirements of your level and develop a plan to address any gaps.
  3. Prepare for your certification
    Once your deficiencies are addressed, you will schedule an assessment with a C3PAO and train your staff in accordance with CMMC standards.
  4. Be proactive
    The CMMC program is evolving and will continue to do so. Failure to align with changes may result in noncompliance. Stay up-to-date on DoD updates to the program and implement any guidance provided during the rollout.

CMMC is Here. Are You Prepared?

Working with a CMMC-certified MSSP is your best defense. Speak to the experts at Essendis today to schedule your readiness assessment.

Talk to a Cloud Cybersecurity Expert

Thank you for contacting Essendis. Our team is reviewing your submission and will be in touch shortly. 
We look forward to assisting with your cybersecurity and cloud computing needs. 

Continue Exploring Essendis’ Offerings

Return to Essendis
Oops! Something went wrong while submitting the form.