Sherpa Compliance Cybersecurity

CMMC Final Rule 2025: What Federal Contractors Must Do Now

DFARS cybersecurity rule for CUI and FCI explained

On September 10, 2025, the Department of Defense published the long-awaited final DFARS rule implementing the Cybersecurity Maturity Model Certification (CMMC). Effective November 10, 2025, the rule codifies CMMC requirements in DFARS and kicks off a three-year phased rollout across the defense industrial base.

This marks a shift from policy planning to contract execution.

What’s Changing – and When

Starting this fall, contracting officers can include CMMC requirements in new solicitations and awards. During the rollout, requirements will primarily focus on:

  • Level 1 and Level 2 self-assessments
  • Select Level 2 third-party (C3PAO) certifications

Beginning November 10, 2028, CMMC becomes mandatory for all contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), with only COTS (commercial off-the-shelf) contracts exempt.

Compliance Now Tied to Contract Eligibility

CMMC is no longer a “nice to have.” Once a solicitation carries the CMMC clause, the required CMMC status is a pass/fail condition of award: if your assessment results and affirmation are not in SPRS at the required level, you are not eligible for that contract.

Important updates in the final rule include:

  • Conditional Awards: A contract may be awarded on a conditional CMMC status with an open POA&M, but the open items must be closed and verified within 180 days or the conditional status lapses. Note that Level 1 does not permit a POA&M at all, so this only applies to Level 2 and above.
  • SPRS Reporting Requirements: Contractors must post assessment results, identify in-scope systems, and affirm compliance annually.
  • Not a Competitive Factor: Meeting CMMC is now baseline eligibility, not a scoreable differentiator.

What This Means for Small and Mid-Sized Contractors

The DoD estimates that nearly 70% of affected contractors are small businesses. That means thousands of organizations must now:

  • Conduct thorough gap assessments
  • Lock down technical and policy controls
  • Document and maintain an accurate System Security Plan (SSP) and POA&M
  • Prepare for audit-readiness, even before CMMC is formally in your contract

The cost of inaction is steep: lost business, increased risk exposure, and potential contract noncompliance.

How to Prepare Now

CMMC readiness isn’t something you can spin up overnight. Contractors should treat it like any other core operational requirement, such as cost accounting or quality assurance.

What we’re seeing among proactive firms:

  • Alignment with NIST SP 800-171 Rev. 2, the control set behind CMMC Level 2
  • Building CMMC-compliant enclaves
  • Partnering with vendors who understand federal compliance inside and out
  • Moving to GovCloud or M365 GCC High to align with FedRAMP and DFARS expectations

Final Takeaway: Compliance Is the New Gatekeeper

The message from the DoD is clear: CMMC is no longer optional. It’s a condition of doing business in the federal space.

If you’re waiting for the requirement to land in your next RFP, you’re already behind. At Compliancy Sherpa, LLC, we help defense contractors move from “uncertain” to “audit-ready.” If you’re unsure where your organization stands, or need a plan to get compliant, we’re here to support that journey.

Explore how we support CMMC Compliance.