
The CMMC Clock Just Started: How DFARS 252.204-7021 Is Already Impacting DoD Contracts

DFARS 252.204-7021 is being written into contracts

For years, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) has felt like a distant worry. A good idea on paper, maybe something to deal with “down the road.” That road just hit a checkpoint. If you’re not prepared, you’re already behind.

As of November 10, 2025, the DoD made good on its word and activated the final rule for DFARS Case 2019-D041. That rule incorporates CMMC requirements into new solicitations and contract awards. Specifically, DFARS clause 252.204-7021 is now in effect [3]. This clause states:

The Contractor shall have a current (i.e., not older than 3 years) CMMC certificate at the CMMC level required by this contract, and shall maintain the CMMC level for the duration of the contract.

Further, DFARS 252.204-7025 adds [4]:

Offerors are required to provide a CMMC certificate number and date in the Supplier Performance Risk System (SPRS) prior to award.

What this means in plain English: contracting officers are now allowed to require CMMC Level 1 or Level 2 self-assessments, or even third-party certification, as part of the award process for new contracts. This is the first phase of a multi-year rollout, but the implications are immediate.

What’s Different Now?

Before November 10, most contractors operated on the assumption that CMMC wouldn’t be enforced for years. That assumption is no longer safe. We are now in Phase 1 of the rollout. According to the rule published in the Federal Register on September 10, 2025, contracting officers can begin including CMMC language in their solicitations and awards immediately [1].

During this phase, the focus is on Level 1 and Level 2 self-assessments. That sounds simple, but it introduces real obligations. To be considered for a contract, a vendor must:

  • Complete a NIST 800-171 self-assessment (for Level 2), scoring it using the DoD’s methodology;
  • Submit the assessment results to the SPRS portal;
  • Provide their CMMC certificate UID or documentation of the self-assessment, depending on the contract’s requirements.

These requirements can be applied at the task order level, the base contract, or even in subcontractor relationships, depending on what the prime includes in the agreement. That brings us to the next shift.

Pressure from the Top

Even if your company is not bidding directly on DoD prime contracts, you may still be feeling the squeeze. We have already seen examples of primes asking their subcontractors to provide:

  • Their current CMMC certification status;
  • Details about which systems process Controlled Unclassified Information (CUI);
  • Proof of SPRS score submission;
  • CMMC UID numbers for relevant systems.

Why? Because primes are trying to stay eligible for contracts that now include these DFARS clauses, and if a sub can’t show compliance, that’s a risk to the entire bid.

Understanding the CMMC UID

The term “UID” refers to a CMMC Unique Identifier. It is a ten-character alphanumeric code assigned to each contractor information system that has undergone a CMMC self-assessment or third-party assessment. The UID ties your system directly to an assessment and is how the DoD and primes can confirm which systems have met the required level [7].

You can access, generate, or locate your CMMC UID through the SPRS Cyber Reports portal after completing and affirming your assessment.

How To Find or Generate Your CMMC UID in SPRS

Step 1 – Confirm Your Role

Log into PIEE and make sure your account has the “SPRS Cyber Vendor User” role assigned for your proper CAGE code and hierarchy. This role is required to add or update CMMC records.

Step 2 – Access the Cyber Reports Module

Within SPRS, go to Cyber Reports (CMMC & NIST) from the left-hand menu. Choose the appropriate CAGE/hierarchy and click “Run Cyber Reports.”

Step 3 – Navigate to the CMMC Assessments Tab

Find the tab labeled “CMMC Assessments.” You’ll see options like Level 1 (Self), Level 2 (Self), and Level 2 (C3PAO).

Step 4 – Add a New Assessment (if needed)

If you have not submitted an assessment, click “Add New” for your appropriate level. Complete the form fields, including Assessment Date, Scope (Enterprise or Enclave), and included CAGE(s).

Step 5 – Locate Your CMMC UID

Once the assessment is affirmed, SPRS will assign a UID, usually starting with “S1” or “S2” depending on the assessment level. It appears in the assessment summary grid [5].

Step 6 – Export or Print Your Record

Click the “Details” button next to your UID to view a print-friendly version. Save this record and keep it accessible. It may be requested during contract negotiations or by your prime contractor.

If the UID is missing or expired, double-check whether the affirmation step has been completed. Expired entries will show in red with “No CMMC Status (Expired).” [6]

Compliance Is Now a Competitive Differentiator

This is where the strategic mindset shift needs to happen. CMMC compliance is no longer a checkbox. It’s not something to hand off to IT and forget about. It’s now a key part of winning, and keeping, federal business.

“We’ve been on both sides of the table: first as a federal contractor, now as a CMMC partner. Today, CMMC isn’t just about passing an audit. It’s about whether you’re seen as a ready, reliable part of the federal supply chain. CMMC isn’t some far-off deadline. If your name’s not in SPRS with a score, or your documentation isn’t defensible, you’re already losing ground. We’ve seen it starting in real bids.”

Patrick Birt, CEO & Registered Practitioner, Compliancy Sherpa, LLC

If your SPRS scores are outdated, if your POA&Ms (Plans of Action and Milestones) are vague, or if your documentation is scattered across vendors and SharePoint folders, you’re not ready. And if your prime contractor is prepping for a bid, your lack of readiness could be the deciding factor in whether you get included.

Actions You Can Take Today

Let’s not overcomplicate this. Here are five practical steps to take now:

  1. Review all active and upcoming DoD opportunities to determine if CMMC clauses apply.
  2. Identify which of your systems handle FCI or CUI, and what level of CMMC they require.
  3. Conduct or update your self-assessment using the DoD’s scoring methodology.
  4. Post your score to the SPRS portal; include details like date and CMMC UID.
  5. Communicate your readiness to primes and teaming partners clearly.

This last one is crucial. Don’t wait for someone to ask. Get ahead of it. Show that you’re a low-risk, high-readiness partner.

The Bottom Line

DFARS 252.204-7021 and 252.204-7025 are now tools in the DoD’s acquisition toolbox. Contracts issued today can include these clauses. That means eligibility is no longer just about technical capacity or past performance. It’s also about documented cybersecurity maturity.

Don’t let outdated assumptions keep your company from qualifying for the next big opportunity. CMMC is not a theoretical framework anymore. It’s operational. And it’s already showing up in the fine print.

Need help figuring out if you’re already subject to these clauses? Want guidance on what to post in SPRS or how to assess your environment? That’s what we’re here for; you handle the mission and we’ll handle the map. Contact us today for your free compliance assessment.

Resources:
  1. Department of Defense. (2025, September 10). Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (Final Rule). Federal Register, 90(176), 62541–62561. https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
  2. Department of Defense. (n.d.). Cybersecurity Maturity Model Certification (CMMC) Overview. DoD Chief Information Officer. https://dodcio.defense.gov/CMMC
  3. General Services Administration. (2025). DFARS 252.204-7021 – Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements. Acquisition.gov. https://www.acquisition.gov/dfars/252.204-7021-cybersecurity-maturity-model-certification-requirements
  4. General Services Administration. (2025). DFARS 252.204-7025 – Notice of Cybersecurity Maturity Model Certification Level Requirements. Acquisition.gov. https://www.acquisition.gov/dfars/252.204-7025-notice-of-cybersecurity-maturity-model-certification-level-requirements
  5. SPRS Program Office. (2025). SPRS Awardee User Guide Version 4.1.1. Defense Logistics Agency (DLA). https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf
  6. SPRS Program Office. (n.d.). SPRS Frequently Asked Questions (FAQs). https://www.sprs.csd.disa.mil/faqs.htm
  7. Cyber AB. (2023). CMMC Assessment Process (CAP) Version 2.0. https://cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf
