Justin Johnson

CMMC Implementation Update – November 10, 2025

After years of anticipation, the Department of Defense (DoD) officially begins enforcing the Cybersecurity Maturity Model Certification (CMMC) requirements as a mandatory condition in new defense contracts starting November 10, 2025. This long-awaited enforcement marks a pivotal shift for defense contractors: CMMC compliance is no longer optional but a contract eligibility prerequisite.

What Changes Starting November 10, 2025

With the end of the required 60-day implementation period that followed the September 10 publication of the Federal Acquisition Regulation (48 CFR) rule, DoD contracting officers gain the authority to include CMMC clauses in all new contract solicitations. Specifically:

DFARS clause 252.204-7021 becomes mandatory for contracts handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Contractors are now required to publish their CMMC compliance status and associated Unique Identifiers (UIDs) in the Supplier Performance Risk System (SPRS).

Annual compliance affirmations must be submitted by designated “affirming officials,” ensuring ongoing adherence.

Phase 1 Requirements: November 2025 to November 2026

During this initial enforcement phase:

Level 1 self-assessments become mandatory for protecting FCI.

Level 2 self-assessments, aligned with the 110 NIST SP 800-171 controls, must be completed for CUI protection.

The DoD retains discretion to require Level 2 certified third-party assessments (via C3PAOs) for contracts deemed critical.

Roughly 65% of the Defense Industrial Base will face immediate impact from these requirements.

Looking Ahead: Implementation Timeline

The CMMC enforcement roadmap envisions progressive certification mandates:

Phase 2 (November 2026): Level 2 certification through accredited C3PAO assessments becomes mandatory for applicable contracts.

Phase 3 (November 2027): Initiation of Level 3 assessments to protect higher-impact data.

Phase 4 (November 2028): Full CMMC implementation across all Department of Defense contracts.

Business Impact and Challenges

The new rule has immediate and significant business repercussions:

Companies lacking a current and valid CMMC status will be ineligible to bid on DoD contracts involving FCI or CUI.

Assessment backlogs are emerging, with wait times stretching from three to six months amid a surge in compliance efforts.

Achieving Level 2 certification often demands 12 to 18 months of preparation due to the complexity of required controls.

The DoD estimates over 80,000 companies require Level 2 certification, with more than 1,500 needing Level 3 certification in the coming years.

Critical Takeaway

The era of delay and extensions has ended. CMMC compliance is now a contractual requirement integral to DoD contract eligibility. Defense contractors and subcontractors must prioritize their cybersecurity maturity to continue competing for federal defense work.

Helpful Resources

Official DoD CMMC Program website: https://dodcio.defense.gov/CMMC/

Federal Register for Acquisition Rule details: https://www.federalregister.gov/

CyberAB – Accredited Assessment Bodies: https://cyberab.org/

USFCR CMMC Final Rule Blog: https://blogs.usfcr.com/cmmc-final-rule