(Source: Department of Defense Final Rule – 48 CFR Parts 204, 212, 217, and 252; Federal Register, September 10, 2025)

If we haven’t met yet, we’re IS Partners, a trusted C3PAO partner helping defense contractors prepare for, assess, and maintain CMMC compliance with confidence.

After years of anticipation, it’s official: the Department of Defense (DoD) has published the Cybersecurity Maturity Model Certification (CMMC) Final Rule in the Federal Register under Title 48 of the Code of Federal Regulations (48 CFR Parts 204, 212, 217, and 252).

This Final Rule, effective November 10, 2025, transitions CMMC 2.0 from policy guidance into a binding contractual requirement for all contractors and subcontractors that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

1) Effective Date and Authority

The Final Rule (48 CFR Parts 204, 212, 217, and 252 – Defense Federal Acquisition Regulation Supplement [DFARS]) was formally published in the Federal Register on September 10, 2025, with an effective date of November 10, 2025.

Once effective, contracting officers will begin incorporating the updated DFARS 252.204-7021 and 252.204-7025 clauses into new DoD solicitations, making CMMC certification a prerequisite for award eligibility.

Reference: Final Rule – “Cybersecurity Maturity Model Certification (CMMC) Program,” 48 CFR Parts 204, 212, 217 and 252; Federal Register Vol. 90, No. 175, September 10, 2025.

2) Three-Year Phased Implementation (per 48 CFR 204.7502)

| Period | CMMC Requirement | Scope of Application |
| --- | --- | --- |
| Years 1–3 (Nov 10 2025 – Nov 9 2028) | CMMC requirements apply only to select contracts where the DoD Program Office determines inclusion is necessary. | Controlled rollout to reduce burden on small businesses; COTS contracts excluded. |
| After Nov 10 2028 | All DoD contracts that require handling of FCI or CUI must include CMMC requirements. | Applies across the Defense Industrial Base (DIB). |

3) Conditional and Final CMMC Statuses (48 CFR 204.7501 and 32 CFR Part 170)

The Final Rule introduces formal recognition of Conditional and Final CMMC Statuses:

  • Conditional Status – Valid for 180 days following an initial self- or third-party assessment (Level 2 or 3). Contractors may receive awards but must close all POA&Ms before expiration.
  • Final Status – Issued after successful remediation: Level 1 (Self): valid 1 year; Level 2 (Self or C3PAO) & Level 3 (DIBCAC): valid 3 years; requires annual affirmation of continuous compliance in SPRS by an authorized official.

4) Requirements Effective November 10, 2025 (per 48 CFR 204.7503)

Contractors and offerors must:

  • Maintain a current CMMC Status at the required level.
  • Post results and affirmations in SPRS.
  • Provide CMMC Unique Identifiers (CMMC UIDs) for each in-scope information system.
  • Flow down requirements only to subcontractors handling FCI/CUI.
  • Exclude contracts solely for COTS items – explicitly exempt under the Final Rule.

5) Award Eligibility and Verification

Under 48 CFR 204.7503:

  • DoD may not award, extend, or exercise options without verifying a contractor’s CMMC Status in SPRS.
  • Contractors holding Conditional Status (Level 2 or 3) remain eligible for award but must reach Final Status within 180 days.
  • Contractors are responsible for maintaining compliance and updating UID records throughout the contract lifecycle.

6) How to Prepare Now

As a trusted C3PAO partner, IS Partners recommends starting preparation immediately:

1. Conduct a CMMC readiness assessment to identify your target level.
2. Document your System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
3. Remediate control gaps and verify technical evidence.
4. Register your organization in SPRS and assign CMMC UIDs.
5. Schedule your C3PAO assessment early to avoid bottlenecks.
6. Establish an annual affirmation workflow.
7. Ensure subcontractor readiness to meet flowdown requirements.

Conclusion

The CMMC Final Rule (48 CFR Parts 204, 212, 217, and 252) transforms cybersecurity compliance from a goal into a contractual obligation.

Beginning November 10, 2025, CMMC will be a requirement for eligible DoD contracts, with a three-year phased implementation culminating in full enforcement by November 2028.

Contractors that act now will be best positioned to win new work as the DoD tightens cyber requirements across the Defense Industrial Base.
