CMMC Title 48 Effective November 10, 2025: Summary of How This Ruling Impacts the DIB
Key Takeaways
- CMMC Goes Live November 10, 2025 – All DoD contracts and subcontracts (except COTS) will require compliance, completing the regulatory process begun in 2020.
- Phased Rollout Over 4 Years – Year 1: Level 1 & 2 self-assessments; Year 2: Level 2 third-party certifications; Year 3: Level 3 certifications; Year 4: full compliance mandatory.
- Conditional Awards Allowed – Contractors at CMMC Levels 2 or 3 may receive a contract with approved POAMs, but must close gaps within 180 days.
- Verification Through SPRS – Contracting officers cannot award contracts without current CMMC status and unique system identifiers logged in the Supplier Performance Risk System.
- Prime and Subcontractor Obligations – Compliance must flow down the supply chain; failure to meet required CMMC level can disqualify bidders or jeopardize contract eligibility.
The U.S. Department of Defense (DoD) has finalized the Title 48 rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to formally implement the Cybersecurity Maturity Model Certification (CMMC) program in defense contracts. This final rule, effective November 10, 2025, mandates cybersecurity requirements in DoD solicitations, contracts, and subcontracts, aligning with earlier rulemakings and the National Defense Authorization Act. CMMC, which was officially established in October 2024 under 32 C.F.R. part 170, aims to enhance cybersecurity protections for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Key Updates in the Final Rule
Conditional Awards for CMMC Levels 2 and 3
Under DFARS 204.7502, contractors can receive a contract award with a conditional CMMC status for up to 180 days, provided they have eligible Plans of Action and Milestones (POAMs). A final CMMC status is granted once these POAMs are successfully completed. This provides flexibility to companies still working towards full compliance.
Contracting Officer Procedures
DFARS 204.7503 states that contracts cannot be awarded unless the offeror has a current CMMC status at or above the required level for each system involved. Contractors must provide CMMC unique identifiers for each relevant system, and contracting officers must verify these in the Supplier Performance Risk System (SPRS).
Phased Implementation
As outlined in DFARS 204.7504, CMMC requirements will roll out in phases:
- Year 1: Level 1 and 2 self-assessments.
- Year 2: Level 2 third-party certifications.
- Year 3: Level 3 certifications.
- Year 4: Full CMMC compliance in all contracts.
During the first three years, inclusion of CMMC clauses is optional unless chosen by the program office. After that, clauses become mandatory for any contract involving FCI or CUI. These requirements do not apply to commercial off-the-shelf items.
Solicitation and Clause Changes
The final rule requires offerors to have a current CMMC status and continuous compliance affirmation in SPRS. Offerors must also submit and update their CMMC unique identifiers. The term “senior company official” has been replaced with “affirming official” to align with the CMMC regulation.
Reporting Revisions
The rule removes some proposed requirements to report security lapses directly to the contracting officer but still requires notifications of information security incidents as per DFARS 252.204-7012(c) and annual affirmations of compliance.
Definitions Update
DFARS 204.7501 adds and clarifies key definitions. Terms like “current,” “CMMC status,” and “CMMC unique identifier” are redefined for consistency and clarity.
Implications for Contractors
Contractors should prepare for Level 1 and 2 self-assessments and consider scheduling Level 2 audits with certified organizations.
CMMC clauses may appear in modifications or option exercises, so contractors must monitor compliance.
Subcontractors who handle FCI or CUI must also comply with CMMC requirements. Prime contractors are responsible for ensuring proper flow-down of the contract CMMC requirements. Non-compliance or lack of appropriate CMMC level may disqualify a bidder, making early review of contracts critical.
This final rule completes the formal regulatory process begun in 2020, setting the stage for full CMMC implementation starting November 2025.
McKonly & Asbury is an authorized C3PAO with experienced Lead Assessors who have been an integral part of the CMMC Ecosystem. Please contact Dave Hammarberg, LCCA and Partner, or Elaine Nissley, LCCA and Director, to learn more about obtaining C3PAO services to meet the CMMC Level 2 Certification requirements.
About the Author

Elaine is a Director with McKonly & Asbury. Her primary responsibilities include management of the Cybersecurity Maturity Model Certification (CMMC) Assessment group where she handles business development and client relations…