
CMMC 48 CFR Clears Regulatory Review: What Defense Contractors Need to Know


Executive Brief 

The long-anticipated CMMC 48 Code of Federal Regulations (CFR) rule has cleared regulatory review and has been published in the Federal Register. The official effective date is November 10, 2025. Here's what defense contractors need to know:

  • The government's phased rollout of CMMC certification contract requirements will begin on November 10, 2025
  • The rollout occurs in three phases:
    • Phase I: Level 1 and 2 self-assessments (November 2025)
    • Phase II: Level 2 (C3PAO) requirements (November 2026)
    • Phase III: Level 3 (DIBCAC) requirements (November 2027)

  • Even before CMMC appears in a contract’s base language, prime contractors can flow down CMMC certification requirements to their subcontractors ahead of the phased rollout schedule 
  • Noncompliance—intentional or not—can lead to lost contract opportunities or even legal consequences under the False Claims Act 




What Is the 48 CFR CMMC Rule? 

The CMMC 48 CFR rule is the enforcement portion of the CMMC program. It is the second and final rule of the CMMC 2.0 rulemaking process. Whereas the CMMC 32 CFR rule set forth the CMMC program, its requirements, and its ecosystem, the 48 CFR rule requires DoD solicitations to include CMMC certification requirements in all applicable contracts.

Why It Matters for Defense Contractors 

Now that the rule has cleared regulatory review, the final version of the CMMC 48 CFR rule can be published in the Federal Register. This is important to defense contractors for the following reasons:

  • On November 10th, the government's phased rollout will officially begin. The rollout technically starts with Level 1 and Level 2 (Self) certifications
  • However, Contracting Officers have the right to flow down requirements to their supply chain ahead of the phased rollout schedule. This means Level 2 (C3PAO) certification requirements can end up in your contracts much earlier than anticipated
  • The revised CMMC standards and certification requirements could also be applied to existing contracts whose option years come up for discussion during the phased rollout

Bottom line: Certification = competitive edge. As of August 2025, just 0.35% of the DIB is certified. Schedule your assessment now to secure your advantage—before the "Level 2 rollout rush" begins.

Key Takeaways from the 48 CFR Rule 

  • CMMC requirements are now being added into contracts: As of the rule's effective date, contractors must comply before contract award 
  • CMMC Level 2 nearly always requires third-party certification: DoD allows self-assessments only in limited, non-prioritized acquisitions—estimated to apply to fewer than 5% of contractors handling CUI 
  • SPRS Reporting Still Required: Level 1 contractors must reaffirm their SPRS yearly through self-attestation. For Level 2+, while certification lasts for three years, contractors need to annually reaffirm compliance and submit annual SPRS scores 
  • Flow-Down Clauses Apply: Prime contractors must ensure their subcontractors are also appropriately certified

New DFARS Clause to Look For

Part of the CMMC 48 CFR rule amends DFARS to include a new clause: DFARS 252.204-7025 (Notice of Cybersecurity Maturity Model Certification Level Requirements). This is the clause in your contract that identifies which maturity level your company must achieve to accept award of the contract. The language reads as follows:

The CMMC level required by this solicitation is: ___________. This CMMC level or higher (see 32 CFR part 170) is required prior to award for each contractor information system that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI) during performance of the contract.

What Does the Phased Rollout Look Like?

  • Phase I: Begins on the effective date listed in the final 48 CFR rule, November 10, 2025. Applies to contracts that will include CMMC Level 1 and CMMC Level 2 (Self) certification levels
  • Phase II: Begins 12 months after the start date of Phase I, November 2026. Applies to new contracts that will include Level 2 (C3PAO) certification requirements. These requirements can be flowed down sooner by primes
  • Phase III: Begins in November 2027, 12 months after the onset of Phase II. Applies to contracts requiring Level 3 (DIBCAC) certification requirements
  • Goal: The DoD wants all DIB contractors to be certified at the appropriate CMMC maturity level by the end of 2028

What to Do Next

If you’re unsure how to proceed, here are the next steps to protect your DoD contract eligibility: 

  • Review your current contracts. What clauses are currently being flowed down or placed in your contracts? This will help you feel confident in which CMMC maturity level you'll need to achieve. That said, Level 2 (C3PAO) is going to be the safest bet for current and future contracts.
  • If you have not heard from your primes about their CMMC plans, reach out to them. Since they have the right to flow down requirements ahead of the phased rollout, you will want to know whether they plan on following the rollout schedule or working ahead of it
  • Conduct a gap assessment to benchmark against the appropriate cybersecurity standard. This step is critical for determining your path to compliance, estimating remediation timelines, and preparing for your Level 2 assessment
  • Determine if outside help is needed. CMMC assessments are unique—and the learning curve can be steep. Do an honest and thorough review of your IT team to assess their ability to do the work. If you're not 100% confident, consider bringing in some help
  • Engage a C3PAO early. C3PAOs are already scheduling out into Q1 2026. Assess how long remediation is going to take and schedule your assessment around your internal timeframe. ISI Insight: Don't rush to an open spot. It's more important to get it right than to rush and increase your risk of failing

ISI Insight: We're expecting to see an assessment bottleneck beginning sometime in Q1 or Q2 in 2026. Once you identify your scope and remediation timeline, schedule your assessment to keep your compliance journey on track!

CMMC Levels and Requirements 

Depending on the type of data you handle, you may be subject to one of three certification levels: 

  • Level 1 (Foundational): For organizations handling FCI. Requires 17 basic cyber hygiene practices and an annual self-assessment reported in the Supplier Performance Risk System (SPRS) 
  • Level 2 (Advanced): For contractors handling CUI. Requires implementation of all 110 controls and 320 assessment objectives from NIST SP 800-171, a triennial third-party assessment by a certified CMMC Third-Party Assessment Organization (C3PAO), and annual affirmations of continued compliance
  • Level 3 (Expert): Reserved for contractors on the most sensitive programs. Requires government-led assessments and compliance with NIST SP 800-172

Partner with ISI for CMMC Level 2 Readiness 

CMMC compliance doesn’t just safeguard sensitive information—it also protects your business. At ISI, we specialize in helping defense contractors prepare for CMMC Level 2 certification, including documentation, gap analysis, and long-term compliance planning. 

We don’t just help you meet the minimum—we help you compete with confidence. 

 


FAQs 

Do all contractors need to be CMMC certified now?

No, but early adopters will enjoy a greater competitive advantage. As of August 2025, fewer than 300 companies had achieved CMMC Level 2 certification. Don't mistake that for a reason to delay; see it as a motivator to accelerate your compliance journey.

Can I self-assess for CMMC Level 2? 

Yes. However, fewer than 5% of Level 2 contractors will be able to self-assess. Eligibility for Level 2 (Self) depends heavily on the type of CUI you handle. If you have any CUI in the Defense Index Grouping of the CUI Registry, a C3PAO assessment will be required. If not, a self-assessment may suffice. But counting on self-assessments to move your business forward is a risky proposition.

What if I fail a CMMC audit?

The most immediate concern is that you will further delay your company's ability to accept award of new defense contracts. Additionally, from a budget perspective, you will have to spend more to at least pay for another assessment (roughly $30-45k). On top of that, depending on which controls you failed, you may need to invest in additional tools that weren't budgeted for. Last, you could face reputational damage, hurting your ability to win contracts even if you do eventually achieve certification.

What does SPRS submission involve? 

It involves uploading your self-assessment score based on NIST SP 800-171 implementation along with basic supporting details into DoD's SPRS. While not required to initiate a CMMC assessment, completing this step is a key part of Level 2 readiness and may already be required under current DFARS clauses in your contracts. 
