ISI Insights

CMMC 48 CFR Clears Regulatory Review: What Defense Contractors Need to Know

Written by ISI | Aug 31, 2025 2:41:19 PM

Executive Brief 

The long-anticipated CMMC 48 Code of Federal Regulations (CFR) rule has cleared regulatory review and has been published into the Federal Register. The official effective date was November 10, 2025. Here's what defense contractors need to know:

The government's phased rollout of Cybersecurity Maturity Model Certification (CMMC) certification contract requirements began on November 10, 2025. The rollout occurs in three phases:

  • Phase I: Level 1 and 2 self-assessments (November 2025)
  • Phase II: Level 2 Certified Third-Party Assessment Organization (C3PAO) requirements (November 2026)
  • Phase III: Level 3 Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) requirements (November 2027)

Even before CMMC appears in a contract’s base language, prime contractors can flow down CMMC certification requirements to their subcontractors ahead of the phased rollout schedule.

Noncompliance, intentional or not, can lead to lost contract opportunities or even legal consequences under the False Claims Act.

Dig deeper and continue reading below.

What Is the 48 CFR CMMC Rule? 

Published by the Department of Defense (DoD) (also known as the Department of War) on September 10, 2025, and effective as of November 10, 2025, the 48 CFR CMMC rule formally incorporates CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS). It’s the second and final rule of the CMMC 2.0 rulemaking process.

Whereas the 32 CFR CMMC rule set forth the CMMC program, requirements, and ecosystem, the 48 CFR CMMC rule establishes enforcement, requiring DoD solicitations to include CMMC certification requirements to all applicable contracts. 

Why It Matters for Defense Contractors 

Here’s what you need to know now that the rule has cleared regulatory review and been published into the Federal Register:

  • The government's phased rollout officially began on November 10 with Level 1 and Level 2 (self) certifications.
  • However, Contract Officers have the right to flow down requirements to their supply chain ahead of the phased rollout schedule. This means Level 2 (C3PAO) certification requirements can end up in your contracts much earlier than the start of Phase II in November 2026.
  • The revised CMMC standards and certification requirements could also be applied to contracts with option years that come up for discussion during the phased rollout.

Bottom line: Scheduling and completing a Level 2 assessment is a growing bottleneck for defense contractors. As of the end of 2025, fewer than 1% of the Defense Industrial Base (DIB) is certified. Wait times for C3PAO assessments are already around 9 months, and delays could stretch to 24-30 months by late 2026

Early certification gives you a competitive edge. Companies that achieve Level 2 certification before November 2026 will enjoy limited competition and a once-in-a-generation opportunity to grow their business pipeline while their competitors wait in line. Schedule your assessment now to secure your advantage before the Level 2 rollout rush begins.

Key Takeaways from the 48 CFR Rule 

  • CMMC requirements are now being added into contracts: As of the rule’s effective date, contractors must comply before contract award.
  • CMMC Level 2 nearly always requires third-party certification: DoD allows self-assessments only in limited, non-prioritized acquisitions. It’s estimated these will apply to 2% of contractors handling Controlled Unclassified Information (CUI).
  • Supplier Performance Risk System (SPRS) reporting is still required: Level 1 contractors must reaffirm their SPRS yearly through self-attestation. For Level 2+, certification lasts for three years, but contractors need to annually reaffirm compliance and submit annual SPRS scores.  
  • Flow-down clauses apply:  Prime contractors must ensure their subcontractors are also appropriately certified.

new dfars clause to look for 

Part of the 48 CFR CMMC rule is to amend DFARS to include a new clause: DFARS 252.204-7025 (Notice of CMMC Level Requirements). This will be the clause in your contract that identifies which maturity level your company will need to accept the award of the contract. The language will read as:

The CMMC level required by this solicitation is: ___________. This CMMC level or higher (see 32 CFR part 170) is required prior to award for each contractor information system that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI) during performance of the contract.

WHAT DOES the PHASED ROLLOUT LOOK LIKE

  • Phase I: Begins on the effective date listed in the final 48 CFR rule, November 10, 2025. Applies to contracts that will include CMMC Level 1 and CMMC Level 2 (self) certification levels.
  • Phase II: Begins 12 months after the start date of Phase I, November 2026. Applies to new contracts that will include Level 2 (C3PAO) certification requirements. These requirements can be flowed down sooner by primes.
  • Phase III: Begins in November 2027, 12 months after the onset of Phase II. Applies to contracts requiring Level 3 (DIBCAC) certification requirements
Goal: The DoD wants all DIB contractors to be certified at the appropriate CMMC maturity level by the end of 2028

What to do Next 

If you’re unsure how to proceed, here are the next steps to protect your DoD contract eligibility:

  • Review your current contracts. What clauses are currently being flowed down or placed in your contracts? This will help you feel confident in which CMMC maturity level you'll need to achieve. That said, Level 2 (C3PAO) is going to be the safest bet for current and future contracts.
  • If you haven’t heard from your primes about their CMMC plans, reach out to them. Since they have the right to flow down requirements ahead of the phased rollout, you will want to know whether they plan on following the rollout schedule or working ahead of it
  • Conduct a gap assessment to benchmark against the appropriate cybersecurity standard. This step is critical for determining your path to compliance, estimating remediation timelines, and preparing for your Level 2 assessment.
  • Determine if outside help is needed. CMMC assessments are unique and the learning curve can be steep. Do an honest and thorough review of your IT team to assess their ability to do the work. If you're not 100% confident, consider bringing in some help
  • Engage a C3PAO early. C3PAO assessment schedules for the first half of 2026 are already filling quickly. Assess how long remediation is going to take and schedule your assessment around your internal timeframe. 

ISI Insight: Don't rush to an open spot. It's more important to get it right than to rush and increase your risk of failing.

ISI Insight: The assessment backlog is beginning to grow. CCAs and C3PAOs are expanding, but not quickly enough to meet rising demand. Once you identify your scope and remediation timeline, schedule your assessment ASAP to keep your compliance journey on track!

CMMC Levels and Requirements 

Depending on the type of data you handle, you may be subject to one of three certification levels: 

  • Level 1 (Foundational): For organizations handling FCI. Requires 17 basic cyber hygiene practices and an annual self-assessment reported in the Supplier Performance Risk System (SPRS) 
  • Level 2 (Advanced): For contractors handling CUI. Requires implementation of all 110 controls and 320 objectives from NIST SP 800-171 and a triennial third-party assessment by a certified CMMC Third-Party Assessment Organization (C3PAO) and annual self-affirmations 
  • Level 3 (Expert): Reserved for contractors on the most sensitive programs. Requires government-led assessments and compliance with NIST SP 800-172
     

ISI: A Trusted Partner for CMMC Level 2 Readiness 

At ISI, we specialize in helping defense contractors prepare for CMMC Level 2 certification. As one of the first MSPs in the U.S. to earn CMMC Level 2 certification, we understand both the technical requirements of CMMC/NIST SP 800-171 and the day-to-day realities of small DIB IT teams.

 What sets us apart from general IT providers:

  • Purpose-built expertise: Our compliance frameworks, assessment tools, and managed services were developed specifically for DoD contractors handling CUI.
  • End-to-end support: From gap assessments and remediation planning to readiness reviews and C3PAO coordination, we help you streamline every step toward certification.
  • Integrated platform: ISI combines cybersecurity, IT, and compliance management under one roof, reducing vendor complexity and ensuring continuous protection and documentation.
  • Real-world results: We’ve guided hundreds of DIB clients through successful assessments, helping them stay contract-eligible and audit-ready without disrupting daily operations.

With ISI, you do more than meet the minimum; we help you compete with confidence.

 

FAQs 

Do all contractors need to be CMMC certified now?

No, but early adopters are going to enjoy a greater competitive advantage. As of August 2025, fewer than 300 companies had achieved CMMC Level 2 certification. Don't mistake that as a reason to green-light delaying; see it as a motivator to accelerate your compliance journey.

Can I self-assess for CMMC Level 2? 

Yes. However, less than 5% of Level 2 contractors will be able to self-assess. Level 2 (Self) heavily depends on what type of CUI you handle. If you have any CUI in the Defense Index Grouping of the CUI Registry, a C3PAO assessment is going to be required. If not, a self-assessment may suffice. But counting on self-assessments to move your business forward is a risky proposition.

What if I fail a CMMC audit?

The most immediate concern is you will further delay your company's ability to accept award of new defense contracts. Additionally, from a budget perspective, you are going to have to spend more to at least pay for another assessment (roughly $30-45k). On top of that, depending on which controls you failed, you may need to invest in additional tools that weren't budgeted for. Last, you could face some reputational damage, hurting your ability to win contracts even if you do eventually achieve certification.

What does SPRS submission involve? 

It involves uploading your self-assessment score based on NIST SP 800-171 implementation along with basic supporting details into DoD's SPRS. While not required to initiate a CMMC assessment, completing this step is a key part of Level 2 readiness and may already be required under current DFARS clauses in your contracts. 

Internal Links: 
View full post