CMMC 48 CFR Goes Into Effect: What Contractors Should Do Now
It’s official: CMMC 48 CFR is now in effect.
As of November 10, 2025, Cybersecurity Maturity Model Certification (CMMC) requirements are part of the Defense Federal Acquisition Regulation Supplement (DFARS).
This change marks a new era for the Defense Industrial Base (DIB) — one where cybersecurity compliance is no longer preparation. It’s performance.
If you work with the Department of Defense (DoD, now known as the Department of War), the countdown is over. Here’s what this shift means, how it affects your contracts, and what to do next.
The Shift From Policy to Practice
CMMC is no longer theoretical. With 48 CFR live, certification requirements can now appear directly in DoD solicitations and awards.
- The rule amends DFARS to include 252.204-7025, the new Notice of Cybersecurity Maturity Model Certification Level Requirements clause.
- Contracting officers can now specify which CMMC level your organization must hold before award.
- Prime contractors must also ensure their subcontractors meet the same certification level when handling Controlled Unclassified Information (CUI).
Even if CMMC hasn’t yet appeared in your contracts, it likely will soon (or in your next renewal or option year). This marks the official move from voluntary alignment to contractual enforcement.
The Rollout Timeline
The DoD structured CMMC enforcement in three phases to help manage readiness and capacity:
Phase I — November 2025: CMMC Level 1 and Level 2 (Self) requirements begin appearing in select solicitations. Contractors must self-assess, document, and report compliance in SPRS before award.
Phase II — November 2026: CMMC Level 2 (C3PAO) third-party assessments become required for most contracts involving CUI. Certification must be complete prior to award.
Phase III — November 2027: CMMC Level 3 (DIBCAC) assessments begin for mission-critical programs.
Goal: Full enforcement across the DIB by 2028.
5 Things Contractors Need to Know
- Compliance is now contract law. CMMC language will appear in new and modified DoD agreements starting now.
- SPRS accuracy matters now more than ever. The DoD and primes use scores to evaluate risk and validate readiness. False or inflated reporting can trigger False Claims Act exposure.
- Flow-down clauses are active. Prime contractors can (and will) begin requiring proof of certification from subcontractors ahead of formal rollout.
- Self-assessment is limited. Only “non-prioritized” Level 2 contracts (roughly 5% of total) may qualify for self-attestation.
- Assessment demand is rising. C3PAOs are already booking audits into mid-2026. Delays in scheduling could cost months of contract eligibility.
What You Should Do Now
- Review new Requests for Proposals (RFPs). Check for DFARS 252.204-7025 and any upcoming option years that may add it.
- Validate your SPRS score. Ensure your System Security Plan (SSP) and Plan of Action and Milestones (POA&M) are up to date and accurate.
- Conduct a gap assessment. Identify missing controls, incomplete documentation, and any areas that could fail a third-party audit.
- Plan and prioritize remediation. High-value controls like multi-factor authentication, logging, and access restrictions should come first.
- Engage a C3PAO early. Don’t wait until your prime requires proof. Audit capacity will become a bottleneck.
- Coordinate with your prime. Align timelines and expectations for flow-down requirements to avoid contract disruption.
The DoD’s long-awaited enforcement mechanism is now active, and defense contractors are expected to demonstrate progress, not just intent.
Early adopters who performed gap assessments and began remediation before November 10 are on track to be eligible for more contracts and to face less competition for them.
ISI Insight: Certification equals competitiveness. Contractors that move now will secure their place in the 2026–2027 pipeline while others rush to catch up.
The Cost of Waiting
Delaying readiness now means:
- Lost bid opportunities as CMMC appears in solicitations
- Procurement slowdowns as primes vet noncompliant suppliers
- Higher remediation costs from rushed compliance
- Potential False Claims Act exposure for inaccurate SPRS submissions
By contrast, contractors who complete remediation and schedule their C3PAO audits within the next 90 days will be positioned for contracts issued before Phase II begins in November 2026, when third-party certification becomes mandatory and assessment backlogs intensify. Acting now helps you stay competitive while others race to catch up.
What Happens Next
Expect the following changes over the next 6–12 months:
- New solicitations will specify required CMMC levels.
- Existing contracts may be updated during renewal or option year reviews.
- DoD source selections will increasingly consider CMMC status.
- Annual SPRS reaffirmations remain mandatory, even after certification.
The era of “wait and see” is over. CMMC readiness is now a determining factor in contract eligibility.
Partner with ISI for CMMC Level 2 Readiness
With 48 CFR now live, your organization must act quickly to stay compliant and competitive.
As a CMMC Level 2-certified Registered Provider Organization (RPO), ISI helps defense contractors accelerate compliance through:
- NIST SP 800-171 gap assessments
- SSP and POA&M development
- Tool selection and integration guidance
- Third-party (C3PAO) assessment preparation
- Ongoing managed compliance support
We don’t just help you meet the minimum; we help you compete with confidence.
FAQs
Do I need to be certified right now?
Not all contractors will see CMMC language in their current contracts, but it’s being added in new solicitations starting today. If you handle CUI, you should prepare for Level 2 certification now.
Can I still self-assess for Level 2?
Only if your contract explicitly allows it under “non-prioritized acquisitions.” For nearly all contractors, a third-party (C3PAO) certification will be required at some point.
How often will I need to recertify?
Every three years for formal certification. Annual self-affirmations and SPRS updates are still required.
What if I fail my first CMMC audit?
You’ll need to remediate deficiencies, schedule a re-assessment (costing roughly $30K–$45K), and delay new contract eligibility until you pass.
How can ISI help?
Our compliance experts and managed security services help reduce risk, shorten timelines, and ensure audit readiness under real-world conditions.