CMMC Final Rule Published: What You Need to Know Now
The U.S. Department of Defense has published the final rule "Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements", effective November 10, 2025, with a three-year phased implementation. The rule requires defense contractors and subcontractors to protect sensitive information through CMMC (Cybersecurity Maturity Model Certification), and to have an SPRS score on record or hold a CMMC certification in order to participate in DoD contracts.
2025-09-23 09:00:00 Author: www.guidepointsecurity.com

The Final Rule is Official

The Department of Defense published the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) on September 10, 2025. This rule becomes effective on November 10, 2025, marking the beginning of a 3-year phased rollout for implementation. You need to review this rule, along with the CMMC Program itself (32 CFR Part 170), and act immediately — waiting will put your organization behind on compliance requirements.

CMMC, or Cybersecurity Maturity Model Certification, is a Department of Defense (DoD) program that requires defense contractors and subcontractors to implement specific cybersecurity measures to protect sensitive information, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).  

The SPRS (Supplier Performance Risk System) score is the result of a U.S. DoD contractor's self-assessment against the 110 NIST SP 800-171 security requirements, recorded in SPRS, the DoD database that contracting officers check. It summarizes how many of those requirements the contractor has implemented on the systems that handle CUI.
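To make the SPRS score concrete, the following is an added example (not code from GuidePoint or the DoD) that scores a self-assessment the way the NIST SP 800-171 DoD Assessment Methodology does: the score starts at 110, each unimplemented requirement subtracts 1, 3 or 5 points according to its weight, and two requirements (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) carry a 3-point partial deduction for a specific partial implementation. The weight table below is a constructed subset for illustration; a real assessment must use the full 110-requirement table from the methodology, and the names `Finding`, `sprs_score` and `remediation_order` are this example's own.

```python
"""Score a NIST SP 800-171 self-assessment as the DoD Assessment Methodology does.

Added illustration, not code from GuidePoint or the DoD. The weight table is
a constructed subset; use the methodology's full table for a real assessment.
"""
from dataclasses import dataclass

MAX_SCORE = 110  # one point per NIST SP 800-171 Rev. 2 requirement

# Points deducted when a requirement is NOT implemented.
# Constructed subset for the example; verify against the DoD Assessment Methodology.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control the flow of CUI
    "3.1.12": 5,   # monitor and control remote access sessions
    "3.3.1": 5,    # create and retain system audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.1": 5,   # identify, report and correct system flaws
}

# Requirements whose defined partial implementation costs 3 points instead of 5:
# MFA for remote/privileged users only, and encryption that is not FIPS validated.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

STATUSES = ("implemented", "partial", "not_implemented")


@dataclass(frozen=True)
class Finding:
    """One requirement and its assessed status."""
    requirement: str
    status: str


def deduction(finding: Finding, weights: dict = WEIGHTS) -> int:
    """Points lost for a single finding; rejects unknown requirements/statuses."""
    if finding.status not in STATUSES:
        raise ValueError(f"unknown status {finding.status!r} for {finding.requirement}")
    if finding.requirement not in weights:
        raise KeyError(f"requirement {finding.requirement} is not in the weight table")
    if finding.status == "implemented":
        return 0
    if finding.status == "partial":
        # Only 3.5.3 and 3.13.11 have a defined partial-credit case.
        if finding.requirement not in PARTIAL_DEDUCTION:
            raise ValueError(f"no partial credit defined for {finding.requirement}")
        return PARTIAL_DEDUCTION[finding.requirement]
    return weights[finding.requirement]


def sprs_score(findings, weights: dict = WEIGHTS) -> int:
    """110 minus the weighted deductions; requirements not listed count as implemented."""
    seen = set()
    total = 0
    for f in findings:
        if f.requirement in seen:
            raise ValueError(f"duplicate finding for {f.requirement}")
        seen.add(f.requirement)
        total += deduction(f, weights)
    return MAX_SCORE - total


def remediation_order(findings, weights: dict = WEIGHTS) -> list:
    """Open requirements ordered by points recovered (largest first, then by id)."""
    items = [(deduction(f, weights), f.requirement) for f in findings]
    items = [(pts, req) for pts, req in items if pts]
    return [req for pts, req in sorted(items, key=lambda x: (-x[0], x[1]))]


# Constructed sample assessment: four open items, two implemented.
SAMPLE_FINDINGS = [
    Finding("3.1.1", "not_implemented"),
    Finding("3.1.3", "not_implemented"),
    Finding("3.1.12", "implemented"),
    Finding("3.5.3", "partial"),          # MFA only for remote/privileged users
    Finding("3.13.11", "not_implemented"),
    Finding("3.14.1", "implemented"),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_FINDINGS))
    print("Fix first:", remediation_order(SAMPLE_FINDINGS))
```

On the constructed sample the score is 96 (110 minus 5, 1, 3 and 5), and the remediation list puts the two 5-point items first. The order matters in practice: a POA&M that closes 3.1.1 and 3.13.11 recovers ten points, while closing 3.1.3 recovers one.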


Current Compliance Requirements

In accordance with 32 CFR Part 170, contractors must have either a CMMC self-assessment score in the Supplier Performance Risk System (SPRS) or a CMMC certification, at the level the contract language specifies at time of award. At minimum, an organization must upload an SPRS score at https://www.sprs.csd.disa.mil/ for any existing contracts and before bidding on or being awarded a new one. Starting November 10, 2025, solicitation clauses requiring CMMC compliance and/or certification will begin appearing in contracts. Once the three-year phased rollout is complete, every organization will need the CMMC status its contracts specify (a Level 1 or Level 2 self-assessment where the contract allows it, or a Level 2 third-party certification where it does not) to qualify for DoD contracts.

Key Language from the Final Rule

The updated solicitation provision clearly states that offerors will not be eligible for contract awards if they lack:

  • Current CMMC status in SPRS at the required level specified in paragraph (b)(1) of the provision
  • Current affirmation of continuous compliance with security requirements identified in 32 CFR Part 170 for each contractor information system that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)

Beginning November 10, 2025, DoD contracting officers have discretion to include clauses requiring Level 2 certification for CUI protection, even during Phase 1 of the rollout. Organizations that work with or expect to work with CUI data should, at minimum, have a developed System Security Plan (SSP) and Plan of Action and Milestones (POA&M) ready.

The phases of the rollout, with the timing and expectations for each:

Phase 1 (starts November 10, 2025): At minimum CMMC Level 1 (self-assessment) or Level 2 (self-assessment, SPRS score). Contracts can already require Level 2 third-party (C3PAO) assessments.
Phase 2 (starts November 10, 2026): New contracts are more likely to require Level 2 third-party (C3PAO) assessment/certification.
Phase 3 (starts November 10, 2027): Level 2 third-party (C3PAO) certification will be required for award and for exercising options on existing contracts.
Phase 4 (starts November 10, 2028): All solicitations and contracts will state the required CMMC level and assessment type, and offerors must hold that status. A standalone NIST SP 800-171 self-assessment score in SPRS will no longer be accepted as sufficient for contract award or continuation.

As an RPO (Registered Provider Organization), GuidePoint Security can provide expert guidance for your CMMC compliance efforts. GuidePoint offers CMMC gap assessment and advisory services, delivered by Registered Practitioner (RP) and Registered Practitioner Advanced (RPA) consultants with operations backgrounds who understand how to apply the CMMC controls to your environment, define the in-scope environment, and identify the changes or additions needed to close compliance gaps.

A gap assessment can be viewed as a “practice run” for formal CMMC certification by a C3PAO (CMMC Third-Party Assessor Organization).


Jason Spencer

Senior Security Consultant, Compliance,
GuidePoint Security

Jason Spencer is a Senior Security Consultant in GuidePoint Security's Compliance practice. He began his career in the security industry in 2010, and his professional experience includes security assessments, specializing in network, wireless, and vulnerability management. Jason has led and participated in compliance assessments around the world for industries such as banking, commercial, and federal agencies. His network security assessment experience covers perimeter, network, and wireless assessments, database auditing, workstation review, social engineering, and firewall auditing. He has also worked within Network Operations Centers (NOC) and Security Operations Centers (SOC).

Jason earned a Bachelor of Arts degree in Geology with teacher certification and holds several certifications, including the Certified Information Systems Security Professional (CISSP).


Source: https://www.guidepointsecurity.com/blog/cmmc-final-rule-published-what-you-need-to-know-now/