CMMC Compliance Becomes Mandatory for Defense Contractors
CMMC 2.0 becomes a mandatory requirement for US Department of Defense contracts, phasing in from November 2025 and taking full effect in 2028. Contractors that handle Federal Contract Information or Controlled Unclassified Information must be certified. Certification has several levels; most contractors will need at least Level 2. Commercial off-the-shelf products and contractors that do not handle sensitive information are exempt. 2025-09-26 22:32:01 Author: securityboulevard.com

We’ve known it’s been coming, but it’s finally here: CMMC is no longer optional. Approval to issue the new Final Rule was fast-tracked, and the deadline is looming.

In Brief: What is CMMC?

CMMC is the Cybersecurity Maturity Model Certification. The first version was released back in 2020 as a way to bring a consistent standard of information security to the Department of Defense and the Defense Industrial Base, broadly in response to mounting phishing and other cyberattacks against defense contractors. Existing frameworks such as FedRAMP were built for other purposes (FedRAMP authorizes cloud service providers) and did not meet the DoD's needs for its contractor base; CMMC provides a broader framework for securing sensitive information, with its control set drawn from NIST SP 800-171 and, for Level 1, the basic safeguarding requirements of FAR 52.204-21.


While classified information (Confidential, Secret, Top Secret) has its own protection mechanisms, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) were handled far more loosely and were less well secured.

CMMC serves as a broad framework encompassing the controls necessary to secure FCI and CUI throughout the Defense Industrial Base. As a third-party-validated framework with assessment requirements and flowdown responsibility to subcontractors, it both commits contractors to secure systems and validates that the security is actually in place when it counts.

What’s the News?

The previous CMMC Final Rule (the 32 CFR Part 170 program rule, published in October 2024) finalized the state of CMMC 2.0, meaning the framework had exited the feedback stage and entered the implementation stage. Any organization that was waiting to make sure the standards were set in stone before working on compliance could start acting with confidence.

As of that rule, the countdown started to the inevitable full implementation of CMMC as a required security framework for DoD contracts. What no one knew at the time was how long that countdown would take.

A new Final Rule, the companion DFARS acquisition rule under Title 48, was published on September 10, 2025.


A summary from the Federal Register puts it like this:

“DoD is issuing a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the final Cybersecurity Maturity Model Certification program rule, titled Cybersecurity Maturity Model Certification Program. This final DFARS rule also partially implements a section of the National Defense Authorization Act for Fiscal Year 2020 that directed the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base.”

The rule was rushed through the approvals process; review that normally takes around 90 days took only 34. The end result is a ticking clock: the time to commit to CMMC is now.

The new rule is not quite as firm as it might sound, though it is much stricter than what came before. There are a few carve-outs: Commercial Off The Shelf (COTS) products can be supplied under DoD contracts without implementing CMMC, contractors that do not handle FCI or CUI are exempt, and there is some timing flexibility for Level 2 and Level 3 implementation.

Either way, there should be no further delay.

Why it Matters

Making CMMC part of the federal acquisitions process means it is now mandatory for any contractor that would handle FCI or CUI on behalf of the Department of Defense or its contractors, subject to flowdown.


This isn't an interim requirement or a "we'll get it when we win the bid" situation. Without a valid CMMC status at the required level recorded in SPRS, a contractor is ineligible for award of any contract that carries the requirement, cannot begin or continue work under it, and in practice will not be considered for those bids at all.

Losing the Race Before it Begins

The new Title 48 acquisition rule gives DoD contracting officers explicit authority.


These officers are now able to:

  • Specify what level of CMMC is required for a contract, given the sensitivity of the information that would be handled by contractors.
  • Check and verify compliance in the Supplier Performance Risk System (SPRS) before awarding a contract.
  • Disqualify any noncompliant contractor from the running, no matter how technically competent or otherwise ideal the contractor would be for the DoD’s needs.

Until this rule passed, CMMC was effectively a strong suggestion. Contractors handling CUI were already obligated under DFARS 252.204-7012 to implement NIST SP 800-171, but that obligation was self-attested, and the DoD could still work with contractors that did not meet its standards or allow interim contracts with CMMC implementation still in progress. That is effectively no longer the case.

Enforcing Flowdown

Another repercussion of the new rule is the codification of the flowdown requirements. Prime contractors working with subcontractors that themselves handle FCI or CUI will need to make sure their subcontractors are certified at the appropriate level.


This must be done before work on the contract begins. Sharing FCI or CUI downstream without the subcontractor's certification in place exposes the prime to significant contractual penalties.

Earning the CMMC Unique Identifier

Prior to this new rule, a company's CMMC assessment result was tied to a "DoD Unique Identifier," a piece of data attached to its profile in the SPRS. That terminology has been replaced: it is now the CMMC Unique Identifier (CMMC UID).


This is, essentially, a record that the company holds a current CMMC status: a self-assessment for Level 1 (and for Level 2 where the contract allows one), a C3PAO assessment for Level 2, or a government-led assessment for Level 3. The identifier is logged in the SPRS and used for verification when DoD contracts are awarded.

Flexibility in Certification

The one nod towards in-progress certification is that the rules allow a conditional CMMC status of up to 180 days for contractors aiming for Level 2 or Level 3 who have not yet fully met every requirement at assessment time.


This period allows the DoD to award a contract to a company that has not yet reached final CMMC status, on the condition that it closes the remaining gaps within the window. Plans of Action and Milestones (POA&Ms) are central to this contingency: only certain lower-weighted requirements may remain open on a POA&M, and they must be closed and verified within the 180 days or the conditional status lapses. Level 1 permits no POA&Ms at all.

The New Timeline for CMMC

With the rapid approval of the new policy, you might expect a shorter-than-usual timeline, but this is not the case. Those familiar with government contracts already can guess the new timeline.

This new rule, issued in September, officially takes effect on November 10, 2025. This is the initiation of the final roll-out of CMMC 2.0 as an official, mandatory requirement.

From there, the clock has three years on it, and the rule phases in over that period. From November 10, 2025, contracting officers begin writing Level 1 and Level 2 self-assessment requirements into new solicitations; Level 2 certification (C3PAO) assessment requirements follow from November 2026 and Level 3 requirements from November 2027. Until then, companies can still win work that does not yet carry a CMMC clause without having finished the compliance process. Once November 10, 2028 arrives, however, CMMC requirements apply to all applicable solicitations and contracts, and compliance is fully mandatory.


At this point, barring exclusions like COTS products, any contractor working with or applying to bid on DoD contracts will be required to have implemented an appropriate level of CMMC. While many companies have been working towards the overall CMMC goal, there’s now a firm deadline to have it done.

To be extra clear: starting November 2025, DoD contracts can require CMMC, but don't have to. By November 2028, all DoD contracts will require it, barring a few rare exceptions like COTS products. In the interim, expect more and more solicitations to require a CMMC status recorded in the SPRS, and any firm that does not have one to be passed over.

Has Anything in CMMC Changed?

No. The final rule for CMMC’s actual list of requirements for each level was finalized at the end of 2024. This new rule is a formalization of when CMMC will be required, but it does not make changes to what it means to comply.


If you’ve already been working on CMMC compliance, nothing has changed in the process, and you should continue. If you already have CMMC validated, you’re good to go. If you haven’t yet gotten started, now you have a firm deadline if you want to be part of the Defense Industrial Base.

Why Now?

Why has the federal government fast-tracked this requirement?

The short version is, they really haven’t. It has been over five years since the introduction of the original CMMC, and yet the framework was not made mandatory until now.

Meanwhile, the threats faced by the United States in general and the Defense Industrial Base in particular are ever-mounting. Numerous large attacks, including supply chain attacks on critical infrastructure, have been occurring. Groups like Volt Typhoon and numerous state-level actors have been waging a digital war on the country, and those efforts are not going to weaken.

Modern technology moves fast, too. Novel tools like AI are making it easier than ever for threat actors to spin up new attack vectors.


The overall Defense Industrial Base is very broad and encompasses an estimated 200,000 to 300,000 businesses across the country and around the world. Yet as of now, under 300 of those companies have a valid CMMC status recorded.

While most of those hundreds of thousands of companies aren’t handling FCI or CUI and thus won’t need CMMC, there are many thousands that will need at least Level 2, and thousands more that will need Level 1 certification. That’s quite the gap, and even one of those companies represents a possible leak of FCI or CUI.

The government has drawn its line in the sand: it’s time to take matters seriously and comply or get out of the way for a compliant organization to take over the contract.

What You Need to Do Now

What does this new announcement mean for your business?

It depends on where you are in the process and what your goals are.

Do you fall into one of the exemptions? If you offer a Commercial Off The Shelf product and can qualify for the CMMC exemption, you’re good to go. There are a few similar exemptions as well, such as micro-purchases; generally, you already know if you’re in one of these categories.

Do you intend to work with the Department of Defense or one of its contractors? If you don’t, you likely don’t have to pursue CMMC. CMMC is not required for all federal government contracts, just DoD contracts subject to DFARS contract clauses. If you intend to work for the Department of Defense or for a contractor within the Defense Industrial Base, then you will likely need to look deeper.


Will you handle Federal Contract Information, Controlled Unclassified Information, or other Covered Defense Information? If not, you won't need CMMC. CMMC exists to protect sensitive information that could pose a threat if exposed. Forcing businesses that don't handle anything sensitive to jump through security hoops helps no one; a limited scope is a stronger scope.

If you’re going to be handling sensitive information, it’s time to buckle down and get that CMMC implementation pinned down.

What stage of CMMC implementation have you reached?

If you are one of the 300-ish businesses that have already achieved CMMC records in the SPRS, you’re good to go. Keep doing what you’re doing, make sure to keep on top of security on an ongoing basis, and be sure to bid on the contracts you can win as soon as you can to take advantage of lower competition.

If you are one of the hundreds more who are in the process of implementing CMMC, keep doing what you’re doing. When you get it all done and certified, you can rest assured that you’re in a good position for working with the DoD moving forward.

If you have not yet started to implement CMMC, you have a lot of work ahead of you. Determine what level of CMMC you need to achieve (most likely level 2), figure out what work needs to be done and what evidence needs to be compiled, and get to work.

You’ll also want to find a C3PAO to work with. At Ignyte, we can help both as a C3PAO and as a service provider and consultant. If you have questions, we can advise you. If you need a tool to help you track and maintain all of your compliance tasks across all of the many security controls relevant to CMMC, the Ignyte Assurance Platform is perfect. All you need to do is schedule a call to see it in action.

It’s high time that CMMC became the law of the land, and the clock is ticking. Getting the ball rolling on implementation now will save you trouble later, so the sooner you can get to it, the better.

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Dan Page. Read the original post at: https://www.ignyteplatform.com/blog/cmmc/cmmc-mandatory-defense-contractors/


Source: https://securityboulevard.com/2025/09/cmmc-compliance-becomes-mandatory-for-defense-contractors/