On September 10, 2025, the Federal Register published the long-awaited final rule amending Title 48 of the Code of Federal Regulations (48 CFR) to incorporate the Cybersecurity Maturity Model Certification (CMMC) directly into Department of Defense (DoD) contracts. This marks a decisive turning point for the defense industrial base (DIB): what began as a policy framework under 32 CFR Part 170 will now have binding contractual force. The rule is scheduled to become effective sixty days after publication, meaning that by November 2025 contractors will be legally required to demonstrate compliance with specific CMMC requirements before they can be awarded, or perform on, most new DoD contracts.
The 48 CFR CMMC Final Rule Has Two Primary Objectives
Assurance of Information Protection
To provide the DoD with confidence that defense contractors can adequately protect sensitive unclassified information at a CMMC level appropriate to the risk, including information shared with subcontractors across the supply chain.
Statutory Implementation
To partially implement section 1648 of the National Defense Authorization Act (NDAA) for Fiscal Year 2020, specifically paragraph (c)(2), by establishing these cybersecurity requirements in the acquisition process.
From Policy to Law: The Evolution of CMMC
CMMC was first introduced in 2019 as DoD’s response to systemic weaknesses in the protection of controlled unclassified information (CUI) across its vast supplier ecosystem. Building on NIST SP 800-171 requirements, the program aimed to standardize expectations and create a tiered certification framework. After several revisions, CMMC 2.0 was finalized in December 2024 through 32 CFR Part 170. That rule defined levels of certification, clarified assessment procedures, and established waiver authorities.
Yet, as important as that step was, 32 CFR Part 170 alone did not compel contractors to comply. It set out the framework, but it lacked the contractual hook. For CMMC to bite, it had to be embedded in the Defense Federal Acquisition Regulation Supplement (DFARS). That is precisely what the new 48 CFR rule achieves. By amending key sections of 48 CFR — specifically Parts 204, 212, 217, and 252 — it authorizes contracting officers to insert DFARS clause 252.204-7021 into solicitations and contracts. Once present, that clause makes CMMC a condition of award and performance.
The Road Through OIRA Review
The journey of the 48 CFR rule has been deliberate and highly scrutinized. The DoD submitted the final package for review to the Office of Information and Regulatory Affairs (OIRA) on July 22, 2025. Under federal administrative procedure, OIRA is granted 90 days to evaluate economically significant rules, with an option for a 30-day extension. During this period, stakeholders raised concerns, but the urgency of securing sensitive defense data pushed the process forward.
Publication in the Federal Register is the last procedural milestone. Once published, the rule takes effect after 60 days, barring a congressional override. This puts the effective date in early to mid-November 2025 — an aggressive timeline considering the scale of compliance work still outstanding across the DIB.
Immediate Enforcement Upon Effectiveness
When the November 10, 2025, effective date arrives, contracting officers will begin incorporating CMMC clauses into applicable solicitations and awards. Contractors should note that the clause will appear only in new contracts and in new contract option years. There is no expectation of a grace period. Contractors that cannot demonstrate certification at the required level for a given opportunity will be considered ineligible for award. This is a significant departure from past practice, where self-attestation sufficed under DFARS 252.204-7012 and 252.204-7019 (Primes)/7020 (Subcontractors).
The final rule also makes clear that compliance is not a one-time hurdle. Contractors must maintain certification for the duration of contract performance. Certification lapses or misrepresentation could trigger remedies ranging from contract termination for default to False Claims Act exposure.
By the Numbers
During the phased implementation of the CMMC rule, it is estimated that 1,104 small entities will be affected in year one, increasing to 5,565 in year two, 18,554 in year three, and reaching 229,818 by year four and beyond, encompassing both prime contractors and subcontractors. By the fourth year, all offerors for DoD contracts involving contractor information systems that process, store, or transmit federal contract information (FCI) or CUI must have at least a CMMC Level 1 self-assessment or the level specified in the solicitation, except for contracts exclusively for commercial off-the-shelf (COTS) items. The appropriate CMMC level will be determined by the program office or requiring activity, and estimates for impacted entities exclude those dealing solely with COTS items due to tracking limitations.
“DoD anticipates that the following mix of self-assessments and certificates will occur starting in Year 4; however, it is likely to change based on component program office discretion regarding whether a CMMC status is required and, if so, at what CMMC level:”
The CMMC Phased Rollout
The DoD will implement the rule in four phases, beginning with lower-tier contracts. Phase One focuses on self-assessments for organizations handling only FCI at Level 1, or CUI at Level 2 where the contracting officer permits self-validation. For more sensitive CUI, however, contracting officers may immediately require third-party assessments conducted by a Certified Third-Party Assessment Organization (C3PAO).
As subsequent phases unfold, third-party assessments will expand to cover more Level 2 work, and eventually Level 3 for contracts involving highly sensitive data. While the DoD has yet to publish the exact pacing, history suggests that by 2026 and 2027, the bulk of new contracts will demand CMMC Level 2 third-party certification as a baseline requirement. The ultimate goal is full coverage of the DIB by the end of the decade.
CMMC Phased Implementation
In some procurements, DoD may implement CMMC requirements in advance of the planned phase.
CMMC and Contracting Award Conditions
For contracting officers, the policy requires that solicitations include the required CMMC level as specified by the program office or requiring activity, and this level must be included in the solicitation provision and contract clause as prescribed at 204.7504. Contracts, task orders, or delivery orders cannot be awarded to offerors lacking a current CMMC status at the required level, and contracting officers must check the Supplier Performance Risk System (SPRS) to verify that the offeror’s CMMC status is posted at or above the required level for each CMMC unique identifier (UID) provided, applicable to all contractor information systems processing, storing, or transmitting FCI or CUI.
Contractors must achieve and maintain the specified CMMC level for all relevant information systems throughout the contract’s duration, and contracting officers must also verify SPRS before exercising options or extending periods of performance to ensure continued compliance for each CMMC UID.
Awards or contract modifications can only proceed if the offeror’s or contractor’s CMMC status is listed and meets or exceeds the required level; for CMMC Levels 2 and 3, a conditional status is acceptable for up to 180 days from the CMMC status date, while Level 1 requires a final CMMC status for award. If a contractor provides new CMMC UIDs during contract performance, the contracting officer must verify in SPRS that each new UID meets the required CMMC level or higher for any information systems used to process, store, or transmit FCI or CUI.
Contractor Requirements
Contractors must maintain a current CMMC status at the required level (as specified in the contract) for all information systems used to process, store, or transmit FCI or CUI throughout the contract’s duration. They must ensure that only systems meeting this CMMC level are used for such data and flow down the appropriate CMMC requirements to all subcontracts and contractual instruments. Contractors are required to annually affirm, via an authorized official, continuous compliance with the specified CMMC level in the SPRS for each relevant system. Subcontractors and suppliers must also complete and maintain annual affirmations of compliance before subcontract award. If operating under a Conditional CMMC status, contractors must successfully complete a plan of action and milestones to achieve a Final CMMC status.
Key Requirements
The rule imposes several new obligations on offerors and contractors responding to solicitations or holding contracts that require CMMC certification:
SPRS Posting
Contractors must post the results of their current CMMC status in the SPRS for each CMMC UID not already covered by a third-party (C3PAO) or Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment at the required CMMC level (or higher). This applies to all contractor information systems processing, storing, or transmitting FCI or CUI for contract performance.
Eligibility
The offeror may be considered ineligible for contract award if any information system used to process, store, or transmit FCI or CUI during contract performance does not meet the required CMMC status.
Maintenance of CMMC Status
Contractors are required to maintain the necessary CMMC level throughout the contract’s duration.
UID Reporting
The offeror must include in their proposal the CMMC UIDs from SPRS for each information system that will handle FCI or CUI during contract performance, and update the list if new UIDs are generated. These UIDs are provided in SPRS after the offeror submits self-assessment results for each system.
Continuous Compliance Affirmation
Contractors must have a current affirmation in SPRS that they continuously comply with the security requirements specified in 32 CFR part 170 for each CMMC UID.
Plan of Action and Milestones (POA&M)
If an offeror has a Conditional CMMC status, they must complete a valid plan of action and milestones, as outlined in 32 CFR 170.21, to achieve a Final CMMC status.
These requirements apply to both offerors responding to solicitations with a CMMC requirement and contractors with existing contracts containing a CMMC requirement, particularly before exercising contract options. However, they do not apply to contracts that do not involve the handling or transmission of FCI or CUI.
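The award conditions and key requirements above reduce to a per-UID decision rule: every CMMC UID in the proposal must be posted in SPRS at or above the required level, a Conditional status counts only for Levels 2 and 3 and only within 180 days of the status date, Level 1 needs a Final status, and each UID needs a current affirmation of continuous compliance. The following is an added illustration of that rule written for this article, not DoD or SPRS code; the record layout, UID strings and dates are constructed, and the real SPRS data and 32 CFR Part 170 definitions govern.

```python
"""Pre-award eligibility check modelled on the 48 CFR CMMC award conditions.

Added example. SPRS exposes no such API; the record layout below is an
assumption used to make the decision rule explicit and testable.
"""
from dataclasses import dataclass
from datetime import date, timedelta

CONDITIONAL_WINDOW_DAYS = 180  # Conditional status acceptable for Levels 2 and 3


@dataclass
class SprsRecord:
    uid: str            # CMMC unique identifier for one information system
    level: int          # CMMC level posted for that system: 1, 2 or 3
    status: str         # "Final" or "Conditional"
    status_date: date   # CMMC status date posted in SPRS
    affirmed: bool      # current affirmation of continuous compliance on file


def check_uid(rec: SprsRecord, required_level: int, today: date) -> list[str]:
    """Return the reasons this UID fails the award condition (empty = passes)."""
    problems = []
    if rec.level < required_level:
        problems.append(f"{rec.uid}: Level {rec.level} is below required Level {required_level}")
    if rec.status == "Conditional":
        if rec.level == 1:  # Level 1 requires a Final status for award
            problems.append(f"{rec.uid}: Conditional status not acceptable at Level 1")
        elif today > rec.status_date + timedelta(days=CONDITIONAL_WINDOW_DAYS):
            problems.append(f"{rec.uid}: Conditional status older than 180 days")
    elif rec.status != "Final":
        problems.append(f"{rec.uid}: unrecognised status {rec.status!r}")
    if not rec.affirmed:
        problems.append(f"{rec.uid}: no current affirmation of continuous compliance")
    return problems


def award_eligible(proposal_uids, sprs, required_level, today):
    """Every UID listed in the proposal must be posted in SPRS and pass check_uid."""
    problems = []
    for uid in proposal_uids:
        rec = sprs.get(uid)
        if rec is None:
            problems.append(f"{uid}: not posted in SPRS")
            continue
        problems.extend(check_uid(rec, required_level, today))
    return (not problems, problems)


# Constructed sample data; TODAY is the rule's effective date from the article.
TODAY = date(2025, 11, 10)
SAMPLE_SPRS = {
    "UID-A": SprsRecord("UID-A", 2, "Final", date(2025, 6, 1), True),
    "UID-B": SprsRecord("UID-B", 2, "Conditional", date(2025, 4, 1), True),   # window expired 2025-09-28
    "UID-C": SprsRecord("UID-C", 1, "Final", date(2025, 5, 15), True),        # Level 1 only
    "UID-D": SprsRecord("UID-D", 2, "Conditional", date(2025, 8, 1), True),   # window open until 2026-01-28
    "UID-E": SprsRecord("UID-E", 3, "Final", date(2025, 3, 1), False),        # affirmation lapsed
}

if __name__ == "__main__":
    for uid in SAMPLE_SPRS:
        print(uid, award_eligible([uid], SAMPLE_SPRS, 2, TODAY))
```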
Flow-Down Obligations for the DIB Supply Chain
Another critical feature of the rule is its flow-down requirement. Prime contractors must ensure that subcontractors handling FCI or CUI also meet the applicable CMMC level. This cascades the compliance obligation deep into the supply chain, including small businesses and niche suppliers. Primes will be forced to make difficult decisions about whether to sponsor, support, or replace subs that cannot achieve certification in time. The potential for disruption in supply chains is substantial, particularly where specialized vendors play an irreplaceable role in programs of record.
Beyond the Assessment: Sustaining Compliance
Achieving certification is only the beginning. The rule emphasizes that contractors must maintain their CMMC level for the life of the contract. This means continuous monitoring, policy enforcement, and readiness for surveillance assessments. Contractors will need to establish governance structures to track control effectiveness, manage plan of action and milestones (POA&Ms), and ensure that documentation remains current. For many organizations, this represents a shift from project-based compliance exercises to ongoing cyber risk management as an operational discipline.
Note for Adding New Cage Codes to CMMC Certification Post-C3PAO Assessment
Organizations acquiring new companies through Private Equity face significant implications under current DoD CMMC policy when adding new CAGE codes to an existing CMMC-certified environment. According to the latest guidance direct from the DoD CIO to C3PAOs, once a CMMC assessment is finalized and closed by the C3PAO in eMASS (30 days after submission), any addition of new CAGE codes may require a completely new C3PAO assessment for those systems.
This means that private equity firms or parent organizations integrating newly acquired entities cannot simply append new CAGE codes to their current CMMC certification without potentially triggering a costly and time-consuming reassessment process. This can delay integration timelines, increase compliance costs, and introduce operational uncertainty, especially if the acquired company needs to quickly participate in DoD contracts involving FCI or CUI.
Additionally, this policy may impact deal structuring and post-acquisition integration strategies, as buyers must now consider the timing and resources required for CMMC reassessment. Organizations should plan for these compliance hurdles early in the M&A process and coordinate closely with C3PAOs to understand the full scope of requirements and potential disruptions. Until DoD policy evolves, careful planning and proactive compliance management are essential for private equity-backed defense contractors seeking to expand through acquisition.
Contracting Timelines and the Preparation Crunch
The timing of this rule poses a logistical challenge. The average Procurement Administrative Lead Time (PALT) between solicitation and award in the DoD is approximately 32 days. By contrast, preparing for and achieving CMMC Level 2 certification typically requires nine to 12 months. The mismatch is stark: organizations that have not already begun their certification journey are unlikely to be ready when opportunities arrive after the rule takes effect.
In practical terms, this means that contractors waiting for final publication to act will likely be too late. Primes and proactive subcontractors that have already invested in compliance will enjoy a competitive advantage, both in meeting contractual eligibility and in strengthening their reputational standing with DoD program offices. Additionally, primes may be whittling down their preferred subcontractor list to those who meet CMMC certification requirements months in advance of an anticipated RFP. Noncompliant subcontractors may find themselves removed from a prime’s short list of vetted and compliant subcontractors simply because of their inability to provide assurance of compliance.
Waivers Will Be Rare and Limited
Some contractors have held out hope for waivers, but the rule makes clear that these will be rare, limited, and centrally controlled. Waivers are not available on request from contracting officers and cannot be obtained retroactively. They are intended only for exceptional mission needs where compliance is temporarily impossible, and even then, they come with stringent oversight. For most contractors, planning for a waiver is unrealistic. The only reliable path is compliance.
Strategic Advantages of Early Readiness
While the compliance burden is significant, there are strategic advantages to being early. Contractors that achieve certification ahead of the curve can use it as a market differentiator, signaling maturity and reliability to both primes and government buyers. They are also positioned to shape subcontracting relationships, dictating terms to suppliers still lagging behind.
In competitive procurements, contracting officers are unlikely to risk award to bidders with uncertain certification status. Even when CMMC requirements are formally optional in the early phases, many program managers will treat them as de facto mandatory. In this environment, certification is not just about eligibility; it is about credibility.
What Contractors Should Do Now
For organizations across the DIB, the imperative is clear. First, scope the environment and identify which systems handle FCI or CUI. Second, perform a gap analysis against NIST SP 800-171 controls and develop a remediation plan. Third, engage with a C3PAO early if third-party validation is likely to be required (as of the date of this article, most C3PAOs are scheduling into the second quarter of 2026). Fourth, allocate budget and personnel resources now; waiting until solicitations are released will be too late.
Communication with subcontractors is equally important. Primes should assess their supply chains, identify weak links, and either support or replace vendors at risk of noncompliance. Subcontractors should proactively inform primes of their compliance status and timelines, reducing the risk of exclusion.
Finally, all contractors should monitor the Federal Register for the official text of the rule, as well as DoD guidance memoranda that may accompany implementation. Technical nuances in definitions, flow-down obligations, or reporting mechanisms could materially affect compliance strategies.
The Era of Accountability Has Arrived
The September 10, 2025, publication of the final 48 CFR rule represents the culmination of years of policy development and industry debate. It transforms CMMC from a policy aspiration into binding law. For the defense industrial base, it signals the end of voluntary self-attestation and the beginning of enforced accountability.
The final rule’s publication is not the end of the story but rather the beginning of a new era. Over the coming years, the DoD is expected to expand enforcement, refine assessment methodologies, and integrate lessons learned into future revisions. Industry associations will continue to lobby for flexibility, but the overarching trajectory is clear: CMMC is here to stay.
Contractors should expect increased scrutiny, not less, as geopolitical tensions, supply chain attacks, and data exfiltration incidents continue to demonstrate the stakes of inadequate cybersecurity. By 2027 or 2028, it is plausible that CMMC certification will be as routine a contracting requirement as facility security clearances are today.
Contractors that are prepared will find themselves well positioned not only to retain eligibility but to win new opportunities. Those that delay risk exclusion, supply chain disruption, and reputational harm. The message from DoD could not be clearer: Cybersecurity is now a core element of national defense contracting, and compliance is non-negotiable.
Ready to Strengthen Your Cybersecurity and Achieve CMMC Compliance?
BDO’s knowledgeable Cybersecurity Maturity Model Certification (CMMC) team delivers rapid solutions, tailored project plans, and comprehensive CMMC services—including supply chain risk management, contract analysis, and practical workforce training. Let us help you navigate compliance requirements and build a secure, sustainable environment for your organization. Contact BDO today to get started.