After years of waiting, debate, and “almost there” announcements, it’s official: the Cybersecurity Maturity Model Certification (CMMC) has arrived. On September 10, 2025, the Department of Defense (DoD) published the long-awaited final rule in 48 CFR, making cybersecurity certification a real, enforceable requirement for doing business with the DoD. The rule takes effect November 10, 2025—and this time, it’s for real.
CMMC is no longer a theoretical framework or a future initiative. It’s the new standard for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Defense Industrial Base (DIB). For every contractor and subcontractor in the supply chain, that means the countdown to compliance has officially begun.
Key Highlights from the Final Rule
1. Two-Part Rulemaking Now Complete
CMMC rulemaking is now fully in place:
- The Program Rule (32 CFR Part 170) went into effect in December 2024, outlining how CMMC works—its levels, structure, and oversight.
- The new Clause Rule (48 CFR), effective November 2025, adds the CMMC clauses into DoD contracts, making compliance a condition for award.
Together, these rules turn years of planning into enforceable policy. Contractors will now see CMMC requirements written directly into solicitations.
2. Phased Implementation Over Three Years
The final 48 CFR rule officially takes effect in November 2025, but CMMC won’t appear in every contract overnight. The Department of Defense is introducing it gradually over a three-year rollout, starting with a limited set of programs and expanding to most DoD contracts by 2028.
For contractors, this phased schedule is a valuable window of opportunity. It gives you time to get your systems in order, close any gaps, and position your business ahead of the competition. Those who act early—by assessing their CMMC level, documenting controls, and confirming readiness—will have a clear edge as the requirement becomes more widespread.
CMMC compliance isn’t something to rush once a contract demands it; it’s a process best started now, while you still have room to plan, prepare, and move forward confidently.
3. New DFARS Clauses to Watch
The final rule introduces updated and new DFARS clauses that make CMMC compliance legally enforceable:
- DFARS 252.204-7025 — signals which contracts require CMMC.
- DFARS 252.204-7021 — outlines what contractors must do to stay compliant, including maintaining a valid CMMC status for each covered system.
You’ll start seeing these clauses appear in solicitations starting November 2025.
4. Focused Scope: Only Systems Handling FCI or CUI
CMMC applies only to systems that process, store, or transmit FCI or CUI. Systems outside that footprint are not subject to certification—but contractors must clearly define that scope.
Each system in scope must have a unique identifier (UID) in the Supplier Performance Risk System (SPRS), and those UIDs will be required as part of proposal submissions. Defining this correctly will save time and headaches down the road.
5. Certification, Attestation, and Continuous Compliance
Under the final rule, CMMC certifications are valid for three years, but contractors are required to submit annual affirmations to demonstrate that they are maintaining compliance throughout that period. For environments handling CUI, which fall under Level 2 or Level 3, third-party assessments are mandatory to verify adherence to the standard. While Plans of Action & Milestones (POA&Ms) can be used in limited circumstances, critical requirements must be fully implemented before a certification can be awarded. Contractors are also responsible for ensuring that their subcontractors meet the appropriate CMMC level, making supply chain compliance a shared responsibility. In short, CMMC isn’t a one-time checkbox; it’s a continuous process of sustaining strong cybersecurity practices and demonstrating readiness at all times.
What This Means for You
Now that the rule is final, CMMC readiness isn’t optional—it’s essential. Here’s how to stay ahead:
- Identify Your Scope: Determine which systems handle FCI or CUI and map them to the right CMMC level.
- Get Your UID in SPRS: Register each in-scope system. You’ll need that UID for proposals once CMMC appears in solicitations.
- Assess and Fill Gaps: Perform a readiness assessment to find where you stand against NIST 800-171 controls and where you need improvement.
- Build a Continuous Compliance Process: Document your controls, track changes, and keep everything audit-ready.
- Engage Subcontractors Early: Make sure your supply chain is aligned. Compliance doesn’t stop with you—it flows down.
Why Acting Now Matters
The final rule changes the landscape for every DoD contractor. Cybersecurity is now just as important as cost, schedule, and quality. Waiting until a solicitation drops to start preparing could mean missing out on future contract opportunities.
By beginning your CMMC journey now, you’ll avoid the last-minute scramble, reduce assessment costs, and stand out as a trusted, proactive partner to the DoD.
How Rizkly Helps
At Rizkly, we know that compliance doesn’t have to be complicated. Our CMMC automation and compliance platform gives contractors everything they need to prepare, certify, and stay compliant—without drowning in spreadsheets or confusion.
With guided workflows, built-in NIST 800-171 mapping, and expert support, Rizkly makes it easy to move from uncertainty to readiness. Whether you’re a small business or an enterprise contractor, we’ll help you get certified faster and stay audit-ready for every new opportunity.
CMMC isn’t “on the way” anymore—it’s here. Rizkly helps you meet it with confidence.