Last Updated on September 10, 2025
The future of cybersecurity in the US defense supply chain is finally here. The US Federal Register has been updated to announce the effective date for the 48 CFR Final Rule as Monday, November 10, 2025. The US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program is no longer “speculative” in any way. Requirements for CMMC Level 1 are imminent (effective on November 10, 2025), as are those for CMMC Level 2 (November 10, 2026). Contractors that adopted a “wait and see” attitude about elevating their cybersecurity are now at a competitive disadvantage.
This article covers the latest CMMC activity, including the effective 48 CFR Final Rule date and what to expect once the rollout begins.
Key takeaways
- The CMMC 2.0 rollout will start on November 10, 2025.
- Phase 1 of the CMMC rollout will immediately require CMMC Level 1 and Level 2 compliance self-assessments as a pre-award condition for new contracts.
- The 48 CFR Rule also includes a requirement for continuous CMMC compliance attestation, plus a mandate to notify contract officials any time changes are made to a system that handles CUI.
- Defense contractors that handle controlled unclassified information (CUI) need to be ready for a third-party CMMC Level 2 assessment no later than November 10, 2026.
What is the effective CMMC rule date?
As officially announced in the Federal Register on September 10, 2025, the effective rule date for the 48 CFR CMMC rule is November 10, 2025.
This means that nearly all new DoD contracts will require CMMC compliance starting on that date. Compliance will most likely take the form of a CMMC Level 1 and Level 2 self-assessment during this initial CMMC rollout phase (first 12 months). However, some solicitations will likely include requirements for CMMC Level 2 certification via third-party C3PAO assessment.
While everyone focuses on the November 10, 2025 effective rule date, it is key to know that the CMMC Level 2 certification requirements (now available via the updated DFARS 252.204-7021 clause) will be added to new and renewing contracts 12 months after the effective rule date. This is what DoD is calling “Phase 2” of the 48 CFR rollout. This date—November 10, 2026—is the one that all contractors are now circling in red.
What is the 48 CFR CMMC Rule?
Two regulations implement the CMMC program:
- 32 CFR Part 170 defines CMMC policy, maturity levels and controls/requirements, roles, how waivers will function, and assessment parameters.
- 48 CFR Parts 204, 212, 217, and 272 implement CMMC acquisition policy and create standardized contract language.
The 32 CFR rule has been in effect since December 2024. However, the final 48 CFR rule is needed to authorize the addition of CMMC language in DoD contracts and solicitations. Its publication in the Federal Register will put 48 CFR into effect on November 10, 2025, as noted above.
This is the final action that will officially make CMMC a legally enforceable contract requirement. Specifically, 48 CFR’s go-live will mandate the insertion of the DFARS 7021 clause into DoD contracts and require contracting officers to include CMMC language in solicitations. It also initiates the four-phase CMMC rollout.
Other important requirements within the 48 CFR rule include:
- Flowdown to subcontractors. 48 CFR specifies mandatory flowdown of requirements at the appropriate CMMC certification level to all subcontractors in the supply chain that handle federal contract information (FCI) or CUI.
- A continuous compliance mandate. 48 CFR requires defense contractors to maintain the CMMC level specified in their contract throughout the contract’s duration. This includes submitting alphanumeric DoD unique identifiers (UIDs) for all systems that will store, process, and/or transmit CUI, and affirming continuous compliance based on self-assessment or third-party certification.
- A requirement to report system modifications. 48 CFR will further require DoD contractors and subcontractors to notify the contracting officer whenever they modify a system that handles CUI in the course of the contract. The notice must include new UIDs for the updated system(s) so the DoD can review all changes for compliance.
- Senior leadership affirmations. A senior company official must complete all required CMMC compliance affirmations, including attestations that a company’s self-assessment or certification remains current and in compliance. These attestations must be made annually.
What are prime contractors saying about CMMC compliance?
DoD prime contractors continue to remind subcontractors that handle CUI that they are already required per the DFARS 7012 and DFARS 7020 clauses in current contracts to self-assess their compliance with NIST 800-171 Rev. 2 and submit their assessment scores to the DoD’s Supplier Performance Risk System (SPRS).
The assumption is that all defense industrial base (DIB) orgs that handle CUI are already fully compliant with NIST 800-171 today, and thus ready for CMMC Level 2. Many primes require their subs to provide notice if they are not in full compliance.
All DIB orgs that handle CUI are encouraged to prepare now for their upcoming CMMC Level 2 third-party certification assessment. The DoD likewise encourages all DIB orgs to join the National Defense Information Sharing Analysis Center (ND-ISAC) for threat intelligence and sharing, as well as support for CMMC compliance and best practices.
What will the CMMC four-phase rollout look like?
On November 10, 2025, the DoD’s phased CMMC rollout will officially begin. These are the four rollout phases in a nutshell:
- Phase 1 will immediately require CMMC Level 1 and Level 2 compliance self-assessments as a pre-award condition for new contracts. The DoD may also require CMMC Level 2 third-party certification assessments during Phase 1.
- Phase 2 will begin one year after the start of Phase 1 (November 10, 2026). At this point, most DIB orgs that handle CUI will need a CMMC Level 2 certification to participate in new or renewing contracts. Likewise, CMMC Level 3 assessments for high-priority programs will begin with this phase.
- Phase 3 will begin one year after the start of Phase 2 (November 10, 2027). By this time, all applicable DoD contracts must include Level 2 and Level 3 third-party assessments as conditions for contract award.
- Phase 4—full CMMC 2.0 implementation—will begin one year after the start of Phase 3 (November 10, 2028). Now all DoD contracts, solicitations, and option periods will require CMMC Level 1, 2, or 3 compliance.
DIB orgs that handle CUI should be fully prepared or actively preparing now for their third-party CMMC Level 2 certification assessment. This may be a contract requirement as soon as November 10, 2025, based on contracting officers’ “discretion.” But realistically, for many contractors this will be sometime after Phase 2 begins on November 10, 2026.
If you are hoping for a waiver of your CMMC Level 2 requirements, one is highly unlikely. Waivers will be predetermined at the acquisition level and will not be granted upon request or to late bidders. Waivers are not for contractors, but for contracts themselves. If you see the CMMC certification requirement on an RFP/RFQ, the waiver process for that requirement has already taken place.
What’s next?
It’s been five years since the release of CMMC 1.0 in September 2020—but the CMMC program has finally arrived. If you need a CMMC Level 2 third-party certification in 2026, you have no time to waste.
CBIZ Pivot Point Security offers a full complement of CMMC advisory and consulting services. Contact us today to connect with a CMMC expert about your company’s unique compliance scenario and how we can help ensure you can continue to compete for business with the DoD.