DoW Publishes Final CMMC Rule: A New Era of Cybersecurity Accountability in the Defense Supply Chain

by Stuart Itkin | CRO and Chief Security Evangelist

On Wednesday, September 10, 2025, the Department of War (DoW) will publish the Final Rule integrating the Cybersecurity Maturity Model Certification (CMMC) into Title 48 of the Code of Federal Regulations. The rule becomes effective November 10, 2025, and begins a three-year phased implementation that will permanently transform how information security is enforced across the Defense Industrial Base (DIB).

A Long-Awaited Shift from Self-Attestation to Verification

The CMMC program is not a set of new requirements; it is a mechanism to enforce long-standing but largely ignored requirements for defense contractors and their supply chains to protect Controlled Unclassified Information (CUI). For years, defense contractors have been required to implement security controls aligned with NIST SP 800-171 and to report cyber incidents under DFARS 252.204-7012. But compliance was largely based on self-attestation, and many contractors ignored or failed to adequately address the requirements. This left persistent security gaps that our adversaries exploited, stealing sensitive design data, research, and CUI, eroding the U.S. technological advantage and diminishing national security.

CMMC is designed to close those gaps by establishing a new conformity assessment framework that enforces long-standing requirements with rigor and accountability. By tying certification directly to eligibility for DoW contracts, the rule ensures that contractors can no longer claim compliance without verification.

What the Final Rule Requires

The Final Rule establishes CMMC as a binding contract requirement. Beginning November 10, 2025, contracting officers will be prohibited from awarding contracts to companies that do not have a current CMMC status at the level required by the solicitation. Contractors must not only achieve certification at the time of award but maintain it throughout the life of the contract.

Among its most critical provisions, the rule makes clear that:

  • Scope of Applicability: All contractors and subcontractors that process, store, or transmit Federal Contract Information (FCI) or CUI must comply. Contracts solely for Commercial Off-the-Shelf (COTS) items are excluded.
  • Levels of Certification: CMMC remains a three-tier model. Level 1 requires annual self-assessment. Level 2 requires either self-assessment or third-party certification, depending on contract type. Level 3 mandates DoW-led assessments.
  • Verification and Reporting: Companies must register CMMC unique identifiers (UIDs) in the Supplier Performance Risk System (SPRS) and submit annual affirmations of continuous compliance. Cyber incidents must still be reported within 72 hours under DFARS 252.204-7012.
  • Conditional Certification: For Levels 2 and 3, conditional certification may be granted for up to 180 days while companies close out a Plan of Action and Milestones (POA&M).
  • Subcontractor Requirements: Subcontractors must perform self-assessments, submit affirmations in SPRS, and comply with flow-down requirements before receiving work.

Phased Implementation

While the rule becomes effective in November 2025, the DoW will implement it gradually. Over a three-year period, CMMC requirements will be added to select contracts until they become universal in November 2028.

Importantly, primes may accelerate this timeline. Lockheed Martin has already informed its subcontractors that they will be expected to fully comply sooner than the DoW's official schedule.

Companies that wait for the government’s phase-in may find themselves shut out of opportunities by their own supply chain partners.

Why This Matters

The stakes are high. "Data leakage" has cost the U.S. economy hundreds of billions of dollars, and adversaries have repeatedly stolen defense technologies that took decades to develop. The Council of Economic Advisers estimated that malicious cyber activity cost the U.S. economy between $57 and $109 billion in a single year. These losses weaken America's military edge and compromise national security.

By embedding CMMC into the Federal Acquisition Regulation system, the DoW is sending a powerful message: information security is mission critical. Contractors who fail to comply will lose award eligibility, and those who misrepresent compliance risk exposure under the False Claims Act.

What Companies Must Do Now

For the more than 300,000 companies in the defense supply chain, the message is clear: prepare now. That means:

  • Conducting gap assessments against CMMC requirements.
  • Closing deficiencies and documenting plans of action.
  • Registering in SPRS and preparing affirmations of continuous compliance.
  • Engaging with C3PAOs early if Level 2 certification is anticipated.

Addressing all requirements for CMMC conformance and preparing for an assessment is not a quick process. For many organizations, it can take 12 to 18 months to close gaps, implement required practices, and build the documentation needed to demonstrate conformance. Once preparation is complete, the assessment process itself can take up to 10 weeks, and when that assessment can begin depends on the availability of a certified third-party assessment organization (C3PAO).

This means that companies delaying action may find themselves ineligible for new awards or option periods when the rule takes effect. The time for procrastinators, doubters, and those with their heads in the sand has passed. Only those who act now will be positioned to continue supporting the nation's defense mission when CMMC becomes enforceable.

Conclusion

The Final CMMC Rule represents the most significant shift in defense contracting requirements since DFARS 252.204-7012 was introduced nearly a decade ago. By moving from self-attestation to independent verification, the DoW is reinforcing supply chain security as a national defense priority and ensuring that sensitive information remains protected.

Effective November 10, 2025, information security will become as fundamental to defense contracting as cost, schedule, and performance. The time for preparation is now.
