The Cybersecurity Maturity Model Certification program has moved from framework to enforceable law. With the final DFARS acquisition rule (48 CFR) effective November 10, 2025, the Department of Defense has begun adding CMMC requirements to select solicitations. Defense contractors and their subcontractors who have been watching from the sidelines no longer have that luxury.
What the CMMC Program Rule Established
The CMMC Program Rule (32 CFR Part 170) became effective December 16, 2024, establishing the foundational requirements of the program. It defined the three CMMC levels, assessment requirements, and the ecosystem of certified third-party assessment organizations, known as C3PAOs. The November 2025 DFARS rule is the acquisition counterpart: it is the mechanism through which CMMC requirements actually appear in contracts and subcontracts.
Together, these two rules form a complete regulatory framework. The program rule tells you what CMMC is and what certification entails. The acquisition rule tells you when and how it applies to specific procurements. Both must be understood together to navigate compliance.
The Three CMMC Levels Explained
CMMC 2.0 streamlined the original five-level model down to three levels, each mapped to a specific class of federal information and a corresponding assessment type.
- Level 1 (Foundational): Applies to contractors handling Federal Contract Information (FCI). Requires implementation of 17 basic safeguarding practices from FAR 52.204-21. Self-assessment is permitted, and organizations must affirm compliance annually.
- Level 2 (Advanced): Applies to contractors handling Controlled Unclassified Information (CUI). Requires implementation of all 110 security requirements from NIST SP 800-171 Revision 2. Most Level 2 contractors must undergo a third-party assessment by a DoD-authorized C3PAO every three years. A subset of lower-priority programs may use annual self-assessments.
- Level 3 (Expert): Applies to contractors on DoD's highest-priority programs handling CUI. Requires NIST 800-171 plus additional requirements from NIST 800-172. Assessments are conducted by the Defense Contract Management Agency.
Who Is Affected and When
The DFARS rule implements a phased rollout. Beginning November 10, 2025, CMMC requirements are being added to select DoD solicitations. This does not mean all contracts immediately require CMMC certification. The DoD is incorporating requirements into solicitations over time, starting with programs that present higher cybersecurity risk.
Critically, the requirements flow down to subcontractors. A prime contractor subject to CMMC Level 2 must ensure that any subcontractor handling CUI on that contract also meets CMMC Level 2 requirements. This makes CMMC a supply chain issue, not just a prime contractor issue. Small businesses operating as second-tier or third-tier subcontractors need to understand where they sit in the flow of FCI and CUI, and therefore which level applies to them.
The Role of SPRS Scores and Self-Attestation
For Level 1 and Level 2 self-assessment paths, contractors must submit their scores to the Supplier Performance Risk System (SPRS). This score represents the contractor's current implementation status against NIST 800-171 requirements, on a scale from -203 to 110. A score of 110 indicates full implementation of all 110 controls; every unimplemented control lowers the score.
The SPRS score is visible to contracting officers and is increasingly used as a risk signal in source selection. A low or missing score is a red flag. Contractors who submitted Plans of Action and Milestones (POA&Ms) under prior DFARS rules need to understand that the CMMC framework leaves far less room for unimplemented controls at the time of contract award.
What Contractors Should Do Now
- Determine your CMMC level. Identify whether your contracts involve FCI, CUI, or both. Review your existing contract clauses and reach out to your contracting officer if your CUI classification is unclear.
- Conduct or update your NIST 800-171 self-assessment. If you have not submitted a score to SPRS or your score is outdated, this is the first concrete step.
- Identify gaps and build a remediation roadmap. A POA&M can still address certain gaps, but critical requirements must be implemented before award. Work with your leadership team to prioritize.
- Engage a C3PAO early if you anticipate needing Level 2 third-party assessment. Assessment availability is limited and wait times are real.
- Audit your subcontractor chain. Ensure that any subcontractor handling CUI understands its CMMC obligations. This is now your contractual responsibility as the prime contractor.
The CMMC program is no longer a future requirement. It is in active solicitations now. Contractors who begin their compliance journey today are better positioned than those waiting for a contract clause to force action.