CMMC IS a Real Boy!

What Contractors Need to Know About the 48 CFR Final Rule

On November 10, 2025, the Department of Defense will cross the line from policy to enforcement. The 48 CFR Final Rule will go into effect, and the Cybersecurity Maturity Model Certification (CMMC) will be a contractual requirement. If you want to win or extend DoD contracts, having a current CMMC status in SPRS is no longer optional.


The Rules Behind CMMC

CMMC rests on two rules that work together:

  • 32 CFR Part 170 (effective Dec 16, 2024) created the program. It defined the levels, assessment types, scoping rules, POA&Ms, and affirmations.

  • 48 CFR DFARS (published Sept 10, 2025, effective Nov 10, 2025) brings enforcement by adding CMMC requirements into solicitations and contracts through DFARS 252.204-7025 and 252.204-7021.

One provides the framework, the other makes it binding.


The Rollout Timeline

Like Sands of the hourglass….

CMMC is coming in two waves:

  • Phase 1 (Nov 10, 2025 – Nov 9, 2028): CMMC clauses appear only when directed by DoD program offices. Not every contract will have them, but some already do.
  • Phase 2 (On or after Nov 10, 2028): Mandatory for all contracts involving FCI or CUI. Exemptions apply only to COTS-only awards.

Important note: Level 2 certifications can be required as early as Phase 1 for sensitive CUI contracts. Waiting until 2028 is not an option.


The Three Levels

The model is broken into three levels:

  • Level 1 (Foundational): 17 practices, annual self-assessment. Final status required at award.
  • Level 2 (Advanced): 110 practices (NIST SP 800-171). Self-assessment allowed for non-critical CUI; C3PAO certification required for critical CUI every 3 years. Conditional status allowed for 180 days with a valid POA&M.
  • Level 3 (Expert): Additional practices from NIST SP 800-172. Government-led assessments by DIBCAC every 3 years. Conditional status allowed for 180 days.

DFARS Clauses and the UID

Two clauses drive enforcement:

  • DFARS 252.204-7025 (Solicitation): Pre-award gatekeeper. Requires contractors to list their current CMMC status in SPRS, provide UID(s) for in-scope systems, and submit an affirmation of continuous compliance. No UID or no current status means no award.
  • DFARS 252.204-7021 (Contract): Post-award obligations. Contractors must maintain status, update affirmations annually, submit new UID(s) as systems come into scope, and flow requirements down to subcontractors.

CMMC UID: Every assessment scope gets a 10-character alphanumeric UID in SPRS. It links the certification to the systems that process FCI or CUI, making scoping auditable and contract eligibility verifiable. Primes submit UIDs directly to contracting officers, while subs record theirs in SPRS and typically provide screenshots or certificates to primes.



Prime and Subcontractor Responsibilities

Everyone in the supply chain must comply, but obligations differ.

Subcontractors:

  • Enter UID(s) in SPRS and affirm annually.
  • Provide proof of compliance to primes.

Prime Contractors:

  • Maintain Final or Conditional CMMC status in SPRS.
  • Provide UID(s) to contracting officers with proposals.
  • Insert DFARS 7021 in all subcontracts involving FCI or CUI.

POA&Ms and Their Limits

Plans of Action and Milestones provide some breathing room but only in specific circumstances.

  • Allowed only at Levels 2 and 3.
  • Valid for no more than 180 days.
  • High-priority requirements cannot be deferred.
  • Level 1 contracts must be at Final status at award, no exceptions.

POA&Ms buy short-term time, not long-term flexibility.


Scope and Exemptions

CMMC requirements are intentionally broad. 48 CFR makes it clear that this program is not confined to the largest contracts or the most complex programs.

  • Contracts and Subcontracts with FCI or CUI: If your systems touch Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in any way, the rule applies. This includes prime contracts, subcontracts, task orders, and delivery orders. The obligations don’t stop at the prime contractor level; they flow down to every tier in the supply chain.
  • Below the Simplified Acquisition Threshold (SAT): CMMC isn’t limited to large-dollar awards. The threshold for simplified acquisitions is generally $250,000, but CMMC still applies below that level. This is a key shift. Smaller companies that may only see low-value awards are still expected to meet the same cybersecurity standards if they handle FCI or CUI.
  • Commercial Acquisitions: The rule applies even to commercial products and services bought under FAR Part 12. Just because something is “commercial” doesn’t mean it’s exempt. The only carve-out is for COTS-only awards.
  • COTS-Only Exemption: Commercially available off-the-shelf (COTS) items are excluded. If your contract is solely for buying something off the shelf with no modifications and no handling of FCI or CUI, CMMC does not apply. If that same item is bundled with services or customization where data is exchanged, the exemption no longer applies.
  • Classified Systems and Fundamental Research: CMMC does not extend to classified environments, which are already governed by separate security frameworks. Fundamental research, defined as research published and broadly shared within the scientific community, is also excluded. However, once research data transitions into CUI, CMMC comes into play.
  • Cloud Environments: For contractors using cloud service providers, FedRAMP authorization provides an important equivalency. Using platforms like AWS GovCloud or Microsoft GCC High gives contractors a strong starting point, since FedRAMP standards overlap with many of the CMMC controls. It does not eliminate the need for a contractor’s own compliance work, but it reduces risk and simplifies alignment.

Unless you’re working solely with COTS-only awards, expect CMMC requirements to apply. The scope is deliberately wide to ensure that sensitive defense data is protected consistently across the entire supply chain.


Why You Can’t Wait

CMMC is here….now….really.

  • Contracting officers cannot award, extend, or exercise options without a current CMMC status in SPRS.
  • The average time from solicitation to award is 32–45 days. Achieving compliance takes 9–12 months. Waiting until you see CMMC in a solicitation is too late.
  • DoD projects more than 125,000 Level 2 certifications by Year 4. Assessors and consultants will be booked solid.

How to Get Ready

  1. Run a gap analysis against NIST SP 800-171 (and NIST SP 800-172 if applicable).
  2. Implement missing controls and document policies, procedures, and evidence.
  3. Post results in SPRS, get UID(s), and keep affirmations current.
  4. Schedule C3PAO assessments early if required.
  5. Flow requirements down to subcontractors and verify their compliance.
  6. Treat CMMC as an ongoing program: set up continuous monitoring of the controls so that status and affirmations stay accurate between assessments.

Wrightbrained Can Help You Prepare

The 48 CFR Final Rule made CMMC unavoidable. It is no longer an aspirational program or a future requirement. Contractors who prepare now will be ready when CMMC shows up in solicitations. Those who delay will find themselves without contracts.

Submit the form below and let us know how we can help you prepare for a successful assessment.
