
CMMC Deadline 2025 Update: Final Rule Published, Enforcement Beginning on November 10

September 10, 2025

Author: Anna Fitzgerald, Senior Content Marketing Manager

Reviewer: Rob Gutierrez, Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

As of September 10, 2025, the 48 CFR CMMC Acquisition rule officially cleared regulatory review and was published in the Federal Register. The rule will become enforceable in 60 days, at which point Phase 1 of the CMMC rollout will begin.

This means CMMC requirements will begin appearing in DoD contracts on November 10, 2025, with Level 1 and Level 2 self-assessments required in most cases. In select cases, third-party Level 2 assessments may be required during this phase.

Keep reading for a full breakdown of what this means for the Defense Industrial Base (DIB), what to expect from the phased rollout, and how Secureframe can help you get assessment-ready in time.

What’s the 48 CFR rule and clause 204.7503 specifically?

To understand the significance of this announcement, it’s helpful to be familiar with the rulemaking process behind CMMC 2.0.

CMMC 2.0 has already been finalized through the 32 CFR rule, which governs the overall structure and policy of the CMMC program and went into effect in December 2024. However, CMMC requirements have not yet appeared in DoD contracts.

That’s because it takes a second rule — the 48 CFR CMMC Acquisition rule — to implement Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, which formally makes CMMC certification a condition of contract award. It does so through clause 204.7503, the contract clause prescription, which specifies exactly how and when those requirements must be included in solicitations and contracts.

Here’s what clause 204.7503(b) says:

“The Contractor shall have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.”

Previously, this clause referenced October 1, 2025 as a start date, but that was a holdover from CMMC 1.0 and has officially been removed.

The 48 CFR rule was submitted to the Office of Information and Regulatory Affairs (OIRA), part of the Office of Management and Budget (OMB), on July 22, 2025 and cleared regulatory review approximately six weeks later, on August 25, 2025.

[Figure: Open DFARS Cases as of 8/29/2025]

It was published in the Federal Register on September 10, 2025 and becomes enforceable 60 days from the publication date. This means Phase 1 will officially start on November 10, 2025, when the DoD will begin including CMMC requirements in most new contracts, starting with self-assessments. According to DoD estimates in the 32 CFR rule, these requirements will likely apply to 65% of the DIB.

Bottom line: CMMC will become enforceable starting in November 2025, with most new DoD contracts requiring at least CMMC Level 1 or Level 2 (self) certification at the time of award.

Recommended reading

Who Needs CMMC Certification?

What happens next in the phased rollout?

Now that the 48 CFR rule has been published in the Federal Register, it will become enforceable in 60 days on November 10, 2025.

On that day, the CMMC phased rollout will officially begin.

According to the phased implementation plan detailed in 32 CFR § 170.3(e), CMMC requirements will be added incrementally to DoD contracts in four phases, with each phase kicking off one year after the preceding one:

  • Phase 1 (November 10, 2025): Requires CMMC Level 1 or Level 2 self-assessments in applicable contracts and solicitations. Level 2 third-party assessments may be required at the DoD’s discretion. Begins 60 days after the 48 CFR rule was published as final in the Federal Register.
  • Phase 2 (2026): Requires third-party assessments for Level 2 certifications for new contracts.
  • Phase 3 (2027): Requires CMMC Level 2 certifications to exercise option periods on applicable contracts awarded after the effective date of the CMMC rule and introduces Level 3 certifications.
  • Phase 4 (2028): Full implementation of CMMC requirements across all applicable DoD contracts.

[Figure: From Interim Rule to Full Enforcement: CMMC Compliance Timeline Through 2028]

While the full rollout is expected to extend through 2028, organizations cannot afford to wait until then.

Phase 1 will impact the majority of contractors and may require self and third-party assessments depending on contract criticality. In short, most of the DIB will have to implement CMMC as soon as possible.

Recommended reading

CMMC Enforcement Starting November 10, 2025: An Update on the Latest 48 CFR Rulemaking Milestone

What this means for the Defense Industrial Base

If you handle Federal Contract Information (FCI), Security Protection Data (SPD), or Controlled Unclassified Information (CUI) and plan to bid on DoD contracts this year, or want to remain a subcontractor for prime contractors doing so, you’ll need to be CMMC certified starting in November.

The DoD estimates that 99% of the entities that get CMMC certified will be at Levels 1 and 2: 63% for L1 (self), 2% for L2 (self) and 35% for L2 (C3PAO).

  • CMMC Level 1: For organizations handling FCI, Level 1 requires implementation of 15 basic safeguarding requirements from FAR 52.204-21 and a self-assessment.
  • CMMC Level 2: For organizations handling CUI or SPD, Level 2 requires implementation of all 110 requirements and 320 assessment objectives from NIST 800-171 and a C3PAO-led assessment for most contracts (self-assessments are limited to select non-critical contracts).

To meet Level 1 requirements, contractors should:

  • Understand what FCI is and where it resides in your environment
  • Implement controls to meet the 15 requirements from FAR 52.204-21
  • Maintain documentation and evidence showing these practices are in place and operating effectively
  • Ensure access controls, device protections, and data handling procedures align with the CMMC scoping guide for Level 1
  • Perform and submit a self-assessment, including an affirmation from a senior company official

While Level 1 is less complex than Level 2, organizations should not underestimate the effort required. Self-assessments can still be time-consuming, especially without tools to help track and document control implementation across teams and systems.

CMMC Level 1 Compliance Checklist

Download this checklist for CMMC 2.0 Level 1 listing all requirements and assessment objectives to help guide your compliance efforts and assessment preparations before enforcement begins.

To meet Level 2 requirements, contractors should:

  • Identify your assessment scope by mapping where CUI and/or SPD resides and what systems, users, and vendors interact with it
  • Fully implement the 110 controls and 320 assessment objectives from NIST SP 800-171
  • Document your control implementation in a detailed System Security Plan (SSP) and Plan of Actions and Milestones (POA&M)
  • Inventory in-scope vendors, assets, and data flows and confirm vendor compliance
  • Conduct a gap assessment to validate implementation and readiness
  • Select a C3PAO with certified assessors, clear communication processes, and audit availability aligned with your timeline

CMMC Level 2 compliance is much more complex and time-intensive, especially compared to other frameworks like SOC 2 and ISO 27001.

Since these steps must be completed before contract award and demand for assessment services will surge, the time to get ready is now.

Are you just getting started with CMMC? Check out our Pocket Guide to CMMC for a high-level overview of the CMMC 2.0 history, levels, and requirements to help orient your compliance journey.

Recommended reading

How Long Does It Take to Get CMMC 2.0 Certified?

Why now is the time to get started

Now that the 48 CFR rule is final and published in the Federal Register and the countdown to the CMMC phased rollout is official, pressure to achieve CMMC certification is at an all-time high, especially for small and midsize contractors who may be new to CMMC 2.0.

Here are five of the most compelling reasons to get started on your compliance journey now:

1. Enforcement is no longer theoretical

CMMC will begin showing up in DoD contracts on November 10, 2025, starting with self-assessments and some C3PAO assessments for Level 2. If you delay CMMC readiness until 2026, you may already be out of the running.

Preparing for CMMC certification, especially for a Level 2 certification, can take several months—or longer—depending on your current posture, resource availability, and assessment readiness. The earlier you start, the more options you’ll have.

2. CMMC is significantly more complex than other frameworks

Many organizations mistakenly assume that CMMC will be similar to frameworks they’ve already achieved, like SOC 2 or ISO 27001. But that’s not the case.

“Coming from an organization that has gone through SOC 2 and ISO 27001 certification — and as an auditor who has performed hundreds of PCI audits — I can say that CMMC is on another level,” said Marc Rubbinaccio, Head of Security and Compliance at Secureframe, in a recent IQT GPA webinar.

That complexity shows up in every stage of the process — from defining your scope and implementing 110 NIST 800-171 controls, to developing extensive documentation like your System Security Plan (SSP), which can stretch well beyond 150 pages. Waiting too long to prepare means you’re not just racing against the clock — you’re doing so with one of the most demanding federal compliance frameworks out there.

3. The CMMC ecosystem is already showing signs of strain

Demand is already outpacing supply in the CMMC ecosystem, and that pressure will only grow now that the deadline is final:

  • There are more Organizations Seeking Certification (OSCs) than authorized assessors available
  • C3PAO waitlists and costs are rising as demand for assessors grows
  • Primes are putting pressure on subcontractors to prove CMMC readiness ahead of contract flow-downs

The longer you wait, the harder (and more expensive) it may be to get on an auditor’s calendar before the deadline.

4. You may be in scope even if CMMC or CUI isn’t in your contract

For some service providers, CMMC certification is the most efficient way to meet their responsibilities, even if they’re not directly under contract with the DoD.

Cloud platforms, SOCs, and MSSPs that support defense contractors are often pulled into CMMC assessments as part of the contractor’s boundary and/or as part of flow-down requirements. These providers are then responsible for supplying evidence of their control implementation to every customer undergoing an audit.

Getting CMMC compliant yourself can reduce the burden of participating in each of your customers’ assessments, and strengthen your security posture and competitive advantage.

5. CMMC certification will be a competitive advantage

While some view CMMC compliance as a cost of doing business, others see it as an opportunity to stand out in a crowded market.

As of June 2025, Secureframe customer Manufacturing Consulting Concepts (MCC) had already achieved CMMC Level 2 compliance and is able to provide that assurance when customers ask for proof.

Getting CMMC certified will open doors if you’re planning to work directly with the DoD or their contractors.

Whether you’re a subcontractor handling FCI, SPD, or CUI or a prime bidding on major defense contracts, starting your compliance journey now is the best way to avoid a last-minute scramble—or worse, losing eligibility for new business.

Recommended reading

How to Achieve CMMC Certification: Navigating Compliance from Start to Finish

How Secureframe can help you get ready before the CMMC deadline

With this rulemaking milestone and enforcement imminent, the window for CMMC preparation is closing fast. If you’re a defense contractor or subcontractor, your organization needs to be ready for a Level 1 or 2 assessment sooner rather than later.

Secureframe can help you fast-track your assessment readiness with everything needed to meet CMMC requirements in one centralized platform:

  • Automatically assess compliance gaps and collect and organize evidence from across your tech stack to support all 15 requirements for Level 1 or 110 requirements and 320 assessment objectives for Level 2
  • Generate your SSP, POA&M, and SPRS score without relying on spreadsheets and manual formatting
  • Continuously monitor controls for misconfigurations and failures across 300+ integrations
  • Get guided support from former federal auditors with FedRAMP and CMMC expertise — including our own first-hand experience navigating both frameworks
  • Map CMMC controls to 40+ other frameworks, including FedRAMP, GovRAMP, and NIST 800-53
  • Access pre-built policy templates mapped to NIST 800-171 and CMMC 2.0
  • Collaborate seamlessly with Coalfire Federal or your chosen C3PAO within the platform to streamline the assessment process

CMMC is happening. Whether you’re just getting started or need to accelerate in the final stretch, Secureframe gives you the tools and support to get assessment-ready fast. Don’t wait until the last minute.

Schedule a demo to see how Secureframe can help you hit the deadline with confidence.

This post was originally published on July 24, 2025 and has been updated for accuracy and comprehensiveness based on updates in the 48 CFR rulemaking process.
