9/9/2025
On September 9, 2025, the Department of Defense released the long-awaited final CMMC rule for public inspection. The following day, September 10, it will be officially published in the Federal Register. And on November 10, 2025—exactly 60 days later—the rule goes into effect.
From that day forward, all new DoD solicitations and contracts will include some level of CMMC requirement as a condition of award. In other words: no CMMC, no contract.
It has been 3 years, 9 months, and 24 days since the DoD announced CMMC 2.0 rulemaking. Now, the waiting is over.
A Quick Refresher on CMMC
The Cybersecurity Maturity Model Certification (CMMC) builds on the requirements of NIST SP 800-171. It establishes a tiered system of assurance designed to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across the defense supply chain.
The final rule formally integrates CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS), making it a binding condition of contract performance.
Key Features of the Final Rule
The final rule clarifies several aspects of CMMC implementation:
- Defined Certification Levels
  - Level 1: Self-Assessment (basic safeguarding of FCI)
  - Level 2: Self-Assessment or C3PAO Certification (for CUI)
  - Level 3: DIBCAC Assessment (highest sensitivity CUI)
- Conditional Certification – Contractors may receive an award with a conditional status (valid for up to 180 days) if they have approved Plans of Action & Milestones (POA&Ms) in place.
- Subcontractor Flowdown – Requirements extend down the supply chain—if a subcontractor touches FCI or CUI, they must meet the appropriate CMMC level.
- Exclusions for COTS – Contracts exclusively for commercial off-the-shelf (COTS) items are exempt.
- Continuous Compliance – Contractors must maintain status in the Supplier Performance Risk System (SPRS) with an annual affirmation of compliance.
The Phase-In Timeline
- November 10, 2025 (Day 1): CMMC requirements begin appearing in all new solicitations.
- First 3 Years: Program managers decide which contracts include CMMC, except COTS-only awards.
- After Year 3: CMMC requirements apply broadly to all contracts where FCI or CUI is handled.
Impact on the Defense Industrial Base
Prime Contractors will need to ensure subcontractors comply before passing on CUI or FCI.
Subcontractors can no longer fly under the radar—if you handle sensitive information, you need certification.
Small Businesses face the same baseline as large primes; while there is conditional status flexibility, there are no blanket exemptions.
International Companies may participate if accredited but still must comply with U.S. requirements.
What Contractors Should Do Now
With only 60 days until the rule takes effect, the time to act is now:
- Update your NIST 800-171 self-assessment.
- Identify the scope of your contractor information systems.
- Register and update SPRS with your CMMC UID(s).
- Develop or close out POA&Ms.
- Engage a C3PAO if a Level 2 certification is required.
Final Thoughts
The CMMC program is no longer a “future requirement.” It is here, it is final, and it is enforceable. Contractors who delay risk losing eligibility for new opportunities.
At Edwards Performance Solutions, we’ve been involved in the CMMC ecosystem from the beginning—as an RPO, C3PAO, APP, and ATP—and we’re here to help organizations prepare, certify, and thrive under the new rule.