BLOG
October 28, 2025
Travis Good

The CMMC Final Rule: Everything You Need to Know [Updated for 2025]

On September 10, 2025, the Department of Defense (DoD) published the CMMC Final Rule. Here's what it means for DoD contractors.

After years of speculation and delays, the Department of Defense (DoD) has published the Cybersecurity Maturity Model Certification (CMMC) final rule, signaling that the era of self-attestation for defense contractors is ending.

This shift in cybersecurity policy will impact an estimated 300,000 companies in the Defense Industrial Base, from prime contractors down to the smallest subcontractors in the supply chain.

If you build, service, or supply anything for the DoD, this rule applies to you and may mean your government contracts are at risk if you don’t take action.

This guide breaks down the complex final rule into actionable terms, giving you what you need to know and how it may impact your organization.

The CMMC Timeline

The DoD published the final version of the CMMC Defense Federal Acquisition Regulation Supplement (DFARS) Procurement Rule in the Federal Register on September 10, 2025.

Under this Procurement Rule, the DoD can include CMMC requirements in contracts that involve handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) beginning November 10, 2025.

Though CMMC requirements can start appearing in DoD solicitations from November 2025, the rollout is phased: the DoD will not require CMMC in every applicable contract immediately. Requirements will begin to appear in new solicitations shortly after the effective date and expand over the following three years.

CMMC will be a requirement in all applicable DoD contracts by October 1, 2028.

Get more details on the CMMC timeline and deadlines here.

How We Got Here

The DoD released two complementary regulations that, together, formalize and enforce the entire CMMC program:

The Program Rule (Effective Dec. 16, 2024)

This rule formally established the CMMC Program as the DoD's official validation mechanism for supply chain partners. It codified the three CMMC levels (Level 1, Level 2, and Level 3) that determine the security standards you must meet based on the type of government information you handle (FCI or CUI).

It also set out the type of assessment required at each level: a self-assessment for Level 1 (and for the subset of Level 2 contracts the DoD designates as Level 2 Self), a third-party assessment by a C3PAO for the remaining Level 2 contracts, and a government-led assessment by DIBCAC for Level 3, which also requires a Level 2 C3PAO certification as a prerequisite.

The purpose is to give the DoD a way to validate that contractors across the supply chain have actually implemented the required security controls, rather than relying on their own attestations.

The Procurement Rule (Effective Nov. 10, 2025)

This rule, which amends the DFARS (Defense Federal Acquisition Regulation Supplement), is the enforcement engine for CMMC.

Starting November 10, 2025, this rule requires DoD contracting officers (COs) to include the specific CMMC level requirement in new solicitations and contracts as the rollout phases in.

And here is the line that should have every CISO and CEO in the DIB paying attention:

When CMMC requirements are applied, contracting officers will not make an award, exercise an option, or extend the period of performance on a contract if the contractor does not have:

  1. A passing assessment result (self-assessment or certification) for the required CMMC level.
  2. An annual affirmation of continuous compliance, made by a senior company official in the SPRS (Supplier Performance Risk System).

How This Impacts Your Business Today

This is where the rubber meets the road. These rules create three immediate, high-stakes scenarios for every contractor in the DIB.

1. The Hard Stop on New Contracts

The most obvious impact is on new business. If a solicitation comes out with a CMMC Level 2 (C3PAO) requirement and you don't have a current certification from a C3PAO (CMMC Third-Party Assessment Organization) reflected in SPRS, you are not eligible for the award. You need the certification before award, not before the work starts.

2. Existing Contracts May Also Require CMMC

If you’re sitting on a 5-year agreement and think you’re safe, think again. The rule doesn't automatically apply to existing contracts, but contracting officers have the discretion to add CMMC requirements to existing contracts through a modification, and once the requirement is in the contract they cannot exercise an option or extend the period of performance without your required CMMC status.

If you hold any DoD contracts, your existing revenue is likely to become contingent on your CMMC status at the next option exercise or modification. Don’t wait around to start the process; begin certification now.

3. Your Supply Chain is Your Problem

CMMC isn't just about prime contractors. The Procurement Rule requires primes to flow CMMC requirements down to every subcontractor that will process, store, or transmit FCI or CUI in performance of the contract (suppliers of commercial off-the-shelf items are excluded).

This means two things:

  1. If you are a subcontractor: You will be required by your prime contractor to get CMMC certification or risk losing the business.
  2. If you manage subs: You are now responsible for verifying their CMMC status. Your ability to perform on a contract is tied to their compliance.

Why the DoD is Doing This

The DoD isn't just trying to increase paperwork (and your CMMC certification costs). It is trying to stop the bleed of sensitive information and intellectual property.

By requiring verification, the DoD gains real assurance that its partners can protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This protects U.S. national security, and it also protects your intellectual property, the very IP that makes you competitive.

How to Start Preparing for CMMC

1. Identify Your Required Level

First, determine which CMMC level your organization needs. This will depend on the type of data you handle and the specific security requirements in your DoD contracts.

Level 1 applies to organizations handling only FCI, Level 2 to those handling CUI, and Level 3 to a smaller set of contractors handling the DoD's most sensitive CUI in programs the DoD designates.

Most small and mid-sized defense contractors needing CMMC will fall under Level 2.

If you need help with this step or those that follow, a compliance partner such as Workstreet can help you identify exactly which CMMC level fits your contracts.

2. Perform a Self-Assessment

Next, perform a self-assessment of your current cybersecurity practices to determine where your organization stands against the CMMC requirements for your level.

For Level 1, you’ll need to meet the 15 basic safeguarding requirements in FAR 52.204-21 and self-assess against them annually.

For Level 2, you must meet the 110 security requirements in NIST SP 800-171 (Revision 2, the version the rule references). Unless your contract specifically calls for Level 2 (Self), a self-assessment alone will not satisfy the requirement, but it is still the right first step: it identifies gaps in your policies, processes, and technical controls and feeds the System Security Plan (SSP) that assessors will expect to see.

3. Engage a Registered Provider Organization (RPO)

Engaging a Registered Provider Organization (RPO) isn’t a CMMC requirement, but we strongly recommend it. An RPO knows the CMMC process and can help your business achieve the correct level of CMMC compliance in a smooth and timely fashion.

At Workstreet, we can help you achieve CMMC compliance, fast. We can automate your CMMC Level 2 compliance, protect CUI, and win contracts with a complete, AI-enabled security program from the only AI-powered RPO.

4. Remediate Gaps

Once gaps are identified, start the process of remediation. This can involve implementing missing security controls, updating policies, training employees, and documenting all completed actions.

Plans of Action & Milestones (POA&Ms) can be created for requirements you cannot finish implementing before the assessment, but with limits: for Level 2 you still need a score of at least 88 out of 110, requirements worth more than one point in the DoD scoring methodology generally cannot be deferred, a handful of one-point requirements are excluded as well, and every POA&M item must be closed within 180 days or the conditional status lapses.
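Steps 2 and 4 both turn on the scoring behind a NIST SP 800-171 self-assessment, so here is a worked example of that arithmetic. It is added for this edit and is not code from the original post or from Workstreet. It scores a constructed list of gaps the way the DoD Assessment Methodology does (start at 110, subtract each unimplemented requirement's 5, 3 or 1 point weight, with partial credit for MFA and FIPS cryptography) and then applies the Level 2 POA&M limits from 32 CFR 170.21. The WEIGHTS table is a ten-row sample carrying the real methodology weights for those IDs, not the full 110-row table, and the Finding class and summarize helper are this example's own names.

```python
"""Score a NIST SP 800-171 self-assessment and check CMMC Level 2 POA&M eligibility.

Added example, not from the original post. Weights and thresholds follow the
DoD Assessment Methodology and 32 CFR 170.21; the WEIGHTS table is a
constructed ten-row sample of the 110-row table.
"""
from dataclasses import dataclass

MAX_SCORE = 110           # one point per NIST SP 800-171 Rev 2 requirement
POAM_MIN_SCORE = 88       # 80% of 110, rounded up
POAM_DEADLINE_DAYS = 180  # window to close every POA&M item

# Sample of requirement IDs with their DoD Assessment Methodology weights.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.20": 1,   # verify and control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.1": 5,    # create and retain system audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.10.3": 1,   # escort and monitor visitors
    "3.10.4": 1,   # maintain physical access audit logs
    "3.10.5": 1,   # control physical access devices
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct system flaws
}

# Reduced deduction when the requirement is only partially implemented.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# One-point requirements that can never be deferred to a Level 2 POA&M.
POAM_EXCLUDED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    """A requirement that is not fully implemented at assessment time."""
    req_id: str
    partial: bool = False  # only honoured for PARTIAL_CREDIT requirements


def deduction(finding: Finding) -> int:
    """Points subtracted from 110 for this finding."""
    if finding.partial and finding.req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[finding.req_id]
    return WEIGHTS[finding.req_id]


def assessment_score(findings) -> int:
    """Score as reported to SPRS; it can go negative (the floor is -203)."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_eligibility(findings):
    """Return (eligible, reasons) for CMMC Level 2 conditional status.

    An empty reasons list means the open gaps may sit on a POA&M that must
    be closed within POAM_DEADLINE_DAYS.
    """
    findings = list(findings)
    reasons = []
    score = assessment_score(findings)
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below the minimum of {POAM_MIN_SCORE}")
    for f in findings:
        if f.req_id in POAM_EXCLUDED:
            reasons.append(f"{f.req_id} can never be placed on a POA&M")
        elif f.req_id == "3.13.11" and f.partial:
            # Encryption in use but not FIPS-validated: the one >1-point
            # item the rule allows on a POA&M.
            continue
        elif deduction(f) > 1:
            reasons.append(
                f"{f.req_id} is worth {deduction(f)} points and must be "
                "implemented before the assessment"
            )
    return (not reasons, reasons)


def summarize(findings) -> str:
    """Human-readable report for a list of findings."""
    findings = list(findings)
    eligible, reasons = poam_eligibility(findings)
    lines = [f"Score: {assessment_score(findings)}/{MAX_SCORE}",
             "POA&M eligible: " + ("yes" if eligible else "no")]
    lines += [f"  - {r}" for r in reasons]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed gap list: encryption deployed but not FIPS-validated,
    # and visitor access logs not yet in place.
    sample = [Finding("3.13.11", partial=True), Finding("3.10.4")]
    print(summarize(sample))
```

Run it as-is and the report shows a score of 106 but no POA&M eligibility, because 3.10.4 is one of the five one-point requirements the rule never lets you defer; drop that finding and the FIPS gap alone is allowed on a POA&M. The same logic extends to the full table once you fill in the other 100 weights from the methodology.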

5. Schedule the Assessment

For CMMC Level 2 (C3PAO), you’ll need to pass an assessment by a CMMC Third-Party Assessment Organization (C3PAO). Assessors review your SSP, policies, and procedures, interview staff, and verify that each of the 110 requirements is actually implemented across the systems in your CMMC scope.

Passing the assessment is not the end. A Level 2 certification is valid for three years, you must affirm continuing compliance in SPRS annually, and any POA&M items must be closed within 180 days. Keep running internal reviews so that scope changes, new systems, and drifting configurations don’t leave you out of compliance when the next affirmation comes due.

Don't Wait Around

The time to prepare for this was yesterday. The next best time is now.

Achieving a CMMC Level 2 certification is a heavy lift. It means implementing all 110 security requirements from NIST SP 800-171, defining your CMMC scope correctly, gathering hundreds of pieces of evidence, and passing a high-stakes assessment. If you have gaps, you'll need a POA&M with a firm timeline to close them, within the 180 days the rule allows.

This isn't something you can spin up in a weekend.

At Workstreet, we’ve guided dozens of DIB contractors and tech companies through this exact process. Our CMMC services are designed to get you audit-ready, fast. We don't just hand you a to-do list, we partner with you to conduct a gap assessment, build your security program, and stand by you during the audit.

The rules are final. The deadlines are real. Don't wait, start building your defensible security program today.

Travis Good

Architect of security and privacy programs for 1,000+ hypergrowth companies. Author of "Complete Cloud Compliance," HITRUST 3rd Party Council member, and recognized speaker on startup security.