On September 10, 2025, the Department of Defense (DoD) published its CMMC final ruling in the Federal Register regarding the Cybersecurity Maturity Model Certification (CMMC) Program, which is implemented through the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7021) and is part of Title 48 of the Code of Federal Regulations (CFR).

This CMMC final ruling will take effect on November 10, 2025, with a three-year rollout plan for DoD contracts. By year four (2029), every contractor, regardless of company size, will be required to be fully compliant to maintain an active contract.

What Does the Final Ruling Mean?

  • Beginning November 10, 2025, new DoD contracts will include CMMC Level 1 and 2 requirements.
  • Companies will need to self-assess and submit their scores in the Supplier Performance Risk System (SPRS).  
  • After the three-year rollout, CMMC will be mandatory on all DoD contracts. 

What about the December 2024 CMMC final ruling? 

This ruling differs from 32 CFR Part 170, which governs the CMMC program itself and was finalized in December 2024. Under that CMMC final ruling, contractors have to be certified before contract award, rather than after project launch. This shift removed the prior leniency that allowed companies to catch up during performance; requirements are now enforced earlier and more strictly than before.

The current structure includes three tiers: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Each level builds on the previous one.  

Depending on your level of CMMC, the requirements and timelines differ: 

  • Level 1 requires an annual self-attestation covering 17 controls (FAR 52.204-21).
  • Level 2 certification now requires assessment through a certified third-party organization (C3PAO) unless the contract includes only low-risk FCI. This level must be assessed every three years with yearly affirmations in between. 
  • Level 3, designed for the most sensitive data environments, includes direct DoD evaluations.  

All organizations are required to report progress in the Supplier Performance Risk System (SPRS). Provisional Plans of Action and Milestones may allow for some flexibility, but time limits are firm. Organizations must close gaps within 180 days and demonstrate a long-term strategy to maintain compliance. Delayed remediation or incomplete documentation will disqualify an organization from future contract eligibility.


What Is CMMC Compliance?

CMMC compliance means adhering to Department of Defense cybersecurity rules designed to safeguard sensitive government data. The model draws from the NIST SP 800-171 and NIST SP 800-172 frameworks, depending on the required maturity level. Certification is obtained through either self-assessments or third-party audits, depending on the level.

CMMC at a glance: Level 1 has 17 practices; Level 2 aligns to 110 requirements; Level 3 adds enhanced protections.

Organizations can retain certification for three years once approved, provided they affirm compliance annually. Documentation must remain current, and the company must address security gaps within official remediation timelines. Conditional acceptance is allowed under strict deadlines for completing Plans of Action and Milestones. Failing to meet those requirements may result in revoked eligibility for defense contracts.

Maintaining certification demands proactive cybersecurity governance across policies, procedures, and technical safeguards. Organizations need to continuously monitor security performance and assess compliance against the applicable requirements. Training, internal audits, and vendor oversight remain essential to sustaining certification. Leaders should treat CMMC as an ongoing commitment, not a one-time task.

Who Needs CMMC Compliance?

Any business under contract with the Department of Defense that handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) must achieve the corresponding CMMC level. Requirements extend throughout the supply chain, including subcontractors who support prime contractors. Even organizations that do not work directly with the government may still be subject to these rules.  

Companies storing sensitive drawings, email correspondence, or logistics schedules tied to defense efforts also need to comply. Only vendors providing commercial off-the-shelf products with no access to protected information are exempt from this requirement. International businesses doing work with the U.S. Department of Defense also need to comply with CMMC. Location does not remove the requirement if U.S. government data is accessed or processed.  

Early certification puts businesses at a competitive advantage ahead of contract deadlines. Many prime contractors now require compliance evidence from subcontractors before signing teaming agreements. Failing to meet even Level 1 standards can exclude small vendors from critical defense programs. Investing in certification now protects the long-term viability of your contracts.

How to Achieve and Maintain CMMC Compliance

Successful compliance begins with a readiness assessment to understand existing security gaps. Companies must compare current practices against the control list for their target CMMC level. Internal policies, asset inventories, incident response plans, and staff training records must be documented thoroughly. Gaps should be prioritized based on risk and remediated before official assessment. 

Smaller organizations without internal compliance teams may benefit from engaging experienced CMMC consultants. External support helps map controls, develop required policies, and validate system security configurations. Partnering with specialists also improves audit preparation and response planning.  

Once compliant, organizations must continue monitoring their environments to maintain certification. Change management, vulnerability scanning, and log review processes help maintain system security between assessments. Scheduled internal audits and training refreshers reduce human error and improve response capabilities. Documented updates should be kept in alignment with ongoing compliance expectations. 

Investing in CMMC compliance improves overall cyber readiness and reduces the chance of future breaches. Security controls that protect DoD data also protect internal business operations. Clients, partners, and regulators recognize certified organizations as more trustworthy. Certification creates both operational and reputational advantages in an increasingly regulated environment. 

Smaller businesses are 3x more likely to be victims of a cyberattack than larger organizations.

What Can Your Company Do Now to Prepare?

CMMC compliance is no longer optional for businesses in the defense industrial base. Preparing early protects your company from costly delays and missed opportunities: 

Frequently Asked Questions

Q: When does the CMMC final rule take effect? 

A: The final rule takes effect on November 10, 2025. All new DoD contracts issued after this date will include CMMC Level 1 and 2 requirements. The DoD will implement a three-year rollout, with full compliance mandatory for all contractors by 2029. 

Q: What is the difference between CMMC Level 1, Level 2, and Level 3? 

A: Level 1 (Foundational) requires annual self-attestation for 17 controls under FAR 52.204-21. Level 2 (Advanced) requires assessment by a certified third-party organization (C3PAO) every three years with yearly affirmations, unless the contract involves only low-risk FCI. Level 3 (Expert) is designed for the most sensitive data and includes direct DoD evaluations. 

Q: Does my company need CMMC certification? 
 
A: Your company needs CMMC certification if you have a DoD contract and handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). This requirement extends to subcontractors throughout the defense supply chain. Companies providing only commercial off-the-shelf products with no access to protected information are exempt. 

Q: Do international companies need to comply with CMMC? 

A: Yes. International businesses working with the U.S. Department of Defense must comply with CMMC if they access or process U.S. government data, regardless of location. 

Q: What is the Supplier Performance Risk System (SPRS)? 

A: SPRS is the system where contractors must report their CMMC compliance status and self-assessment scores. All organizations are required to submit their progress in SPRS to maintain contract eligibility. 

Q: How long does CMMC certification last? 

A: CMMC certification is valid for three years once approved, provided your company affirms compliance annually. Documentation must remain current, and security gaps must be addressed within official remediation timelines. 

Q: What happens if my company cannot meet all requirements immediately? 
 
A: Provisional Plans of Action and Milestones may provide some flexibility, but time limits are strict. Your organization must close gaps within 180 days and demonstrate a long-term strategy to maintain compliance. Delayed remediation or incomplete documentation will disqualify you from future contract eligibility. 

Q: How is the September 2025 ruling different from the December 2024 ruling? 
 
A: The December 2024 ruling (32 CFR Part 170) requires contractors to be certified before contract award rather than after project launch. The September 2025 ruling addresses implementation through DFARS 252.204-7021 and establishes the timeline for when CMMC requirements will appear in DoD contracts. 

Q: Where can small businesses find help with CMMC compliance? 
 
A: The DoD Office of Small Business Programs created Project Spectrum, a resource center that includes webinars, educational courses, and free assessments for Level 1 and 2. Companies may also benefit from working with experienced CMMC consultants. 

Q: What should my company do now to prepare? 
 
A: Start by conducting a self-assessment and submitting your scores in SPRS. Determine which CMMC level applies to your DoD contracts and whether you need third-party certification or a DoD assessment. Keep your NIST SP 800-171 implementation current, and conduct an audit to identify and remediate cybersecurity gaps. 

CompassMSP offers tailored compliance and security solutions designed for small and mid-sized businesses working in the defense sector. Our team provides assessments, remediation planning, and ongoing support to help you meet and maintain CMMC requirements. Contact CompassMSP today to start your CMMC readiness journey with expert guidance.