Blog | CompassMSP

What Does the CMMC Final Ruling Mean for DoD Contracts?

Written by Jim Ambrosini | Oct 6, 2025 1:19:53 PM

On September 10, 2025, the Department of Defense (DoD) published its CMMC final ruling in the Federal Register regarding the Cybersecurity Maturity Model Certification (CMMC) Program, which is implemented through the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7021) and is part of Title 48 of the Code of Federal Regulations (CFR).

This CMMC final ruling will take effect on November 10, 2025, with a three-year rollout plan for DoD contracts. By year four (2029), every contractor will be required to be fully compliant to maintain their active contract, regardless of company size.  

What Does the Final Ruling Mean?

  • Beginning November 10, 2025, any new DoD contracts will now include CMMC Level 1 and 2 requirements. 
  • Companies will need to self-assess and submit their scores in the Supplier Performance Risk System (SPRS).  
  • After the three-year rollout, CMMC will be mandatory on all DoD contracts. 

What about the December 2024 CMMC final ruling? 

This ruling differs from 32 CFR Part 170, which governs the CMMC program itself and was finalized in December 2024. Under that CMMC final ruling, contractors must be certified before contract award rather than after project launch. This shift removed the prior leniency that allowed companies to catch up during performance; requirements are now enforced earlier and more strictly than before.

The current structure includes three tiers: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Each level builds on the previous one.  

Depending on your level of CMMC, the requirements and timelines differ: 

  • Level 1 is self-attested annually against 17 controls (FAR 52.204-21).
  • Level 2 certification now requires assessment through a certified third-party organization (C3PAO) unless the contract includes only low-risk FCI. This level must be assessed every three years with yearly affirmations in between. 
  • Level 3, designed for the most sensitive data environments, includes direct DoD evaluations.  

All organizations are required to report progress in the Supplier Performance Risk System (SPRS). Provisional Plans of Action and Milestones may allow for some flexibility, but time limits are firm. Organizations must close gaps within 180 days and demonstrate a long-term strategy to maintain compliance. Delayed remediation or incomplete documentation will result in loss of eligibility for future contracts.

What Is CMMC Compliance?

CMMC compliance means adhering to Department of Defense cybersecurity rules designed to safeguard sensitive government data. The model draws from the NIST SP 800-171 and 800-172 frameworks depending on the required maturity level. Certification is obtained through either self-assessments or third-party audits, depending on the level.

CMMC at a glance: Level 1 has 17 practices; Level 2 aligns to 110 requirements; Level 3 adds enhanced protections.

Organizations can retain certification for three years once approved, provided they affirm compliance annually. Documentation must remain current, and the company must address security gaps by official remediation timelines. Conditional acceptance is allowed under strict deadlines for completing Plans of Action and Milestones. Failing to meet those requirements may result in revoked eligibility for defense contracts.

Maintaining certification demands proactive cybersecurity governance across policies, procedures, and technical safeguards. Organizations need to continuously monitor security performance and assess compliance against all applicable requirements. Training, internal audits, and vendor oversight remain essential to sustaining certification. Leaders should treat CMMC as an ongoing commitment, not a one-time task.

Who Needs CMMC Compliance?

Any business under contract with the Department of Defense that handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) must achieve the corresponding CMMC level. Requirements extend throughout the supply chain, including subcontractors who support prime contractors. Even organizations that do not work directly with the government may still be subject to these rules.  

Companies storing sensitive drawings, email correspondence, or logistics schedules tied to defense efforts also need to comply. Only vendors providing commercial off-the-shelf products with no access to protected information are exempt from this requirement. International businesses doing work with the U.S. Department of Defense also need to comply with CMMC. Location does not remove the requirement if U.S. government data is accessed or processed.  

Early certification puts businesses at a competitive advantage ahead of contract deadlines. Many prime contractors now require compliance evidence from subcontractors before signing teaming agreements. Failing to meet even Level 1 standards can exclude small vendors from critical defense programs. Investing in certification now protects the long-term viability of your contracts.

How to Achieve and Maintain CMMC Compliance

Successful compliance begins with a readiness assessment to understand existing security gaps. Companies must compare current practices against the control list for their target CMMC level. Internal policies, asset inventories, incident response plans, and staff training records must be documented thoroughly. Gaps should be prioritized based on risk and remediated before official assessment. 

Smaller organizations without internal compliance teams may benefit from engaging experienced CMMC consultants. External support helps map controls, develop required policies, and validate system security configurations. Partnering with specialists also improves audit preparation and response planning.  

Once compliant, organizations must continue monitoring their environments to maintain certification. Change management, vulnerability scanning, and log review processes help maintain system security between assessments. Scheduled internal audits and training refreshers reduce human error and improve response capabilities. Documented updates should be kept in alignment with ongoing compliance expectations. 

Investing in CMMC compliance improves overall cyber readiness and reduces the chance of future breaches. Security controls that protect DoD data also protect internal business operations. Clients, partners, and regulators recognize certified organizations as more trustworthy. Certification creates both operational and reputational advantages in an increasingly regulated environment. 

Smaller businesses are 3x more likely to be victims of a cyberattack than larger organizations.

What Can Your Company Do Now to Prepare?

CMMC compliance is no longer optional for businesses in the defense industrial base. Preparing early protects your company from costly delays and missed opportunities: 


Frequently Asked Questions