This article was updated to reflect the finalized Cybersecurity Maturity Model Certification (CMMC) acquisition rule under 48 CFR Parts 204, 212, 217, and 252. The rule was published in the Federal Register on September 10, 2025, and will go into effect 60 days later on November 10, 2025.
The Cybersecurity Maturity Model Certification (CMMC) Programmatic Rule was published to the Federal Register on October 15, 2024 and went into effect on December 16, 2024. Contractors should be taking steps to ensure compliance, as failure to comply with these standards can result in exclusion from Department of Defense (DoD) contracts, posing significant risks to business operations and financial stability.
The CMMC Program is designed to provide increased assurance to the DoD that defense contractors and subcontractors are compliant with information protection requirements for federal contract information (FCI) and controlled unclassified information (CUI), and are protecting such information at a level commensurate with risk from cybersecurity threats, including Advanced Persistent Threats (APTs). It establishes prescribed cybersecurity standards that all contractors handling FCI and CUI must meet to qualify for DoD contracts.
Current Status of the CMMC Acquisition Rule (48 CFR)
The DoD finalized the CMMC acquisition rule under 48 CFR Parts 204, 212, 217, and 252. The rule was published in the Federal Register on September 10, 2025, and will go into effect 60 days later, on November 10, 2025.
Beginning November 10, 2025, DoD contracting officers will be authorized to include CMMC requirements in new solicitations and contracts, enabling formal enforcement of cybersecurity standards across the defense industrial base.
The rule outlines phased implementation over three years, with full applicability to all relevant contracts by November 10, 2028, excluding those solely for commercially available off-the-shelf (COTS) items.
Phased Implementation of CMMC Requirements
The DoD has adopted a phased approach to implementing the CMMC requirements to ensure contractors have sufficient time to achieve compliance while securing the defense industrial base (DIB). This gradual rollout allows organizations to align their cybersecurity practices with federal requirements while avoiding disruptions to critical defense operations. Below is an overview of the key phases:
| Phase | Summary | Timeline |
| --- | --- | --- |
| Phase 1 | | Begins on November 10, 2025. |
| Phase 2 | | Begins one calendar year following the start date of Phase 1. |
| Phase 3 | | Begins one calendar year following the start date of Phase 2. |
| Phase 4 | | Begins one calendar year following the start date of Phase 3. |
Structure and Requirements of the Final CMMC Programmatic Rule (CFR 32)
The finalized CMMC Programmatic Rule introduces a framework (the “CMMC Model”) to ensure that contractors in the DIB implement robust cybersecurity practices to protect sensitive information such as FCI and CUI. The CMMC Model incorporates the security requirements from: 1) FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems; 2) NIST SP 800-171 Rev 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations; and 3) a subset of the requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The CMMC Model consists of domains that map to the Security Requirement Families defined in NIST SP 800-171 Rev 2. There are three levels within CMMC (Level 1, Level 2, and Level 3), as described below:
- Level 1: Level 1 focuses on the protection of FCI and consists of the security requirements that correspond to the 15 basic safeguarding requirements specified in 48 CFR 52.204-21, commonly referred to as the FAR Clause.
- Level 2: Level 2 focuses on the protection of CUI and incorporates the 110 security requirements specified in NIST SP 800-171 Rev 2.
- Level 3: Level 3 focuses on the protection of CUI and encompasses a subset of the NIST SP 800-172 security requirements with DoD-approved parameters where applicable, as identified in 32 CFR § 170.14(c)(4).
Implications for Defense Contractors
With the CMMC Programmatic Rule (CFR 32) in effect since December 16, 2024, and the CMMC acquisition rule under 48 CFR Parts 204, 212, 217, and 252 published in the Federal Register and taking effect 60 days later, on November 10, 2025, defense contractors must take immediate steps to ensure compliance. The Programmatic Rule being in effect also allows C3PAOs that have been granted reauthorization to commence CMMC Level 2 certification assessments and issue Level 2 certificates of CMMC Status without the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The following actions are recommended for all contractors within the defense supply chain:
- Evaluate Current Cybersecurity Practices: Contractors should conduct a thorough assessment of their existing cybersecurity posture to determine which CMMC level applies to their operations.
- Implement Necessary Cybersecurity Controls: Based on the applicable CMMC level, contractors must implement the required controls to meet certification standards. This may involve significant investment in technology, processes and personnel training.
- Develop Program Documentation: Contractors must develop certain required documentation supporting their CMMC program, including a system security plan, a shared responsibility matrix, an incident response plan, and other supporting policies and procedures.
- Engage in Readiness Activities: Contractors should begin engaging with a qualified provider to schedule a gap or mock assessment to identify any potential deficiencies that could hinder certification.
- Conduct a Self-Assessment: Contractors are required to complete a self-assessment before undergoing the certification assessment conducted by an authorized C3PAO.
Support and Guidance from Cherry Bekaert
Navigating CMMC compliance can be challenging. Cherry Bekaert offers tailored services to support organizations through every stage of the process. Whether you need a readiness assessment, gap analysis or help with achieving certification, our qualified team provides the guidance needed to meet CMMC standards and secure your position in the defense supply chain.
Conclusion
Once the CMMC Acquisition Rule (CFR 48) goes into effect on November 10, 2025, the rule will contractually enforce CMMC requirements upon contractors. Failure to comply with CMMC once it is enforceable could result in being barred from being awarded, or from performing on, DoD contracts.
It is imperative for all defense contractors to prepare for certification and ensure compliance with these new cybersecurity requirements. The future of national security and defense contracting depends on the successful implementation of these standards, which will play a critical role in protecting the integrity and resilience of the Defense Industrial Base.
For more information on the CMMC rule and its implications, please refer to the below references:
References:
- https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program
- https://www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
- https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverviewv2.pdf
Contact Us
If you have any questions regarding CMMC, Cherry Bekaert’s Information Assurance & Cybersecurity and Government Contracting advisors are available to discuss your situation with you.