
Defense Contractors: Are You Ready for the CMMC Final Ruling?

  • DRMA
  • Oct 15

Submitted By Matt Suber, Back to Business I.T. on Wednesday, 10/15/2025


On September 10, 2025, the Department of Defense (DoD) issued its long-awaited final CMMC rule, which takes effect November 10, 2025. This marks the start of Phase 1, requiring Level 1 or Level 2 self-assessments for applicable solicitations. With the final barrier to implementation removed, contractors must now focus on meeting the specific standards outlined in the CMMC framework to ensure compliance and maintain eligibility for defense contracts.


The CMMC program is structured into three assessment levels, each building on the last to ensure the proper protection of government information.


  • Level 1: Basic Safeguarding of FCI. This foundational level is for companies that handle Federal Contract Information (FCI). It requires you to perform an annual self-assessment against security requirements found in FAR clause 52.204-21 and formally affirm your compliance to the DoD each year.

  • Level 2: Broad Protection of CUI. Designed for companies handling the more sensitive Controlled Unclassified Information (CUI), this level requires compliance with security controls from NIST SP 800-171. The specific contract will dictate whether you need to perform a self-assessment or undergo an assessment by a certified third-party organization (C3PAO) every three years. In either case, annual affirmation of your compliance is also mandatory.

  • Level 3: Higher-Level Protection Against Advanced Threats. This expert level is for protecting CUI from Advanced Persistent Threats (APTs). To qualify, a company must first achieve a final CMMC Level 2 status. The assessment is then conducted every three years. This requires an annual affirmation verifying compliance with additional, more advanced security controls from NIST SP 800-172.


The DoD's CMMC final rule solidifies the requirements and sets a clear path for implementation. Here are some key takeaways for your business:


  • Phased Rollout: For the first three years, starting November 10, 2025, the DoD will implement CMMC requirements in phases. This means they will begin including the requirements in some contracts at their discretion, with a full rollout across all applicable new contracts expected after the initial three-year period. This approach gives contractors time to prepare, but it's crucial to start now as you won't know which contracts will require it.

  • SPRS is Key: The Supplier Performance Risk System (SPRS) is the DoD's database for tracking CMMC compliance. You are required to submit your CMMC Unique Identifier (UID) for each information system, as well as the results of your self-assessments and affirmations, into SPRS to be eligible for contract awards.

  • Subcontractor Compliance: If you're a prime contractor, you are responsible for ensuring your subcontractors also meet the required CMMC level for the information they handle. This "flow-down" requirement makes supply chain cybersecurity management a critical part of your own compliance.

  • Plan of Action & Milestones (POA&M): For Levels 2 and 3, the final rule allows for a temporary, conditional CMMC status based on a POA&M. This gives a contractor up to 180 days to correct any deficiencies found during an assessment. It provides a path to certification while still allowing you to be eligible for contract awards, provided you resolve the issues within the timeframe. It will, however, result in additional expenses to have the remaining controls assessed.


The time to act is now. With CMMC requirements officially in place, waiting is no longer an option. Every day counts toward securing your eligibility and protecting your business. At The Greentree Group, we simplify compliance by combining deep regulatory expertise with practical, hands-on solutions tailored to your operations. From gap analysis to full certification readiness, we’re here to help you turn cybersecurity compliance into a strategic advantage. Connect with us today and take the first step toward safeguarding your future in the defense supply chain.

 

 


 
 
 
