The final CMMC rule is here—what enforcement starting Nov 10 means for DoD contractors

by SecureSlate Team in CMMC


Key takeaways

  • Understand the core concepts and terminology behind the final CMMC rule and what enforcement starting November 10 means for DoD contractors.
  • Learn practical steps to apply the guidance and stay audit-ready.
  • See where SecureSlate can help centralize evidence, ownership, and ongoing compliance workflows.

After years of drafts and shifting timelines, the Cybersecurity Maturity Model Certification (CMMC) program is moving from “future requirement” to contract reality.

In September 2025, the Department of Defense (DoD) made the final CMMC contracting rule (48 CFR) available for public inspection and then published it in the Federal Register. Combined with the earlier publication of CMMC policy (32 CFR), CMMC is now positioned to show up as enforceable contract language.

If you sell to the DoD—or plan to—this changes the urgency. Contracting teams may begin including CMMC requirements in solicitations and awards starting November 10, 2025.

What changed with the final CMMC contracting rule

CMMC was introduced to improve cybersecurity across the defense industrial base by ensuring contractors protect:

  • Federal Contract Information (FCI)
  • Controlled Unclassified Information (CUI)

The key shift is that CMMC is no longer only guidance or “expected posture.” With the contracting rule in place, CMMC requirements can be written into contracts—meaning eligibility can depend on demonstrating the right level of compliance.


Key dates to know (and what “enforcement” means)

Here’s the timeline most contractors are planning around:

  • Late 2024: CMMC becomes official DoD policy through 32 CFR.
  • September 2025: The final CMMC contracting rule (48 CFR) is released/published.
  • November 10, 2025: CMMC clauses can begin appearing in new solicitations and contracts.

“Enforcement” in practice typically means contracting officers may be limited in awarding, renewing, or extending certain contracts unless the vendor can meet the required CMMC level for the work and data involved.


CMMC levels at a glance

Which level you need depends on what kind of information you handle and what the contract requires.

CMMC Level 1 (Self-assessment)

  • Who it’s for: Organizations handling FCI only (no CUI).
  • Assessment model: Self-assessment and annual affirmation, aligned to Level 1 practices.

CMMC Level 2 (Third-party assessment for many CUI environments)

  • Who it’s for: Organizations handling CUI.
  • Assessment model: Often requires a Certified Third-Party Assessor Organization (C3PAO) assessment, aligned to NIST 800-171 expectations.

CMMC Level 3 (Government-led assessment for highest-priority programs)

  • Who it’s for: Contractors supporting select high-priority DoD programs.
  • Assessment model: A government-led assessment model and additional requirements aligned to NIST 800-172.

If you’re not sure whether you have CUI, treat that as a risk to resolve early. CUI scope decisions drive everything: system boundaries, SSP/POA&M strategy, and assessment readiness.


The phased rollout (what to expect through 2028)

The DoD has communicated a phased approach, with full implementation expected over several years.

What that means operationally:

  • You may see CMMC requirements selectively first (new awards, higher-risk programs, or specific data types).
  • Requirements are likely to broaden over time as acquisition teams standardize clauses and assessment capacity increases.

Even if your next recompete is a year away, the safest planning assumption is that CMMC language can arrive sooner than your internal roadmap.


What to do now (a practical readiness checklist)

If you want to stay eligible as requirements land, focus on readiness that reduces schedule risk.

1) Confirm your data and contract scope

  • Identify where FCI and CUI enter your environment.
  • Define the system boundary and data flows.
  • Validate assumptions with your prime or contracting stakeholders when possible.

2) Build your control baseline (and evidence plan)

  • Map current controls to the target level (often Level 1 or Level 2).
  • Define what evidence you’ll need for each control and where it will come from.

3) Close high-impact gaps first

Prioritize gaps that commonly slow assessments:

  • Asset inventory and configuration baselines
  • MFA/identity hardening and privileged access
  • Vulnerability management + patch SLAs
  • Logging, alerting, and incident response readiness
  • POA&M governance (if applicable)

4) Pressure-test your documentation

Have your SSP, policies, and procedures ready to survive a real audit conversation—not just exist as PDFs.



Why assessor capacity can become a bottleneck

As CMMC clauses appear in more contracts, assessment demand can spike.

If your program likely requires a C3PAO assessment, don’t assume you can book an assessment on short notice. Readiness work you do now reduces the risk of missing a contract window later.


How SecureSlate helps you get audit-ready

SecureSlate helps teams prepare for CMMC and related public sector requirements by centralizing readiness work in one place:

  • Control mapping and gap tracking across CMMC and NIST-aligned requirements
  • Evidence collection and organization so artifacts are audit-ready, not scattered
  • Task tracking and approvals to drive accountability across engineering and IT
  • Integrations with tools many teams already use (cloud, identity, ticketing, endpoint, and more)

If you’re early in the journey, SecureSlate can help you build a defensible plan and keep the scope realistic. If you’re already underway, it helps you standardize evidence and reduce manual audit prep.

Ready to start your CMMC journey? Talk with our team to map your target level, clarify scope, and build a readiness plan that matches your contract timelines.


FAQs

When does CMMC start being required in contracts?

Starting November 10, 2025, CMMC clauses can begin appearing in new solicitations and contracts, depending on the acquisition and program.

Do all defense contractors need the same CMMC level?

No. The required level depends on what information you handle (FCI vs CUI) and what the contract specifies.

Can Level 2 be self-assessed?

Some environments may allow self-assessment depending on contract and risk factors, but many CUI scenarios are expected to require a C3PAO assessment. Plan based on your specific solicitation language.

What’s the biggest readiness mistake contractors make?

Waiting to define CUI scope and system boundaries. Scope drives cost, timeline, and what “done” looks like in an assessment.

How long does CMMC preparation take?

It varies widely. Timelines depend on current maturity, environment complexity, and how quickly you can implement controls and produce consistent evidence.


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.
