/

September 14, 2025

Unlocking GovCon Success: The New CMMC Rule

New CMMC Rule

What’s the New CMMC Rule Anyway?

It happened. The U.S. Department of Defense (DoD) officially confirmed the final rule for the Cybersecurity Maturity Model Certification (CMMC). If you’re a contractor or thinking about becoming one, this means big changes are on the horizon. In this article, I’ll walk you through what the CMMC final rule is, when it starts, what it requires, and what you should do first — all in friendly, clear language.

Think of this rule like a big safety checklist the DoD is putting into contracts. Before, many contractors had to follow cybersecurity rules. But there wasn’t always proof or a way for DoD to check that these rules were actually met. The final CMMC rule changes that:

– It makes cybersecurity certification part of actual contracts. If you handle certain kinds of info for DoD, you’ll need a CMMC level.
– The rule covers companies that process, store, or transmit Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
– It builds on earlier rules, especially DFARS clauses and the CMMC Program Rule (which was finalized in 2024).

When Does It Kick In?

Mark your calendar:

  • Effective date: November 10, 2025 — that’s when the CMMC final rule becomes official in new contracts and solicitations.
  • Phase‑in period: There will be a three‑year rollout where DoD gradually adds CMMC requirements into contracts. Not all contracts will have them at first. But over time, more will.

What Are the Levels, Assessments, and Requirements?

Here’s a breakdown of how the levels work, what is required, and what changes the rule brings:

CMMC Level

What Data It Covers

Type of Assessment

What’s New / Important

Level 1

Federal Contract Information (FCI)

Self-assessment annually

Basic safeguarding; must show you protect FCI.

Level 2

Controlled Unclassified Information (CUI)

Either self-assessment or third-party (C3PAO) every three years, plus annual affirmation

More detailed controls (110 security practices). You may have conditional status while fixing some gaps under a Plan of Action & Milestones (POA&M).

Level 3

High-sensitivity CUI, risks, etc.

Always third-party or DoD’s Defense Industrial Base Assessment Center (DIBCAC) assessments every three years, plus annual affirmations

This level is for the most critical contracts.

Some extra bits:

  • The rule introduces conditional certification: for Levels 2 & 3, you might get a temporary status while you fix gaps. You’ll have up to 180 days to close those.
  • The rule defines “current CMMC status”, “CMMC Unique Identifier (UID)”, “POA&M”, etc. These definitions matter because they tell you what counts as compliant.

Why This Final Rule Matters

If you thought cybersecurity rules for DoD contracting were optional or flexible, this changes things. Here’s why the final rule is a game‑changer:

  • Contracts now enforce certification. If you don’t have the required CMMC level, you can lose out on contracts.
  • Accountability is higher. Annual affirmations, status being visible in the DoD Supplier Performance Risk System (SPRS), the need to maintain compliance continuously.
  • Flow‑down to subcontractors is required if they handle FCI or CUI. So primes will need to ensure their subs are ready.
  • Phased implementation is helpful. It gives companies time to learn, adjust, prepare. Smaller contractors will especially need that. But you can’t wait too long.

What Should Contractors Do Now?

If this is your business or you’ll be affected, here are steps to get ready. Don’t wait until November if you can start now.

1. Figure out which level you’ll likely need.
2. Review your current cybersecurity posture.
3. Get your system inventory and identify information systems.
4. Develop policies and system security plans (SSPs).
5. If needed, prepare a POA&M (Plan of Action & Milestones).
6. Talk to your subcontractors.
7. Train your staff and get support.

Watch‑Outs & Things To Clarify

Here are some cloudy areas contractors should watch:

  • Knowing exactly what is “in‑scope” vs “out‑of‑scope.”
  • The risk of false claims if you assert continuing compliance and then some change happens you didn’t account for.
  • Budget and resource constraints, especially for small businesses.
  • How DoD will decide which contracts get the clause first during the phased rollout.

Bottom Line

The CMMC final rule confirmed means that as of November 10, 2025, DoD contracts will start demanding true, verifiable cybersecurity credentials. The three levels, assessments, POA&Ms, and new definitions are all part of making things stricter and more formal. If you work in defense contracting, you’ll want to gear up now.

Next Steps (for DoD Contractors & Subcontractors)

  • Audit your current systems against what CMMC Level(s) require.
  • Start building or updating your SSPs and policies.
  • Establish internal monitoring so you can stay compliant over time.
  • Reach out for help (consultants, C3PAOs, training programs).
  • Keep an eye on how the phased approach rolls out so you know when the rule applies to your contracts.
  • Review DoW documents CMMC 101, DoD CMMC Overview PDF

At Greypike, we specialize in working with small DoD contractors on CMMC compliance. Contact us and learn how you can get compliant quickly