CMMC Rule Goes into Effect November 2025

By: Laura Fawcett, CISM, CGEIT | Managing GRC Consultant

September 9, 2025

Executive Summary

  • The rule will go into effect 11/9/2025.
  • The final rule has been slimmed down from the draft with a focus on CMMC status and no other requirements (e.g., reporting security events).
  • Once in effect, solicitations can include a required CMMC level (level 1 self, level 2 self, level 2 C3PAO, or level 3 DIBCAC), and associated contracts will include the CMMC clause DFARS 252.204-7021 requiring compliance at time of award.
  • The CMMC level is required for all information systems used in performance of the contract (prime and sub) that will process, store, or transmit FCI and/or CUI.
  • Contractors must maintain the level of required compliance through the life of the contract and/or associated task order or delivery order.
  • CMMC status must be reported in SPRS for all involved information systems. This will generate a CMMC UID, and all UIDs must be provided to the contracting officer.
  • Contracting officers are required to check SPRS and not award a contract, task order, or delivery order (or exercise an option or period extension) if the offeror doesn’t have a current CMMC status equal to or higher than required in the solicitation.

Key Questions

  • How do we know what CMMC level will be required and how quickly this will roll out? While we don’t have any insight into how Program Managers will evaluate the requirements, we can point to some of the guidance they will be using and estimates from the rule.
    • CMMC Memo Regarding CMMC Levels – Describes criteria. One key takeaway is that for any project with DoD-specific CUI (e.g., CTI), the contract will require Level 2 CMMC C3PAO certification.
    • eCFR: 32 CFR 170.5, Policy – Outlines the information that Program Managers should consider when determining CMMC level.
    • Within the text of the rule, and in the previous 32 CFR rule, the DoD estimates the number of small entities to which the rule will apply during the phased implementation period as follows:



    • For “other than small” the following estimates are provided:



    • The rule estimates in year 4 (fully rolled out) the following total numbers:




  • How do I know what CUI, if any, I will need to handle and if I will need to share it with subcontractors?
    • Understanding the CUI associated with and/or generated by the contract is critical to determining the required CUI level, so it is expected that the solicitation should speak to the project CUI.
    • We do understand this is hard to flesh out currently and are hopeful this will improve as part of this program.

DFARS 252.204-7021 Details

  • Contractor shall have and maintain for the duration of the contract a current CMMC status at the following CMMC level, or higher: <APPLICABLE CMMC LEVEL> for all information systems used in performance of the contract, task order, or delivery order that process, store, or transmit (P/S/T) FCI or CUI; and
  • Flow down the correct CMMC level to subcontractors and other contractual instruments (based on 32 CFR 170.23 guidance).
  • Only P/S/T FCI or CUI on contractor information systems that have a CMMC status at the CMMC level required above.
  • Complete an annual affirmation in SPRS of continuous compliance (by affirming official) for each CMMC UID applicable to each of the contractor information systems that P/S/T FCI and/or CUI.
  • Ensure all subcontractors and suppliers complete, prior to subcontract award, and maintain annually, an affirmation by affirming official of continuous compliance for subcontractor systems that will P/S/T FCI and/or CUI.
  • If contractors have CMMC conditional status, successfully close out POA&M(s) within 180 days of status to achieve final status.
  • Report to the Contracting Officer the CMMC UID(s) issued by SPRS for contractor information systems that will P/S/T FCI and/or CUI and report any changes to CMMC UIDs throughout the life of the agreement.
  • The contractor must insert the substance of this clause, including this paragraph in subcontracts if the contract will contain a requirement to P/S/T FCI and/or CUI; and
  • Prior to awarding a subcontract, ensure the sub has a current CMMC certificate or status at the level appropriate for the information that is flowing down.