DFARS CMMC Final Rule Published: No Surprises, Just Execution

CMMC is officially moving from policy to procurement. The Department of Defense has published the final DFARS rule in Title 48 of the CFR, wiring CMMC requirements directly into contracts. The rule is effective 60 days after publication in the Federal Register, which makes November 10, 2025, the start of phase one.

We knew this was coming. No alarms. No panic. The Title 32 rule finalized last year put CMMC into policy. Today’s DFARS rule makes it enforceable at the contract level.

Back to the Future

As someone who runs compliance delivery every day, this feels like going back in time. Years ago, when DFARS 252.204-7019 and 252.204-7020 first went live, we would get the same call again and again from defense contractors: “Our contracting officer is withholding award until we get a scored assessment posted to SPRS. Can you help us now?”

That scramble is about to return, but with higher stakes. This time, it is not just a score that unlocks an award. It is proof of compliance. If you treated scoring as a one-time ticket punch and moved on, you are going to find yourself stopped cold. If you stood up the controls and keep them operating, you will keep moving.

The lesson is the same: do not wait for a contracting officer to be the one who tells you it is too late.

What Changed in the DFARS CMMC Final Rule

The program rule at Title 32 CFR part 170 defined the model: levels, scoping, statuses, and affirmations. What it did not do was tie eligibility to contract awards. The Title 48 DFARS rule closes that gap.

Contracting officers now have clear authority to name a CMMC level in solicitations, verify contractor status in SPRS, and withhold awards if a contractor is not current. The rule makes the following explicit:

  • Eligibility is verified in SPRS. A self-assessment score and the annual affirmation of continued compliance must be posted and kept current.
  • Offerors reference a CMMC UID. This is the identifier created when you post your status in SPRS. It ties your offer to your compliance record.
  • SPRS postings must be current. A lapsed assessment or an expired annual affirmation means you are not eligible for award, the same as if you had never posted at all.
  • Subcontractors must comply. Flowdown is mandatory, and primes must verify subs before award.

This is how a policy framework becomes a procurement filter.

What To Expect First

On November 10, contracting officers can begin including Level 1 or Level 2 self-assessment requirements as conditions of award. Expect levels named directly in RFPs, SPRS checks before award and at option points, and real consequences if postings or affirmations are not current.

The phased rollout defined in the Title 32 rule continues: four phases over three years. During those three years, program offices decide when to include the clause, and COTS-only awards are excluded throughout. After that point, the clause is standard in all contracts requiring protection of FCI or CUI.

What This Means For Contractors

For contracts involving Federal Contract Information, Level 1 self-assessment with an annual affirmation is now the baseline.

For contracts involving Controlled Unclassified Information, Level 2 is required. In Phase 1, a Level 2 self-assessment will generally be enough, although DoD may require a C3PAO certification assessment for a given solicitation at its discretion. In Phase 2, certification by a C3PAO becomes a requirement for many solicitations.

For the highest risk work, Level 3 assessments will not appear until Phase 3, two years into the rollout, and will be conducted by the government (DIBCAC), on top of a Level 2 certification.

Eligibility will be visible before evaluation begins. If you are already on your compliance path, stay the course. If you are not, it is not too late, but the time for speculation is over. Contracting officers will expect proof, and you will either have it or you will not.

A Practitioner’s Checklist 

  1. Decide the level by contract and data. Review the DFARS clauses in your solicitation or award to determine whether FCI or CUI is in play. Use that as your starting point, then scope your systems and users based on where that data is created, processed, stored, or transmitted. 
  2. Finish the fundamentals. Build a defensible SSP and POA&M. Harden baselines, enforce configuration standards, patch predictably, and turn on logging with retention. Document every control decision. 
  3. Make eligibility visible. Post to SPRS, complete the affirmation, and keep it current. Track status by site, enclave, and contract. 
  4. Stand up a repeatable program. Move from project to operations with policies, named control owners, workflows, and evidence repositories. Automate where possible. 
  5. Book assessment capacity early. If a C3PAO will be required, reserve a window, run a dry run, and stage your evidence. 
  6. Flow down with intent. Include level and evidence expectations in teaming agreements and purchase orders. Verify supplier status before proposal, not after award. 
  7. Tie compliance to revenue. Make CMMC status a bid gate. No SPRS posting means no bid submission. 

Common Pitfalls 

  • Paper SSPs with no implementation 
  • One-time projects that decay without cadence 
  • Enclaves scoped wrong on purpose or by mistake 
  • Suppliers not ready when you need them 

How CyberSheath Helps Clients Meet CMMC Readiness

CyberSheath runs CMMC as an operating program, not a one-time project. That means: 

  • Registered Practitioner Organization credentials and a delivery model proven across the defense supply chain 
  • vCISO leadership paired with managed operations for policies, evidence, detection and response, patch cadence, and SPRS updates 
  • Enclave design and operation, Microsoft government licensing expertise, and managed security aligned with cadenced evidence collection 
  • Supplier compliance management to ensure your team is ready end-to-end 
  • Assessment readiness that reduces rework and accelerates certification 

We can step in to lead or augment. The outcome is straightforward: Eligible at award. Compliant in operation. Audit ready on demand. 

The DFARS CMMC final rule is here.

November 10 is the start of phase one. This is not about being surprised. It is about being ready. If you are already on the path, stay the course. If you are not, start now. Because you have to. 

Execution wins. That is where CyberSheath lives. As Andrew Zoppi, our Director of Compliance Operations, puts it: “All gas, no brakes.”