Key Takeaways
- Contractors must be certified before they can be selected for any contract that includes the CMMC DFARS clause.
- Requirements vary by level based on FCI, CUI, or critical program access.
- All controls must be fully implemented; no POA&Ms allowed.
- DoD-defined ODPs preview tighter rules under NIST 800-171 Rev. 3.
- Contractors should assess, remediate, and document now to stay ready.
November 10, 2025: CMMC Enforcement Goes Live
November 10, 2025, marks the point when the Department of Defense began actively enforcing CMMC requirements for contracts that include the DFARS clause. Contractors must be fully certified at the time of contract award. This milestone is a turning point. Organizations that act now stay ready and ahead of the game.
Contracts issued on or after this date require verified certification. The DoD evaluates contractors based on:
- Control implementation: All required cybersecurity controls must be fully in place.
- Documentation readiness: Evidence must be organized, complete, and available for review.
- Alignment with ODPs: Organizationally Defined Parameters from NIST SP 800-171 Rev. 3 guide specific values for controls like passwords, audit frequency, and system updates.
Immediate Actions for Contractors
Contractors can use this milestone to ensure they are fully prepared:
- Confirm Your Level
Review each contract to determine whether Level 1, Level 2, or Level 3 applies. Understanding your level drives which controls to implement and the type of assessment required.
- Complete Control Implementation
Focus on critical areas that matter most for enforcement:
  - Identity and access management, including multi-factor authentication and least privilege
  - Incident response planning, detection, and audit logging
  - System configuration and encryption, using FIPS-validated cryptography for CUI
- Prepare Audit-Ready Documentation
Maintain clear, organized evidence for each control:
  - System Security Plans mapping each control
  - Policies and procedures showing daily enforcement
  - Evidence artifacts such as screenshots, logs, tickets, and remediation records
- Align With ODPs
Review Organizationally Defined Parameters to ensure all required values and frequencies are applied. This alignment positions organizations to meet enforcement expectations efficiently.
- Schedule Assessment Completion
Depending on your level and contract type:
  - Level 1 and non-prioritized Level 2 contracts use self-assessment and executive affirmation
  - Prioritized Level 2 contracts require third-party assessment
  - Level 3 contracts undergo DoD-led review
Understanding the CMMC Final Rule
For years, the Cybersecurity Maturity Model Certification (CMMC) has been discussed as a future requirement for defense contractors. But until recently, it served as a framework under development, not enforceable by law. That changed in October 2024, when the Department of Defense (DoD) published the CMMC Final Rule, officially codified in 32 CFR Part 170. The rule went into effect in December 2024.
The Final Rule transitions CMMC from a voluntary model to a mandatory program. It establishes certification expectations based on the type of federal data a contractor handles and outlines the assessment paths (self-assessment, third-party review, or government-led audit) that must be followed.

Which CMMC Level Applies to You?
Not all DoD contractors need to meet the same CMMC level. Your obligations depend on the sensitivity of the data you handle:
Level 1 – Foundational
- For contractors that handle Federal Contract Information (FCI) only
- Based on 17 basic cybersecurity practices from FAR 52.204-21
- Requires annual self-assessment and executive affirmation
Typical contractors: Product or service vendors without access to sensitive technical data. Think logistics, facility services, training, or office supply vendors.
Level 2 – Advanced
- For contractors that handle Controlled Unclassified Information (CUI)
- Requires implementation of all 110 controls in NIST SP 800-171 Rev. 2
- “Prioritized” contracts require third-party certification
- “Non-prioritized” contracts allow for self-assessment + affirmation
Typical contractors: Software vendors, defense manufacturers, IT service providers, and primes/subs with direct access to DoD technical data.
Level 3 – Expert
- For a small subset of contractors working on high-value DoD programs
- Based on select controls from NIST SP 800-172
- Requires DoD-led assessments
Typical contractors: Those supporting highly sensitive or classified systems (e.g., weapons platforms, advanced

What the Final Rule Changes
Before the Final Rule, CMMC was advisory in nature. Contractors could prepare based on draft guidance, but no official enforcement existed at the time.

Now, the Final Rule:
- Codifies CMMC in federal regulation
- Defines CMMC as a precondition for DoD contract awards
- Requires contractors to complete assessments before contract award
- Specifies roles for self-assessments, third-party audits, and DoD oversight
A DFARS rule is expected in 2025 to embed these requirements into defense contract language. Once the clause appears in a solicitation, compliance is mandatory.
CMMC Compliance Dates You Need to Know
Understanding the CMMC implementation timeline behind the Final Rule helps clarify when enforcement begins and how quickly your organization must act.
- October 17, 2024 – The Department of Defense published the Final Rule in the Federal Register, officially codifying CMMC as 32 CFR Part 170.
- December 26, 2024 – The rule went into effect, making CMMC a binding regulation, not just a framework.
- 2025 Onward – A corresponding DFARS clause is expected to follow, embedding CMMC requirements directly into defense contracts. Contractors will not be required to comply with CMMC until:
- A contract solicitation includes the DFARS clause
- Or a modification is made to an existing contract that introduces the clause
DoD has signaled that initial contract solicitations with CMMC requirements will begin appearing in the second half of 2025, ramping up gradually over a three-year phase-in period. This gives contractors a limited window to prepare; however, once the clause appears, compliance becomes a condition for award.
Step-by-Step Guide: How to Prepare for CMMC
Step 1: Identify Your Level
- Confirm whether your contracts involve FCI, CUI, or support for critical programs
- Review contract clauses and DoD guidance to determine the applicable level and assessment type
Step 2: Perform a Readiness Assessment
- For Level 1: Use the FAR 52.204-21 checklist to conduct a self-assessment
- For Level 2: Use NIST 800-171A to evaluate control implementation across your systems
- Consider a GRC platform to automate mappings and identify gaps quickly
Step 3: Close Gaps
- POA&Ms are not accepted at certification time (especially for Level 2)
- Controls must be fully implemented and effective
- Prioritize:
- MFA and strong access controls
- Incident response capability
- System audit logging and regular review
Step 4: Prepare Documentation
- System Security Plan (SSP) with clear references to implemented controls
- Policies, procedures, and evidence artifacts (logs, screenshots, tickets, etc.)
- Documentation of assessment findings and remediation actions
Step 5: Complete Your Assessment
- Level 1 and non-prioritized Level 2: Conduct self-assessment; submit executive affirmation
- Prioritized Level 2: Schedule third-party assessment with a C3PAO
- Level 3: Coordinate with your DoD contract manager for DoD-led review timeline and support.
Understanding NIST SP 800-171 Revision 3
As part of broader cybersecurity modernization, NIST maintains the framework that CMMC is built on: NIST SP 800-171, which outlines the procedures for protecting Controlled Unclassified Information (CUI) in non-federal systems. While CMMC 2.0 currently aligns with Revision 2, in late 2023 NIST proposed a major update, Revision 3, to modernize and clarify the existing requirements. Although Revision 3 has not yet been adopted into CMMC, it is already shaping expectations across the defense sector and is widely viewed as the foundation for future updates to CMMC (possibly CMMC 3.0).
Revision 3 introduces:
- A clearer structure for control families
- Enhanced guidance and examples to support implementation
- A new concept called Organizationally Defined Parameters (ODPs), which give agencies or oversight bodies the ability to specify required values for certain controls (e.g., timeframes, password lengths, update frequencies)
While the CMMC Final Rule still points to Revision 2, the DoD has issued its own list of defined ODPs, effectively previewing what could come in future updates, potentially as part of CMMC 3.0.
What Contractors Are Grappling With
As organizations dig deeper into the evolving guidance, a growing concern is the increasing specificity of requirements under NIST SP 800-171 Revision 3, particularly the newly defined Organizationally Defined Parameters (ODPs). These preset values, issued by the DoD, dictate how controls should be interpreted, reducing ambiguity but also introducing rigid expectations.
For example:
- Preventing the reuse of user identifiers for 10 years could challenge how Microsoft 365 and Active Directory environments manage deactivated accounts.
- System component inventories must be updated at least quarterly.
- Passwords must be at least 16 characters, even for non-privileged users.
- Encryption controls require FIPS-validated cryptography for all CUI.
These updates signal a shift from flexible interpretation to prescriptive compliance. And while they aren’t officially embedded in CMMC 2.0 yet, many expect them to shape future enforcement (possibly under CMMC 3.0).
Organizations are now evaluating how these ODPs intersect with tools they already use (like Entra ID, Azure AD, CIS benchmarks, and STIGs), and whether full alignment is technically feasible without overhauling systems. Some are expressing concern that the administrative complexity may not always lead to proportional security benefits.
That tension is driving a more strategic conversation around how to stay prepared not just for current CMMC enforcement, but for what’s next.
Looking Ahead
While CMMC currently aligns with NIST SP 800-171 Rev. 2, contractors should:
- Monitor how ODPs may be formalized through rulemaking
- Anticipate a future shift to Rev. 3, especially with Canada already using it in its own CMMC-equivalent
- Recognize that greater specificity (via ODPs) may limit flexibility but increase audit consistency
This is the time to:
- Strengthen internal documentation practices
- Normalize quarterly reviews, system audits, and security literacy training
- Choose tools that evolve alongside federal guidance
Final Word
The CMMC compliance framework is now embedded in the federal acquisition process. With the Final Rule in effect, DoD contractors at all levels must understand their obligations and chart a realistic, well-supported path to compliance.
Whether you’re preparing for a Level 1 self-assessment or a Level 2 certification, the key is to act now before the clauses appear in your next contract.
Use Centraleyes to map NIST 800-171 controls, generate your SSP Report and SPRS score, and generate audit-ready documentation.
FAQs
When did the CMMC Final Rule go into effect?
The CMMC Final Rule was published by the Department of Defense in the Federal Register on October 17, 2024. It officially went into effect on December 26, 2024. While the rule is now in force, contractors are only required to comply once a contract includes the CMMC-related DFARS clause. That clause is expected to begin appearing in solicitations during 2025, with a gradual phase-in over the next three years.
What are the main requirements of the CMMC Final Rule?
The Final Rule:
- Mandates cybersecurity certification as a condition for receiving certain DoD contracts
- Assigns contractors to CMMC Levels 1, 2, or 3 based on the type of federal data handled (FCI or CUI)
- Requires either self-assessment, third-party certification, or DoD-led audits, depending on level and contract prioritization
- Establishes clear criteria for compliance, including documentation and executive affirmations
- Specifies that certification must be complete prior to contract award
Who needs to comply with the CMMC Final Rule?
All Department of Defense contractors and subcontractors who process, store, or transmit:
- Federal Contract Information (FCI) must meet Level 1 requirements
- Controlled Unclassified Information (CUI) must meet Level 2 or Level 3, depending on program sensitivity.
CMMC applies to both prime contractors and their supply chains, making compliance a shared responsibility across the defense industrial base (DIB) partners.
How does CMMC 2.0 differ from previous versions?
CMMC 2.0 simplifies and streamlines the original model by:
- Reducing the number of levels from five to three
- Aligning Level 2 directly with NIST SP 800-171, the same standard required by DFARS
- Allowing self-assessments for non-prioritized Level 2 contracts, while still requiring third-party certification for prioritized ones
- Eliminating the “process maturity” requirements from earlier versions
- Offering a more phased and flexible rollout, while still enforcing compliance prior to contract award
CMMC 2.0 maintains strong security standards while aiming to reduce unnecessary burdens on small to mid-sized contractors.