On September 10, 2025, the Department of Defense published the Final Rule to implement the Cybersecurity Maturity Model Certification (CMMC) program in the Defense Federal Acquisition Regulation Supplement (DFARS) with an effective date of November 10, 2025. This means that CMMC clauses and requirements will begin appearing in defense solicitations and contracts on or after that date.
This guide will explain what the 48 CFR final rule is and how it changes CMMC requirements, how your organization can prepare for government contract solicitation requirements, and the resources we provide to prepare your business to meet the CMMC deadline.
What is the 48 CFR Final Rule?
48 CFR is short for “Title 48 of the Code of Federal Regulations” and is part of the Federal Acquisition Regulation System (FAR). 48 CFR outlines acquisition standards for defense-related activities, and its final rule adapts CMMC 2.0 requirements to the FAR framework. In essence, the final rule establishes how government contractors prove their compliance with cybersecurity frameworks like NIST SP 800-171.
There are two regulations that govern the CMMC Program:
- 32 CFR Part 170: Lays out various elements of the CMMC Program, including department policy, roles, levels, requirements, waivers, and assessments.
- 48 CFR Parts 204, 212, 217, and 252: Establish acquisition policy and standardized contract language.
While 32 CFR establishes CMMC as a policy, 48 CFR integrates its requirements into the FAR system, which gives them practical effect for defense contractors.
Now that the final 48 CFR rule has been published in the Federal Register, CMMC could become enforceable in contracts as early as November 10, 2025. If you’re a government defense contractor, or even a subcontractor, and aren’t compliant with CMMC, the alarm bells should be going off.
In just two months, contractors and subcontractors will need to demonstrate compliance at their relevant CMMC level in order to bid on or retain national defense contracts. Beyond that, other government agencies outside the Defense Industrial Base (DIB) may follow suit and adopt these provisions in the future.
What the Latest Rule Update Means for You
The 48 CFR rule doesn’t change the core CMMC requirements; it clarifies them. Here are the most important updates:
1. The rule inserts the DFARS 252.204-7021 clause into contracts. DFARS 252.204-7021 dictates:
- Contractors must pass a CMMC assessment and obtain certification.
- Certification must be in place at the time of contract award.
- A certification assessment must be completed every three years.
- DoD contractors must maintain the appropriate CMMC level for each contract, while also ensuring that any subcontractors are compliant at the same CMMC level (flowdown) for the duration of the contract.
- Suppliers must include DFARS 252.204-7021 language in their subcontract agreements and documentation.
2. The rule authorizes contracting officers to include CMMC requirement language in solicitations.
3. The rule’s effective date marks the first part of the CMMC phased rollout.
- Phase 1: Beginning on the effective date (November 10, 2025) of the 48 CFR final rule, the DoD will start requiring CMMC Level 1 and CMMC Level 2 self-assessments for specific contracts. This includes an up-to-date score in the DoD’s Supplier Performance Risk System (SPRS) database along with confirmation from a senior leader that the organization’s score is accurate.
- Phase 2: One year after Phase 1, the DoD will start requiring CMMC Level 2 certification based on third-party assessments.
- Phase 3: One year after Phase 2, the DoD will start requiring CMMC Level 3 certification for specific contracts that demand higher security protocols.
- Phase 4: One year after Phase 3, CMMC requirements will be fully established across all DoD contracts.
How to Prepare
CMMC certification is structured into three primary levels, reflecting progressively stringent cybersecurity standards based on NIST SP 800-171. Most organizations need 9 to 12 months to implement the NIST SP 800-171 controls, validate their compliance, and pass an assessment by a Certified Third-Party Assessment Organization (C3PAO).
If your organization is part of the DIB and processes, stores, or transmits Controlled Unclassified Information (CUI), it must achieve at least CMMC 2.0 Level 2, which consists of all 110 security controls (320 control objectives) from NIST SP 800-171, plus all CMMC Level 1 requirements. Level 2 C3PAO assessments can be required as early as November 2025 or before the CMMC certification deadline.
If your organization handles CUI and plans to bid on contracts in 2026, you should be well into the control implementation and self-assessment process in order to stay ahead of the DoD CMMC compliance deadline. Is your team running behind? BD Emerson’s CMMC Advisory Services can get you back on track and winning business by cutting your CMMC ramp time in half while ensuring you stay competitive in the marketplace.
BD Emerson’s CMMC Readiness Consulting Services
BD Emerson offers a holistic, streamlined, and expert-led approach to achieving CMMC compliance. Leveraging advanced tools and a global network of cybersecurity and data privacy professionals, our services ensure your security program satisfies contract requirements and scales as you grow.
Level 1: Self-Assessment Support
With Phase 1 having begun, some solicitations will begin to require annual Level 1 self-assessments from organizations handling Federal Contract Information (FCI). The Level 1 self-assessment targets the 15 controls required by FAR clause 52.204-21. BD Emerson’s experienced CMMC consultants are ready to guide your team throughout the self-assessment process and help you navigate entering the results into the Supplier Performance Risk System (SPRS).
Level 2: C3PAO Assessment Preparation
If your business handles CUI, solicitations will require your organization to complete either a self-assessment or a C3PAO assessment every three years, as well as an annual affirmation of your compliance with the 110 security requirements in NIST SP 800-171 Revision 2. Our consultants provide expert support to your team as you complete the self-assessment and prepare for your assessment with a C3PAO-authorized assessor.
Learn more about our NIST Compliance Consulting Services.
Talk to our CMMC Experts and Get Audit-Ready by November
We know that building out cybersecurity controls to fulfill rigid government regulations can be daunting. That’s why we offer consulting at a fixed price, so that you can implement CMMC requirements with guidance from experts.
Schedule a consultation and book your CMMC Readiness Assessment today!
