DoD Finalizes CMMC Rule: What Contractors Need to Do Now | MediaMosaic Gov

DoD Cybersecurity Policy · September 2025


Clear, practical steps you can use this week.

By Simon Khan, GovCon Growth Manager · September 19, 2025

On 10 September 2025, the Department of Defense published the final DFARS rule implementing the Cybersecurity Maturity Model Certification (CMMC) program. The rule takes effect 60 days later, on 10 November 2025, and begins a three-year phase-in. This newsletter explains what changed, who is affected, and exactly what to do next.

TL;DR — The Few Things That Matter Most

Key Takeaways
  • The DoD can start adding CMMC requirements to solicitations and contracts on 10 November 2025. (Source: Federal Register)
  • Contractors must have and keep a current CMMC status in SPRS or eMASS before award, before option exercise, or when CUI/FCI processing is added to a contract. (Source: Final CMMC Acquisition Rule Published)
  • CMMC has three levels: Level 1 (basic; annual self-assessment), Level 2 (NIST SP 800-171; third-party assessment for many contracts, self-assessment for others), and Level 3 (highly sensitive; government assessment). (Source: Overview of the CMMC Program)

Part 1: What the Final Rule Does

  • Adds new DFARS clauses and a solicitation provision to require CMMC status for systems that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). (Source: DFARS Part 204)
  • Requires contractors to post self-assessments and affirmations in the Supplier Performance Risk System (SPRS) or to record third-party/government assessments in eMASS, depending on level and assessment type. (Source: SPRS; Cyber Reports)
  • Phases in requirements over three years so DoD can require higher assessment levels over time rather than all at once.

Part 2: Who Is Affected

  • Any contractor or subcontractor that will process, store, or transmit FCI or CUI on contractor systems for DoD work. This includes many service providers, IT vendors, and systems integrators.
  • When the clause is in a solicitation, offerors that have not reported the required CMMC status to DoD are ineligible for award. That makes accurate SPRS/eMASS entries critical.

Part 3: Assessment & Reporting Rules by Level

Level 1
  • Annual self-assessment posted in SPRS; annual affirmation in SPRS.

Level 2
  • Self-assessment route: self-assessment every 3 years posted in SPRS; annual affirmation in SPRS.
  • C3PAO route: independent assessment every 3 years recorded in eMASS; annual affirmation in SPRS.

Level 3
  • Government (DIBCAC) assessment every 3 years, recorded in eMASS; annual affirmation in SPRS.

Part 4: Immediate Actions to Take This Week

  1. Identify systems that process FCI or CUI and map them to contracts and proposals. Start with the systems used on your top 5 DoD efforts. (See: DoD CMMC resources)
  2. Confirm your SPRS record and eMASS readiness. Fix missing or incorrect SPRS data; it will block awards. Use the SPRS guides. (See: SPRS)
  3. If you expect Level 2 work, decide now whether you need a C3PAO assessment or the self-assessment route. Schedule assessors early; C3PAO capacity is limited. (See: CMMC assessment process at cyberab.org)
  4. Update subcontractor flow-downs. Primes must ensure subcontractors have a current CMMC status when their systems handle FCI or CUI. Add verification steps to your subcontractor intake.
  5. Prepare affirmations and internal controls to support the required annual affirmations in SPRS. Assign an "affirming official." (See: Federal Register / DFARS rule)

"CMMC compliance is no longer optional horizon planning — it is an award eligibility requirement starting November 10, 2025. Firms that have not posted their SPRS entries risk being frozen out of DoD solicitations the moment a CMMC clause appears."

Part 5: Things to Remember

  • This rule does not add new technical controls beyond what NIST SP 800-171 / SP 800-172 already require. It requires formal assessments, attestations, and DoD reporting.
  • If a solicitation includes the DFARS CMMC clause, reporting a current CMMC status is a condition for award. Don't wait until the RFP drops to check SPRS.
  • Primes remain responsible for flow-downs and must confirm subcontractor status before awarding subcontracts that involve FCI or CUI. Plan for verification in your intake process.

Quick Checklist You Can Use Now

  • Inventory systems that process FCI or CUI and tie them to contract line items. (See: U.S. Department of War)
  • Confirm SPRS entries and eMASS access. Fix missing or stale entries. (See: SPRS)
  • If you need a C3PAO assessment, contact accredited assessors and get on the calendar. (See: cyberab.org)
  • Update subcontractor onboarding to require proof of CMMC status before subcontract award.
