BACKGROUND
The Department of Defense finalized the CMMC rule under 32 CFR Part 170 in late 2024, and the related DFARS/48 CFR rule was published in September 2025. Beginning November 10, 2025, new DoD solicitations may begin including CMMC requirements—so contractors should expect to see Level 1 self-assessments and some Level 2 self-assessments appearing in solicitations at that time.
The more formal certification requirement arrives on October 31, 2026, when all new DoD contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will include CMMC clauses. For organizations handling CUI under CMMC Level 2, this may include a required third-party assessment prior to award, depending on the sensitivity and risk profile of the contract. Existing contracts may differ based on options and modifications, but new awards will follow this timeline.
Full implementation across the defense industrial base is expected by 2028. Because preparation, remediation, and documentation development can take months, the earlier a contractor begins aligning with NIST SP 800-171, the smoother their assessment process will be. If your team needs help understanding the level that applies to your work or what steps are required to prepare, we're here to assist.
Contact Us
Questions or Comments?
We know that our clients have unique needs. Send us a message, and we will get back to you soon.
Close the Gap - Cyber Consulting
Hours
Open today | 09:00 am – 05:00 pm |
