CMMC Final Rule Published: What You Need to Know Now
Posted by: Jason Spencer
The Final Rule is Official
The Department of Defense published the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) on September 10, 2025. This rule becomes effective on November 10, 2025, marking the beginning of a 3-year phased rollout for implementation. You need to review this rule, along with the CMMC Program itself (32 CFR Part 170), and act immediately — waiting will put your organization behind on compliance requirements.
CMMC, or Cybersecurity Maturity Model Certification, is a Department of Defense (DoD) program that requires defense contractors and subcontractors to implement specific cybersecurity measures to protect sensitive information, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). An SPRS (Supplier Performance Risk System) score is a self-assessment score for U.S. DoD contractors that measures their compliance with the NIST SP 800-171 cybersecurity controls.
Current Compliance Requirements
In accordance with 32 CFR Part 170, contractors are required to provide a CMMC self-assessment Supplier Performance Risk System (SPRS) score or a CMMC certification, depending on the contract language at time of award. At minimum, an organization must upload an SPRS score to https://www.sprs.csd.disa.mil/ as part of any existing contract, or in preparation for bidding on or being awarded a contract. Starting November 10, 2025, solicitation clauses requiring CMMC compliance and/or certification will begin appearing in contracts. After the three-year phased rollout is completed, all organizations will need formal CMMC certification to qualify for DoD contracts.
Key Language from the Final Rule
The updated solicitation provision clearly states that offerors will not be eligible for contract awards if they lack:
- Current CMMC status in SPRS at the required level specified in paragraph (b)(1) of the provision
- Current affirmation of continuous compliance with security requirements identified in 32 CFR Part 170 for each contractor information system that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)
Beginning November 10, 2025, DoD contracting officers have discretion to include clauses requiring Level 2 certification for CUI protection, even during Phase 1 of the rollout. Organizations that work with or expect to work with CUI data should, at minimum, have a developed System Security Plan (SSP) and Plan of Action and Milestones (POA&M) ready.
The table below provides timing and expectations specific to each phase of the rollout.
| Phase | Timing | Requirements During Each Phase |
|---|---|---|
| Phase 1 | Starts November 10, 2025 | At minimum CMMC Level 1 (Self-Assessment), or Level 2 (Self-Assessment, SPRS score). Contracts can require Level 2 third-party (C3PAO) assessments. |
| Phase 2 | Starts November 10, 2026 | New contracts more likely to require Level 2 third-party (C3PAO) assessment/certification. |
| Phase 3 | Starts November 10, 2027 | Level 2 third-party (C3PAO) certification will be required for award and for exercising options on existing contracts. |
| Phase 4 | Starts November 10, 2028 | All solicitations and contracts will require certification at the CMMC program level with the appropriate assessment type/certification. SPRS scores will no longer be accepted or sufficient for contract award or continuation. |
As an RPO (Registered Provider Organization), GuidePoint Security can provide expert guidance for your CMMC compliance efforts. GuidePoint offers CMMC gap assessment and advisory services, delivered by Registered Practitioner (RP) and Registered Practitioner Advanced (RPA) consultants with operations backgrounds who understand how to apply the CMMC controls to your environment, as well as how to define the in-scope environment and identify any changes or additions needed to close compliance gaps.
A gap assessment can be viewed as a “practice run” for formal CMMC certification by a C3PAO (CMMC Third-Party Assessor Organization).
Jason Spencer
Senior Security Consultant, Compliance,
GuidePoint Security
Jason Spencer is a Senior Security Consultant in GuidePoint Security's Compliance practice. He began his career in the security industry in 2010, and his professional experience includes security assessments, specializing in network, wireless, and vulnerability management. Jason has led and participated in compliance assessments throughout the world for industries such as banking, commercial, and federal agencies. Jason's extensive experience in network security assessments includes perimeter, network, and wireless assessments, database auditing, workstation review, social engineering, and firewall auditing. He has also worked within Network Operations Centers (NOC) and Security Operations Centers (SOC).
Jason earned a Bachelor of Arts degree in Geology with Teacher certification and holds several certifications, including the Certified Information Systems Security Professional (CISSP).