CMMC Final Rule Published: What You Need to Know Now
Posted by: Jason Spencer
The Final Rule is Official
The Department of Defense published the final rule Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) on September 10, 2025. The rule takes effect on November 10, 2025, which starts the clock on a three-year phased rollout. Review this rule together with the CMMC Program rule itself (32 CFR Part 170) and act now; an organization that waits will fall behind the contract requirements that begin appearing on the effective date.
CMMC, or Cybersecurity Maturity Model Certification, is a Department of Defense (DoD) program that requires defense contractors and subcontractors to implement specific cybersecurity measures to protect sensitive information, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). An SPRS (Supplier Performance Risk System) score is the self-assessment score a U.S. DoD contractor records to show its implementation of the NIST SP 800-171 security requirements.
Current Compliance Requirements
Under 32 CFR Part 170, a contractor must hold the CMMC status called for in the contract at the time of award: the results of a CMMC self-assessment recorded in the Supplier Performance Risk System (SPRS), or a CMMC certification from a third-party assessment. At a minimum, an organization must have a current SPRS score on file for its existing contracts and before bidding on or accepting a new award. Starting November 10, 2025, solicitation provisions and contract clauses requiring CMMC compliance and, where specified, certification will begin appearing in DoD solicitations and contracts. Once the three-year phased rollout is complete, every DoD solicitation will state the CMMC level and assessment type required, and organizations will need the corresponding CMMC status to qualify for award.
Key Language from the Final Rule
The updated solicitation provision states that an offeror is not eligible for contract award unless it has both of the following:
- A current CMMC status in SPRS at the level specified in paragraph (b)(1) of the provision
- A current affirmation of continuous compliance with the security requirements in 32 CFR Part 170 for each contractor information system that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)
Beginning November 10, 2025, DoD contracting officers have discretion to include a Level 2 third-party (C3PAO) certification requirement for CUI protection, even during Phase 1 of the rollout. An organization that handles, or expects to handle, CUI should at minimum have a completed System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) ready. Keep in mind that under 32 CFR Part 170 a POA&M does not defer compliance indefinitely: only certain requirements may be left open on a POA&M, and open items must be closed within 180 days to move from a conditional to a final CMMC status.
The table below provides timing and expectations specific to each phase of the rollout.
| Phase | Timing | Requirements During Each Phase |
|---|---|---|
| Phase 1 | Starts November 10, 2025 | At minimum, CMMC Level 1 (Self-Assessment) or Level 2 (Self-Assessment) with results recorded in SPRS. At DoD discretion, a contract can require a Level 2 third-party (C3PAO) assessment. |
| Phase 2 | Starts November 10, 2026 | New contracts that involve CUI will increasingly require a Level 2 third-party (C3PAO) certification rather than a self-assessment. |
| Phase 3 | Starts November 10, 2027 | Where a contract specifies Level 2 (C3PAO), the certification is required both for award and for exercising options on existing contracts. |
| Phase 4 | Starts November 10, 2028 | Full implementation: every solicitation and contract states the required CMMC level and assessment type, and the offeror must hold that CMMC status in SPRS. A NIST SP 800-171 DoD self-assessment score on its own will no longer satisfy a CMMC requirement for award or continuation. |
As a Registered Provider Organization (RPO), GuidePoint Security can provide expert guidance for your CMMC compliance efforts. GuidePoint offers CMMC gap assessment and advisory services delivered by Registered Practitioner (RP) and Registered Practitioner Advanced (RPA) consultants with operations backgrounds. They understand how to apply the CMMC requirements to your environment, help define the in-scope assessment boundary, and advise on the changes and additions needed to close compliance gaps.
A gap assessment can be treated as a practice run for a formal CMMC certification assessment by a C3PAO (CMMC Third-Party Assessor Organization).
Jason Spencer
Senior Security Consultant, Compliance,
GuidePoint Security
Jason Spencer is a cybersecurity consultant with more than a decade of experience in security assessments, compliance, and risk management. Since beginning his cybersecurity career in 2010, he has specialized in network security, wireless security, vulnerability management, and regulatory compliance assessments across commercial, banking, and federal environments.
Jason has extensive experience conducting NIST 800-171 and CMMC assessments, having led and participated in more than 100 assessments since 2017. He is a Certified CMMC Professional (CCP) and also supports organizations with NIST 800-53, HITRUST, DFARS, HIPAA, and PCI compliance initiatives. Additionally, Jason has served as a Qualified Security Assessor (QSA) since 2019 and is trained on PCI DSS 3.2.1 and 4.0.1.
His technical expertise includes perimeter, network, wireless, and firewall security assessments, database auditing, workstation reviews, social engineering, and security operations support within both Network Operations Center (NOC) and Security Operations Center (SOC) environments.
Jason holds a Bachelor of Arts degree in Geology with teacher certification and maintains several industry certifications, including CISSP. He has also presented at Converge in Anaheim, California.