Happy C-Day! After 5+ Years, CMMC Is Finally Here
Posted by: Dan Mengel
The CMMC Acquisition Rule Starts Today
It’s been a long time coming, but the day has finally arrived. The CMMC Acquisition Rule (formally the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)) is effective today (November 10, 2025).
What Does that Mean?
As of today, the U.S. Department of War (DoW) can now start adding into all of its contracts, at its discretion, clauses requiring entities to hold a CMMC certification as a condition of contract award. Yes, all of its contracts, even though the program is technically being phased in over a three-year period (see Jason Spencer’s prior blog post for more details). At the end of that three-year period, all contracts will contain this clause in some form or fashion.
Keep in mind that, under the DFARS clause (252.204-7012), the DoW has legally required all its contractors to be compliant with NIST SP 800-171 since the beginning of 2018, and to self-attest to that compliance.
What Does It Do?
The CMMC program effectively adds a third-party certification and attestation layer, with False Claims Act implications, to what was originally a self-attestation scenario.
So, theoretically, this should just be a certification exercise, right?
Does CMMC Impact My Organization?
Unfortunately, the reality is that many prime and sub-contractors handling Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) are not fully compliant with NIST SP 800-171. In many cases, it may not be entirely clear what FCI and/or CUI they store, process, transmit, or generate, or to which they have access as a subcontractor.
If you are a prime contractor to the DoW, or if you are a subcontractor to a prime, and if you have not already started exploring this critical compliance driver, you need to start that conversation today and figure out if you store, process, transmit, generate, and/or have access to FCI and/or CUI.
- If you are a prime, talk to your DoW Contracting Officer and Program Office. They should have already spelled out for you in contract documentation what is CUI and should have marked it accordingly.
- If you are a sub, talk to your prime. In both cases, always include your legal and contracts personnel.
How Can GuidePoint Help?
GuidePoint is a CMMC Registered Provider Organization (RPO). As an RPO, GuidePoint Security can provide expert guidance with your CMMC compliance efforts. We offer CMMC gap assessment and advisory services, delivered by Registered Practitioner (RP) and Registered Practitioner Advanced (RPA) consultants. This team has operations backgrounds and understands how to apply the CMMC controls to your environment. They can also advise on defining the in-scope environment and on any changes or additions needed to close compliance gaps. A gap assessment can be viewed as a “practice run” for formal CMMC certification by a C3PAO. For more information, visit https://www.guidepointsecurity.com/cybersecurity-maturity-model-certification-cmmc-readiness/.
Dan Mengel
Practice Director, Compliance,
GuidePoint Security
Dan Mengel, Practice Director at GuidePoint Security, began his career in the security industry in 2000. He has delivered high-quality consulting services, directly and by leading others, in the areas of information security program architecture, security policy development, and security vulnerability, risk, and compliance assessments. He has developed sales and delivery processes and documentation templates for all of these engagement types. Dan is currently leading GuidePoint’s Compliance team in delivering assessment and advisory services for multiple information security standards. He also has significant prior experience designing and integrating security technology solutions from Cisco, Check Point, Websense, RSA, and others.
Dan earned a Bachelor of Science degree in Computer Information Systems from Goldey-Beacom College and holds several recognized information security industry certifications.