Starting November 10, 2025, the DoD will begin enforcing new requirements under the CMMC (Cybersecurity Maturity Model Certification) 2.0 program through the 48 CFR rule that implements the defense acquisition (DFARS) clauses. This is a pivotal moment for contractors in the Defense Industrial Base (DIB): solicitations and contracts issued on or after that date can require, depending on the level assigned, either a current self-assessment with affirmation or a third-party certification as a condition of award.
Under the phased rollout, the November 2025 date begins Phase 1, in which solicitations and contracts may require Level 1 or Level 2 self-assessments (or, at the DoD's discretion, Level 2 third-party assessments) for systems that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Later phases tighten the requirements, with mandatory third-party certification for most Level 2 CUI environments and, eventually, Level 3 assessments conducted by the government.
What the November 10 Rule Means in Practice
1. DFARS Clauses Become Contractual Mandates
With the 48 CFR rule in effect, the DoD will be authorized to insert DFARS 252.204-7021 (and the solicitation provision 252.204-7025) into solicitations and contracts. These clauses state the required CMMC level and obligate the contractor to hold and maintain the corresponding CMMC status (a current self-assessment with annual affirmation, or a valid certification) for the duration of the contract, and to flow the requirement down to subcontractors that handle FCI or CUI. The required level is set by the DoD based on the sensitivity of the information the contractor will process (FCI versus CUI) and the associated risk.
2. Self-Assessments for Level 1 & Some Level 2
In Phase 1, Level 1 obligations (systems that handle FCI only) require an annual self-assessment against the 15 basic safeguarding requirements of FAR 52.204-21, with the results and an annual affirmation recorded in the Supplier Performance Risk System (SPRS). No third-party audit is required at Level 1, and no Plan of Action and Milestones (POA&M) is permitted: every Level 1 requirement must be fully met.
For Level 2 environments (systems that handle CUI), some Phase 1 contracts allow a self-assessment against the 110 requirements of NIST SP 800-171, while higher-risk CUI environments require a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO), depending on the contract. Verify which DFARS requirements are attached to your contract; we are happy to help identify exactly what level of assessment is needed for your compliance.
Level 3 assessments are conducted by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than by a C3PAO, apply to a small number of programs, and require a Level 2 certification as a prerequisite. Your contracting officer will specifically identify whether Level 3 is a requirement.
3. Graduated Phases Toward Full Implementation
The DoD will phase in stricter requirements over the next several years. This gives contractors time to work toward compliance while continuing to perform on existing contracts, rather than having to have everything done yesterday.
- Phase 2 (November 2026): Level 2 certification assessments by a C3PAO become required for applicable new contracts, and the DoD may begin requiring Level 3 at its discretion
- Phase 3 (November 2027): Level 2 certification also becomes a condition of exercising options on earlier contracts, and Level 3 assessments by DIBCAC become required where applicable
- Phase 4 (November 2028): full implementation, with CMMC requirements included in all applicable DoD solicitations and contracts, including those with CUI or higher risk profiles
What Contractors Should Do Now — Strategic Preparation
⚙️ Assess your current state
Conduct a gap analysis against CMMC Level 1 (the 15 FAR 52.204-21 safeguards) and Level 2 (the 110 NIST SP 800-171 requirements). Identify undocumented controls, weaknesses, and areas needing remediation, and capture the results in a System Security Plan (SSP) and a POA&M so that the evidence trail an assessor expects already exists.
🛠 Build or mature your cybersecurity program
Ensure you have documented policies, procedures, logging, incident response, access controls, and vulnerability management practices. Everything must align not only with the CMMC practices themselves but also with what an assessor will expect to see as evidence that each practice is implemented.
🧰 Select assessment partners early
Because demand for C3PAOs (CMMC Third-Party Assessment Organizations) will spike as Phase 2 approaches, early planning and selection can reduce wait times.
📝 Track and affirm compliance
Prepare to submit self-assessment results in SPRS and complete the required affirmations annually. For contracts requiring third-party assessments, maintain certification currency (a certification is valid for three years, with an affirmation each year) and continuous compliance between assessments.
🧭 Watch for evolving rules & enforcement
Stay attuned to DoD memos, updates from the Cyber AB (the CMMC accreditation body), and contracting office guidance; nuances may arise in interpretation or waiver policies.
Risks & Considerations
- Assessment capacity may be limited: recent audits found weaknesses in the DoD's oversight of C3PAO authorizations. Combined with the number of contractors that will need certification at the same time, this could slow or complicate your assessment pipeline.
- Conditional certification and Plan of Action allowances: at Level 2, a limited number of unmet requirements may be carried on a POA&M under a conditional status, provided the minimum assessment score is met and the open items are closed out within 180 days; if they are not, the conditional status lapses. No POA&M is allowed at Level 1.
- Contract risk for non-compliance: if your contract requires a particular CMMC level and you fail to achieve or maintain it (or to submit the required certification and affirmations), contract awards, option exercises, or performance extensions could be jeopardized.
Looking Ahead: Why November 10 Matters
The November 10, 2025 date is not just a symbolic milestone: it marks the first day on which new solicitations and awards can carry an enforceable CMMC requirement. For many contractors, successful bidding will require not just cybersecurity readiness but documented, auditable compliance. The phased approach gives some breathing room, but early movers will have a competitive edge.
If your organization works with the DoD or as a subcontractor in that ecosystem, now is the time to act. Begin assessment preparation, bring in experts, and ensure your systems, policies, and personnel are ready to meet the requirements. November 10 will be here before you know it, and when it arrives, the rules of engagement change.
Contact DTD Security to discuss your current status as well as what is needed to get you fully in compliance with CMMC.
David.hall@dtdsecurity.com or call us at 720-297-3001
