
CMMC 48 CFR Final Rule: What Contractors Must Do Now

BomberJacket Networks

The CMMC 48 CFR Final Rule is now officially in effect, reshaping cybersecurity requirements for the entire Defense Industrial Base. The Department of Defense (DoD) published the final rule in the Federal Register on September 10, 2025, with an effective date of November 10, 2025. That date marks the start of CMMC Phase 1, where cybersecurity assessments become a condition of award for new DoD contracts.

If your organization handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), this rule changes what you must do to stay eligible.

What the CMMC 48 CFR Rule Means

Beginning November 10, 2025, CMMC requirements will start appearing in solicitations. During Phase 1:

  • CMMC Level 1 self-assessments are required for contractors handling only FCI
  • CMMC Level 2 self-assessments are required for contractors handling CUI
  • Assessments must be completed before award
  • Scores must be submitted to SPRS
  • Contracting officers will verify these results

Failure to complete a CMMC self-assessment will make your organization ineligible for award.

This is the DoD's first enforcement phase. The full program rollout continues through 2028, eventually requiring third-party Level 2 assessments and government-led Level 3 assessments for the highest-risk contracts.

Why You Must Act Now

Even though CMMC enforcement begins under 48 CFR in 2025, the underlying requirements already exist.

Contractors must comply with:

  • DFARS 252.204-7012 (implement NIST SP 800-171)
  • DFARS 252.204-7019 (SPRS score submission)
  • DFARS 252.204-7020 (DoD validation reviews)

CMMC simply measures your actual implementation of the required cybersecurity controls.

Core Actions to Take Before CMMC Phase 1

1. Complete a NIST SP 800-171 Self-Assessment

Use the official DoD Assessment Methodology, not a simplified checklist. Every score must be defensible.

2. Build or Update Your System Security Plan (SSP)

Your SSP must fully describe how controls are implemented, including policies, procedures, network boundaries, and CUI flows.

3. Create a Plan of Action & Milestones (POA&M)

Document all gaps, owners, timelines, and remediation steps. Our compliance readiness services can help you build a comprehensive POA&M that meets CMMC requirements.

4. Submit Your Score to SPRS

CMMC Phase 1 requires SPRS scores before award, and contracting officers will check them.

5. Prepare for Future C3PAO Assessments

Phase 2 and Phase 3 will introduce mandatory third-party CMMC Level 2 assessments. Working with an experienced cybersecurity services provider ensures you're building the right security foundation now.

Get Ready for CMMC 48 CFR Compliance

The launch of CMMC Phase 1 marks the beginning of real enforcement across the DIB. Contractors who prepare now will stay competitive and contract-eligible as the DoD phases in CMMC through 2028.

Navigating CMMC can be complex and overwhelming, and an experienced partner like us can help ease the pressure. Contact us today to get our authorized C3PAO experts in your corner.

Need Help with CMMC Compliance?

BomberJacket Networks is Minnesota's only C3PAO-authorized MSP with 25 years of expertise. Get a free consultation to assess your CMMC compliance readiness.
