
48 CFR CMMC Final Rule: What It Means for the DIB and How to Prepare

By: Diana Salazar

A Big Change Is Here

The Department of Defense has finalized the rule that makes the Cybersecurity Maturity Model Certification (CMMC) part of actual contracts. This rule was published on September 10, 2025, and takes effect November 10, 2025. What does that mean for you? Starting November 10, contracting officers can include CMMC requirements in new solicitations and awards. Over the next three years, this will become standard for most DoD contracts.

Here’s the good news: you still have time, and you can prepare without blowing your budget. We want to help you cross the CMMC compliance finish line and stay compliant. Keep reading to learn what’s changing, what you’ll see in RFPs, what steps you can take now to stay competitive, and how Securitybricks can help you.

What changed with 48 CFR?

Until now, CMMC was more of a policy than a contract requirement. That changes with the 48 CFR final rule. This rule adds CMMC language into the Defense Federal Acquisition Regulation Supplement (DFARS), which means it’s now enforceable in contracts.

Two key pieces of language make this happen:

  • DFARS 252.204-7025 – This is the notice in the solicitation. It tells you what CMMC level you need to have to be eligible.
  • DFARS 252.204-7021 – This is the contract clause. It says you must keep that CMMC level for the entire contract, including any extensions.

In plain English:

  • You need to comply with the correct CMMC level before you can win government contracts.
  • You need to maintain that level of compliance for as long as you’re on the contract.
  • Your subcontractors need to meet the same standard for their part of the work.

What Levels Mean and What’s Required

Here’s a quick refresher:

Level 1: For contracts with Federal Contract Information (FCI). Requires an annual self-assessment.

Level 2: For contracts with Controlled Unclassified Information (CUI). Requires either a self-assessment or a third-party certification (C3PAO), depending on the program.

Level 3: For the most sensitive programs. Requires a DoD-led assessment.

What you’ll see in RFPs and Contracts

Here’s how these changes will show up in real life.

Section I: The Legal Stuff

This is where the DFARS clauses live. Expect to see language like:

“The Offeror shall have a current CMMC status for each information system proposed to be used in performance of this contract, at or above the level identified in the solicitation.” (DFARS 252.204-7025)

And:

“The Contractor shall maintain the CMMC level identified in this contract for the in-scope information system(s) throughout contract performance, including option periods.” (DFARS 252.204-7021)

Translation: You need the right CMMC level to win, and you need to maintain it throughout the life of the contract, including any extensions or renewal period.

Section L: What You’ll Need to Submit

Expect instructions like these:

  • Tell us your CMMC level for each system you’ll use.
  • Give us your official and unique DoD UID from SPRS (the government’s database).
  • Share the date and score of your last self-assessment and who signed off on it.
  • If Level 2 certification is required, provide the certification date and the name of your assessor (C3PAO).
  • Explain how you’ll make sure your subcontractors meet the right level and how you’ll keep checking during the project.

Section M: How You’ll Be Evaluated

Think of this as a pass/fail check. The government will confirm your CMMC status before awarding the contract. They’ll check SPRS for self-assessments or the official CMMC database for Level 2 certifications. If you don’t meet the 110 security requirements from NIST SP 800-171, you won’t be in full compliance, and you won’t win the award.

Subcontractor Flow Down

If you’re the prime contractor, you’re responsible for your subcontractors. You must:

  • Verify their CMMC level before you sign them on.
  • Keep records of that verification.
  • Monitor their status during the contract.

Start With a Simple 30-60-90 Day Plan

You can’t do everything at once. Here’s a practical roadmap to follow:

Days 1–30: Get Clarity

  1. Identify which contracts or bids will need CMMC and determine if they have CUI or FCI information.
  2. Create a CUI boundary that will be used to assess your Level 2 controls.
  3. Identify your FCI or CUI assets, as well as Security Protection Assets (SPA) and Contractor Risk Managed Assets (CRMA) to understand your data flow and determine scope.
  4. Gather your current documentation (System Security Plan, policies, procedures and dataflow diagrams).

Days 31–60: Close Gaps

  1. For Level 1: Make sure the 15 basic safeguards are in place and documented.
  2. For Level 2: Complete NIST SP 800-171 requirements and evidence them.
  3. Post your self-assessment score in SPRS and set up your annual affirmation process.

Days 61–90: Test it

  1. Run a mock assessment to catch any gaps.
  2. If you need a C3PAO, book them now as slots will fill up fast.
  3. Put a process in place to check subcontractor compliance before award and during performance.

4 Common Pitfalls to Avoid

  1. Over-scoping: Don’t pull your entire company into scope if you can isolate the systems that handle CUI.
  2. Leaving documentation for last: For Level 2, most of the work is in policies, procedures, and evidence. Build documentation as you implement it, not after.
  3. Delaying your C3PAO booking: If you need a third-party assessment, schedule early.
  4. Ignoring subs: If your subcontractor isn’t compliant, you’re not compliant.

This plan seems simple, but it is not. The reality is that it is a very time-consuming, highly detailed exercise that requires skill and knowledge. Where we find the biggest challenge with most of our customers is almost always in determining the scope of the CMMC assessment.

How Securitybricks can Simplify your CMMC Journey

CMMC compliance is complex and time-consuming, especially when you’re juggling spreadsheets, chasing down evidence, and trying to keep up with requirements. Securitybricks can take the weight off your shoulders and streamline your CMMC compliance. We pair automation with human insight. Our deep knowledge of compliance enables us to understand the requirements and determine the scope of your CMMC assessment. We use automation to assess the gaps, identify remediation, and develop the evidence.

Our CMMC readiness services, along with the Securitybricks CMMC Accelerator included in our enclave implementations, work behind the scenes to:

  • Design a CUI boundary
  • Implement a CUI enclave using Microsoft GCCH cloud
  • Provide CMMC Level 2 artifacts including SSP, policies and procedures
  • Automatically Validate technical controls
  • Continuously monitor your environment

Whether you’re adding new tools or updating your setup, the automation we add shows you exactly what needs attention to become compliant and remain compliant, without guesswork and back-and-forth, all with a team that understands both the technical and audit sides of CMMC. With Securitybricks you’re not just getting software or a service; you’re getting a partner. Securitybricks is the only Azure-native solution in Marketplace that’s built specifically to automate and simplify the CMMC journey from start to finish.

Why This Matters

Starting November 10, 2025, CMMC will no longer be optional; it becomes part of the contracting process. But it won’t all happen overnight. The Department of Defense is implementing CMMC in three phases over three years. In the first phase, you will see self-assessments, then third-party certifications for Level 2, and finally Level 3 assessments for the most sensitive programs.

This phased approach gives you time to prepare, but don’t wait, as things change rapidly. Many solicitations will start including CMMC language right after the effective date, and primes will expect their subs to be ready. If you start now, you’ll avoid last-minute scrambles and position your company as a trusted, compliant partner.

Date           Milestone
Sept 10, 2025  Final Rule Published
Nov 10, 2025   Rule Effective – Phase 1 Begins (Self-Assessments)
2026           Level 2 C3PAO Certifications Appear in More Contracts
2027           Level 3 DoD-Led Assessments Begin
2028           Full Integration Across DoD Contracts

Book a 30-minute CMMC strategy session or request a live demo of the Securitybricks CMMC Accelerator to see compliance status and guided remediation in Azure cloud environments. Contact us now at: info@securitybricks.io