CMMC is officially in effect November 10: enforcement is real
CMMC has cleared the final hurdle. Starting November 10, the DoD (DoW?) can require CMMC in contracts and check SPRS before award. Here is what changed and what you should do next.
Risk Level
Read Time
“Ok, hold up what actually happened?”
It’s finally happened: the DoD published the final DFARS rule that ties the CMMC program to contracts. It is a Final Rule and becomes effective 60 days after Federal Register publication - the document is scheduled for 09/10/2025, which makes the effective date November 9, 2025 (though it will go into effect on the next Federal business day aka November 10, 2025).
“When is this enforced - and how?”
Beginning on the effective date, contracting officers must check SPRS and cannot award to an offeror that lacks a current CMMC status at the required level for the systems used on the contract. That is the enforcement lever and the final piece to CMMC being required moving forward for the Defense Industrial Base.
There is also a phased implementation: until three years after the effective date, the clause is applied when program offices choose to require CMMC; after three years and one day, the clause is prescribed wherever contractor systems will handle FCI or CUI. Plan for CMMC appearing in more and more solicitations over that period.
“What level do I need?”
Solicitations will call out one of the recognized levels: CMMC Level 1 (Self), CMMC Level 2 (Self), CMMC Level 2 (C3PAO), or CMMC Level 3 (DIBCAC). The required level is set by the program office per 32 CFR part 170 and will be filled into the DFARS clause.
“Is there any grace period?”
For Levels 2 and 3 only, DoD can accept a conditional CMMC status for up to 180 days while a valid POA&M is closed out. A final CMMC status is achieved after successful POA&M close. Use this carefully - it is time-boxed and tracked in SPRS.
“What should I do right now?”
Confirm your target CMMC level for each environment that will process, store, or transmit FCI or CUI.
If you need a Level 2 Certification Assessment (conducted by an authorized C3PAO), schedule your assessment and prep evidence now.
Enter your self-assessment results and affirmation of continuous compliance in SPRS, and make sure your CMMC CAGE codes and UEIDs are accurate. You must provide them with proposals, and contracting officers will check them.
Build a POA&M you can actually close inside 180 days if you plan to use conditional status.
“Bottom line for the DIB”
CMMC is no longer theoretical. On November 10, the DoD can include the clause and make award decisions based on your posted CMMC status in SPRS - and that footprint will expand over the next three years. If you have been waiting, the window just closed. Get started with our free CMMC resources.
CMMC is here. Get ready or get assessed with Hive Systems.
Follow us - stay ahead.
