CMMC compliance just became mandatory.
On September 10, 2025, the Department of Defense will publish the final CMMC rule. This rule starts November 10, 2025. Defense contractors now have a hard deadline.
What This Rule Does
The new rule changes defense contracts. It makes CMMC status required before contract award. Before this, companies could self-report their cybersecurity. Now outside checks are often required.
What Changes:
- You must have CMMC status before winning contracts
- Contract officers cannot award contracts to companies without current CMMC status in the government system
- All subcontractors handling sensitive data must also meet CMMC rules
- You must stay compliant during the entire contract
The Two-Phase Plan
Phase 1: November 10, 2025 - November 9, 2028
Program offices can choose to require CMMC for contracts. Not all contracts will have CMMC rules during this phase. The rule excludes contracts only for basic store-bought items.
Phase 2: Starting November 10, 2028
Program offices must require CMMC when contractors will handle government data on their computers. Contracts only for basic store-bought items are still excluded.
Why You Need to Act Now
The Assessment Challenge: Many companies will need CMMC compliance. There are not enough assessors. Companies that wait will face:
- Longer waits for assessments
- Higher costs
- Risk of missing contract chances
The Competition Edge: Ready contractors will be set when CMMC rules appear in contract bids. Unprepared companies may be shut out from bidding.
What You Must Do
Right Now (Next 30 Days)
- Check your cybersecurity against government rules
- Find out which CMMC level applies to your work
- Make a timeline to get ready before contracts require CMMC
Soon (Next 6 Months)
- Write your security plan
- List your current security steps
- Start fixing missing security controls
- Sign up for the government tracking system if needed
Later (6-12 Months)
- Finish self-checks for CMMC Level 1 or Level 2
- Book outside assessment if CMMC Level 2 check is required
- Train your team on ongoing rules
- Set up processes for yearly compliance checks
The Cost of Waiting
The rule is clear. Contract officers must check the government system. They cannot award contracts to companies without the required CMMC status posted at the right level.
This means:
- No CMMC status = No contract award
- No exceptions
- No extra time
Supply Chain Impact
Prime contractors must check subcontractor CMMC status before giving them work. This applies when subcontractors will handle government data.
This creates rules throughout the defense supply chain. Even small suppliers may need CMMC compliance to work on defense projects.
Bottom Line
The CMMC rule creates clear requirements. Starting November 10, 2025, contract bids may include CMMC rules based on program office decisions.
Prep time is limited. Companies that start CMMC compliance work now will be ready to compete when rules appear in bids. Those that wait risk being shut out from opportunities.
Ready to start? Prescott helps defense contractors understand CMMC rules and develop compliance plans. Our experts guide companies through the process to stay competitive in defense work.
Contact Prescott today to check your CMMC readiness and create your compliance plan.
The full rule is at https://public-inspection.federalregister.gov/2025-17359.pdf.
