On October 15th, 2024, the CMMC ruling – known formally as the 32 CFR Part 170 ruling, or the “Program Rule” for CMMC – was published, establishing the framework for CMMC. On September 10, 2025, the 48 CFR Final Rule, or “contract rule”, was published, making that framework applicable to contracts beginning November 10, 2025.
This CMMC Program Rule creates a framework for contractors and subcontractors to demonstrate that FCI and CUI being processed, stored, or transmitted is adequately safeguarded. While the government’s phased rollout won’t be complete until 2028, prime contractors are already expecting subcontractors to meet CMMC requirements, securing their supply chains.
Long story short, you need to be CMMC compliant. We encourage you to act now, as the demand for compliance services will grow and strain MSPs and C3PAOs, which could mean much longer wait times for implementation and assessments.
It typically takes organizations anywhere from 6-18 months to prepare for an assessment, but it can take longer depending on your baseline security posture and whether you take advantage of MSP services.
Check your existing contract requirements to determine your appropriate level of CMMC. If you have existing DFARS 7012 requirements and you handle CUI, it is likely that you'll need to be CMMC Level 2 compliant.
Starting with the CMMC Phase One rollout, DFARS provision 252.204-7025 stipulates that contract solicitations will specify the required CMMC level to bid on a given contract. The solicitation will say, “The CMMC level required by this solicitation is ____.” The contracting officer fills in one of these options:
It also specifies that level or higher is required for each contractor information system that will process or transmit FCI or CUI. In any case, all DIB contractors will need at least CMMC Level 1 to handle federal contract information.
Short answer: CMMC will be in defense contracts starting in November of 2025.
As of November 10, 2025, program managers will include CMMC requirements in new solicitations and contracts. Until November 2026, PMs have the discretion to include CMMC Level 2 (C3PAO) status requirements – achievable only through 3rd-party assessment.
Current DoD guidance requires that contractors handling any of the defense categories of CUI achieve CMMC Level 2 (C3PAO) status at a minimum.
Indeed, there are two separate CMMC rules, 32 CFR and 48 CFR.
The first rule, known as the "32 CFR CMMC," codifies the CMMC program. This rule, published as a final rule in October 2024, officially makes certification assessments available on the market. National Security programs like CMMC are codified in Title 32 of the Code of Federal Regulations.
The second rule updates the DFARS contract clause 252.204-7021, which outlines the CMMC requirements, to align with the 32 CFR CMMC program details. This clause, originally published in 2020, was finalized in September 2025. It takes CMMC requirements and makes them applicable to contracts. This rule is the one that enforces CMMC guidelines beginning in November 2025.
With two distinct CMMC rules on separate publication schedules, the CMMC program will undergo two different roll-outs. The "market roll-out" started when the 32 CFR CMMC rule became effective, allowing early adopters and competitors to seek certification voluntarily starting in Q1 2025, even before the DoW requires it in contracts.
The official "phased roll-out" began November 10, 2025, enabling the DoW to include specific CMMC level requirements in contracts and solicitations.
Many large prime contractors are requiring their suppliers to get certified early, accelerating the market roll-out. Hundreds of companies are already certified at Level 2.
Speak with an expert from Summit 7 or see our 7 Steps to CMMC Compliance to get clear next steps for your organization.
To learn more about CMMC phase one as a whole, watch our free webinar.