What to Know About the November 10 Rule
You may have heard that November 10, 2025 was a big day for cybersecurity compliance in the defense industry. But what does it really mean for your business? Should you already be CMMC certified? Do you need to update your SPRS score? And most importantly, how can you stay compliant and competitive for future contracts?
In this article we’ll answer:
- What changed on November 10, 2025?
- Who must comply with CMMC requirements?
- When will CMMC begin appearing in contracts?
- When do I actually need to be CMMC certified to win contracts?
- How do I know which CMMC level I need to meet?
- Does CMMC apply to subcontractors?
- Do I need to update my SPRS score?
- Is there a grace period or waiver process during the rollout?
- What do I need to do now to prepare?
What Changed on November 10, 2025?

This means CMMC is going to start appearing in your contracts soon.
Who must comply with CMMC requirements?
The CMMC rule is wide-reaching and applies to most DoD acquisitions, including:
- Commercial products and services
- Contracts at or below the simplified acquisition threshold (but not micro-purchases)
The only broad exemption applies to contracts exclusively for commercially available off-the-shelf (COTS) items.
When will CMMC begin appearing in contracts?
CMMC requirements will begin appearing in Department of Defense (DoD) contracts starting November 10, 2025, as part of a phased implementation under the finalized acquisition rule and revised DFARS clauses. Here’s how the rollout works:
Phase 1 — November 10, 2025:
- Most contracts require Level 1 or Level 2 self-assessments.
- Some may require Level 2 third-party assessments at DoD discretion.
Phase 2 — November 10, 2026:
- Third-party Level 2 certifications through C3PAOs become mandatory for more contracts, particularly those handling sensitive data.
Phase 3 — November 10, 2027:
- Level 3 certifications (by DIBCAC) may be required for high-sensitivity contracts.
- Most defense contracts will now require some form of external certification.
Phase 4 — November 10, 2028: Full enforcement:
- All applicable DoD contracts must include CMMC, except COTS items. Contractors and subcontractors must be certified at the required level before award or exercising options.
When do I actually need to be CMMC certified to win contracts?
To win new Department of Defense contracts that include CMMC requirements, you must be certified at the required level (Level 1 or 2, as detailed in the solicitation) at the time of contract award, starting November 10, 2025.
If you expect to hold or bid on a contract that requires a Level 2 third-party certification (C3PAO), allow 12–18 months for readiness, as the DoD can require these at its discretion even in the early phases.
How do I know which CMMC level I need to meet?
The primary way to determine your required CMMC level is through your DoD contract. Each contract will specify whether you must meet Level 1, Level 2 (self-assessment or C3PAO-certified), or Level 3.
Here’s how the contract requirements typically break down:
- Level 1 is listed when the work involves only Federal Contract Information (FCI).
- Level 2 (Self-Assessment) appears when you handle lower-sensitivity CUI that the DoD does not classify as critical to national security.
- Level 2 (C3PAO Certified) is required when the contract involves high-priority or more sensitive CUI and the DoD mandates independent verification.
- Level 3 is specified only for high-sensitivity or national-security–critical information that requires advanced protection.
Even though the types of information you handle determine why the DoD assigns a level, the final and authoritative source is always the contract language. If the contract explicitly states the needed level or that a third-party assessment is required, you must follow that requirement.
Does CMMC apply to subcontractors?
Yes, and this often causes stress for prime contractors. Subcontractors must meet the same level as the prime contractor, ensuring consistency across the supply chain. Read about how Alluvionic helped a client and their subcontractor tackle CMMC Level 2 compliance. https://alluvionic.com/cybersecuritycompliance/cmmc/cmmc-compliance-for-your-supply-chain/
Do I need to update my SPRS score?
Yes. Contracting officers cannot award a contract unless the offeror has a current CMMC status at the required level in SPRS (Supplier Performance Risk System). Read our quick SPRS guide for everything you need to know about SPRS. https://alluvionic.com/what-is-sprs/
Is there a grace period or waiver process during the rollout?
There is no grace period for CMMC certification during the rollout phase; contractors must have the required CMMC status at the time of contract award to be eligible. The Department of Defense will immediately enforce CMMC requirements for new contracts starting November 10, 2025, and delayed implementation is not permitted for new bidders.
While there is no general waiver process, CMMC 2.0 does allow Level 1 and some Level 2 self-assessments, which makes compliance more accessible for smaller businesses and those working with less sensitive information. If you’re looking for practical, budget-friendly ways to achieve CMMC compliance as a small business, explore how Alluvionic helped Sandem Industries reach CMMC Level 2 readiness through a customized, cost-effective engagement. https://alluvionic.com/customer-success-story-sandem-industries-prepares-for-cmmc-level-2-certification/
What do I need to do now to prepare?
CMMC certification is a challenging, time-consuming investment, but the process becomes far more manageable when you begin with a few simple, foundational steps:
- Identify Your CMMC Level: Clarify whether your contracts involve FCI or CUI. This drives your required level of compliance and determines the assessment path (self-assessment vs. third-party certification).
- Complete a Gap Assessment: Don’t wait. Benchmark your current practices against the CMMC requirements using a Registered Practitioner Organization (RPO) like Alluvionic or an internal review aligned with the CMMC Assessment Guides.
- Budget Beyond Certification: Certification is not a one-time event. Sustainment costs, such as continuous monitoring, documentation updates, and assessment preparation, are a critical part of long-term compliance.
How Alluvionic Can Help
Alluvionic is one of the earliest RPOs and has seen multiple clients successfully through certification.
What Makes Us Different:
- We are CMMC Level 2 certified ourselves. We’ve been through the certification process ourselves, so we know exactly what it takes. With proven CMMC expertise and exceptional project and change management capabilities, we support the full scope of a cybersecurity transformation.
- We Make CMMC Crystal Clear. CMMC is packed with jargon, acronyms, and complex regulations, but we strip away the confusion. No tech-speak, no guesswork—just a clear, step-by-step path to certification. Our experts translate cybersecurity into plain English, so you know exactly what to do, why it matters, and how to get compliant quickly.
- Trusted by 150+ Government Contractors. We’ve helped 150+ contractors cut through the complexity of DFARS, NIST, and CMMC to turn confusion into clear, actionable plans. Our streamlined approach eliminates wasted time, overspending, and uncertainty, getting you certification-ready faster than the competition.
- An Established CMMC Partner. As one of the first Cyber-AB RPOs (since 2021), our battle-tested processes and expert support have been vetted, refined, and trusted for years, not hastily assembled. While others rushed in to chase quick profits, we built a solid foundation for efficient, stress-free compliance that stands the test of time.
- Women-Owned. Small Business Focused. We get the unique challenges of small and mid-sized contractors, because we are one. Our solutions are built for business owners, ensuring compliance is practical, affordable, and stress-free.
Contact Us
Contact Alluvionic today (https://alluvionic.com/contact/) to schedule a free readiness consultation, or download our CMMC Readiness Toolkit (https://alluvionic.com/cmmc-resources/) for access to our free CMMC Compliance Checklist, Subcontractor Readiness Guide, C3PAO Selection Guide, and more.




