CMMC Program Moves into Implementation Phase
Contract Enforcement Expected in Late 2025
The Defense Department’s long-awaited Cybersecurity Maturity Model Certification (CMMC) program is now in effect, with formal contract enforcement slated for later this year.
The final CMMC Program Rule (32 CFR), published October 15, 2024, took effect December 16, 2024, codifying the framework in federal regulations. A complementary acquisition rule (48 CFR), expected to be finalized in early to mid-2025, will embed CMMC requirements into Department of Defense contracts as a pre-award condition. The 48 CFR was just sent to OMB for final review on July 22, 2025.
Phased Rollout Underway
The Pentagon has adopted a four-phase, three-year rollout plan. Phase One, beginning with the 48 CFR final publication later this year, lasts one year and allows CMMC self-assessment requirements to begin appearing in solicitations for both Level 1 and Level 2. The second phase, beginning one year after the 48 CFR publication, will require external C3PAO assessments for most companies requiring Level 2 certification.
Depending on your level, results must be reported into government systems such as the Supplier Performance Risk System (SPRS) or eMASS.
Industry Already Preparing
Since February 28, 2025, contractors have been able to conduct Level 2 self-assessments in SPRS. More than 350 companies have already undergone government-led assessments, according to Defense Department figures. Industry consultants say the message is clear: the CMMC framework is here to stay. “This is statutory and regulatory policy — it’s not going away,” one cybersecurity advisory firm said in a June update.
Next Steps for Contractors
Experts recommend that companies begin aligning with the security practices in NIST SP 800-171 now, even if CMMC requirements have not yet appeared in their contracts. This includes documenting security controls, updating system security plans, and remediating gaps.
Once the acquisition rule takes effect, awards for contracts involving sensitive information will require proof of CMMC certification or self-assessment, along with annual affirmations in SPRS.
Bottom Line
With the 32 CFR rule finalized and implementation underway, the CMMC program is shifting from policy to practice. Contractors who delay preparation risk being locked out of future defense work once full enforcement begins later this year.