Yesterday, the Department of Defense published the long-awaited Acquisition Rule under Title 48 of the Code of Federal Regulations (48 CFR/DFARS) in the Federal Register. This rule goes into effect on November 10, 2025 and gives the DoD authority to begin including CMMC requirements directly in solicitations and contracts.
For any business handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), this is a turning point. In short: certification will soon be tied directly to your ability to win and keep DoD contracts.
In plain terms: CMMC enforcement is no longer a future possibility, it’s here.
What This Means for Contractors
If your company works with the DoD, whether as a prime contractor or a subcontractor, you need to be ready for new cybersecurity requirements:
- CMMC certification will become a condition of award and performance.
- The 32 CFR Part 170 rule has already established the program structure and certification levels.
- The 48 CFR/DFARS Acquisition Rule is the piece that operationalizes CMMC by embedding it into contracts through a phased rollout plan.
- Depending on the type of information you handle, you may need a Level 1 self-assessment (for FCI), third-party Level 2 certification (for sensitive CUI).
- Certification is required at the time of award. Flow-down obligations apply. If you’re a subcontractor or service provider handling FCI or CUI, you’ll also be required to meet the appropriate level of CMMC. Primes will be responsible for ensuring each subcontractor has the appropriate level of CMMC.
Why It Matters for DoD Contractors
For DoD business owners, the message is clear: “No certification, no contract.” Without the right CMMC level, you may not be eligible to be awarded or renew contracts. And because requirements will phase in starting, November 10, 2025. Waiting until the last minute creates unnecessary risk.
The DoD has also made it clear that many companies handling CUI will need third-party validation and that certification requirements will phase in over the next several years, increasing in scope as time goes on. That means the most proactive contractors will be the best positioned to stay competitive.
How to Prepare Now
We know this change raises big questions: What does CMMC really mean for my business? How do I prepare without overspending? What will assessors be looking for?
That’s why we’re hosting the CMMC-PNW 2025 Conference, a two-day conference designed to bring clarity, strategy, and expert guidance to defense contractors across the Pacific Northwest.
What you’ll take away:
- Practical clarity on how FCI and CUI obligations translate into CMMC activities, documentation, and validation
- How to scope your environments, plan enclaves, and sequence remediation to control cost and risk while staying eligible
- Readiness steps for internal self-assessments and third-party assessments, including what evidence matters most and pitfalls to avoid
CLICK HERE For More Details About the Conference and To Reserve Your Ticket
The bottom line: The 48 CFR CMMC Acquisition Rule has been published with enforcement to follow soon. The organizations that take steps now will be ready to protect their contracts and lead the way, now that CMMC 2.0 has become reality.