The Pentagon’s final DFARS rule implementing the Cybersecurity Maturity Model Certification (CMMC) takes effect on Nov. 10, 2025. Starting on that date, contracting officers can require a current CMMC status in solicitations and awards, making cybersecurity certification a condition of doing business with the Department of Defense.

DoD plans a phased rollout over three years. Early phases emphasize self-assessments, particularly for Level 1 and some Level 2 work, while later phases expand third-party certifications at Level 2 and fully mature program requirements. The approach is intended to give small and midsize firms time to prepare and to scale assessor capacity.

At award time, contracting officers will check the Supplier Performance Risk System (SPRS). If a bidder does not have a current CMMC status at the level required by the solicitation for the systems used in performance, the award cannot be made. That turns CMMC into a practical gate: eligible or not.

For Levels 2 and 3, the rule allows a conditional status for up to 180 days so contractors can close approved Plans of Action and Milestones (POA&M) after award. Miss the deadline and the conditional status expires – a critical planning consideration for firms that are nearly ready.

Scope matters. CMMC can apply to commercial products and services and to buys below the simplified acquisition threshold. Contracts or orders exclusively for commercially available off-the-shelf (COTS) items are excluded.

The local stakes are high. As Puget Sound Naval Shipyard advances the Shipyard Infrastructure Optimization Program (SIOP), primes and subs will increasingly require partners who already have the right CMMC level – typically Level 1 for Federal Contract Information or Level 2 for Controlled Unclassified Information. Firms that lack a current SPRS status risk being sidelined from teaming and bid opportunities tied to shipyard modernization.

What to do now: determine your level, tighten your scope (many firms choose a focused CUI enclave), update your System Security Plan and any POA&Ms, and decide whether a self-assessment or a third-party certification is required for the solicitations you plan to pursue. Post your status to SPRS and plan for annual affirmations by your authorized official.

Local help is available next month at the CMMC-PNW 2025 Conference, Oct. 27–28 in Kitsap County. The two-day event brings local and national experts, along with DoD and Defense Logistics Agency officials, to explain requirements, scoping, assessments and how compliance maps to SIOP teaming. Information and registration: www.CMMC-PNW.com

Bottom line: Nov. 10, 2025, starts the clock. For Kitsap’s contractors, CMMC is no longer a future aspiration – it is a bid-eligibility requirement. Start early, align with primes and turn compliance into a competitive advantage.

Steve Treanor leads Help Desk Cavalry, a Kitsap County managed-service provider that has achieved CMMC Level 2 and is certified as a Cyber-AB Registered Practitioner Organization (RPO) to help Defense Industrial Base contractors prepare for CMMC certification.
