skip to Main Content

Final CMMC Acquisition Rule Published: Phase 1 Begins November 10, 2025

After years of anticipation, delays, and revisions, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program is officially set to begin on November 10, 2025. Contractors now have only a short window left to prepare before the requirements begin appearing in defense contracts.

The DoD has officially published the final CMMC Acquisition Rule, setting the stage for the phased rollout of CMMC 2.0 requirements across the Defense Industrial Base. This marks a significant milestone in strengthening supply chain cybersecurity and ensuring consistent protections for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The program’s final rule took effect in December 2024, with the acquisition regulation that enforces it — the 48 CFR rule — released and published in September 2025. On November 10, the 48 CFR rule will take on full effect, enforcing CMMC requirements to officially start appearing in solicitations and contracts.

DoD's Final CMMC Acquisition Rule yellow banner

Reference: Department of Defense CIO official site

Phase 1 Implementation: Self-Assessments Begin

The first phase of CMMC implementation will begin on November 10, 2025. At this stage, organizations will be required to complete self-assessments of their cybersecurity practices, with results entered into the Supplier Performance Risk System (SPRS). Importantly, contractors must also remember to submit affirmations along with their self-assessments. Missing affirmations can jeopardize compliance status, even if a self-assessment score has been reported.

What This Means for Contractors

With the first deadline quickly approaching, contractors should begin preparing now by:

The phased approach provides breathing room, but it also signals that CMMC enforcement is no longer a future concept—it is happening, and organizations that delay preparation risk falling behind.

Preparing for CMMC with RegDOX’s CCE

As contractors update their compliance strategies ahead of Phase 1, many are looking for practical, unified ways to manage CUI and meet DFARS, NIST, and CMMC requirements simultaneously. RegDOX’s Compliant Cloud Environment (CCE) provides exactly that—a secure, FedRAMP Moderate-equivalent platform built within AWS GovCloud to simplify compliance and collaboration.

Our latest blog post, Part 3: Inside RegDOX’s Solution – How the Compliant Cloud Environment (CCE) Excels, explores how CCE integrates storage, applications, access control, and auditability into a single environment designed for federal contractors. Learn how this secure cloud foundation supports CMMC readiness, reduces compliance complexity, and ensures data protection at every stage.

CMMC Implementation Timeline

The Department of Defense has laid out a structured, four-phase timeline for CMMC 2.0, giving contractors a clear roadmap of when requirements will take effect and how they will expand over time.

  • Phase 1: Initial Implementation (Begins November 10, 2025) – The first phase marks the official launch of the CMMC program. Beginning on November 10, 2025, solicitations will start to include requirements for Level 1 and Level 2 self-assessments, where applicable. Contractors will be expected to complete these self-assessments and enter both their results and affirmations into SPRS. This phase emphasizes accountability while giving organizations time to adapt to the new structure without the immediate pressure of third-party certifications.

 

  • Phase 2: Level 2 Certification Requirements (Begins November 10, 2026) – One year later, CMMC requirements expand to include Level 2 certifications. Where applicable, solicitations will require contractors to demonstrate a valid Level 2 certification rather than relying solely on self-assessments. However, the Department of Defense has built flexibility into this phase: in some cases, the Level 2 certification requirement may be delayed and applied later in an option period of the contract. This staggered approach gives companies additional time to undergo formal third-party assessments while still maintaining eligibility for awards.

 

  • Phase 3: Level 3 Certification Requirements (Begins November 10, 2027) – By Phase 3, the bar is raised again. Solicitations will begin to require Level 3 certifications for contracts involving the most sensitive information and mission-critical environments. As with Level 2, the DoD reserves the option to delay the Level 3 certification requirement until an option period of the contract. This flexibility helps ensure that organizations have sufficient time to undergo the more rigorous, government-led assessments required at Level 3.

 

  • Phase 4: Full Implementation (Begins November 10, 2028) – Phase 4 represents the final stage of the rollout, where CMMC is fully integrated into the acquisition process. Starting November 10, 2028, all solicitations and contracts will include applicable CMMC Level requirements as a condition of award. At this point, CMMC will no longer be a phased requirement but a permanent fixture in defense contracting. Contractors will be expected to demonstrate compliance at the appropriate level as part of doing business with the Department of Defense.

By the end of Phase 4 in November 2028, CMMC will move from a gradual rollout to a fully enforced requirement across all defense contracts, making early preparation critical for long-term success.

Early Implementation Possibilities

It is also important to note that in some procurements, the DoD may implement CMMC requirements ahead of the planned phase dates. This means that while the phased approach provides a roadmap, contractors should not assume they have until the official milestone to prepare. Early adoption in select contracts will likely be used to strengthen supply chain security and test readiness among contractors sooner than anticipated.

About RegDOX

At RegDOX Solutions Inc., we help defense contractors and high-security organizations simplify compliance with ITAREARDFARSNIST SP 800-171, and CMMC requirements. Our secure, cloud-based platforms combine end-to-end encryptionaccess controls, and audit-ready documentation to keep your data—and your contracts—safe.

Need help navigating evolving cybersecurity regulations?

Request a Compliance Demo
Or contact us directly at info@regdox.com

Click to rate this post!
[Total: 0 Average: 0]

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top