Introduction
The long-awaited 48 CFR DFARS 7021 rule, which puts CMMC into contracts and makes it enforceable, was published on September 10, 2025. The rule will go into effect on November 10, 2025. This means that, starting November 10, 2025, CMMC requirements will begin to appear in new contracts through a phased roll-out period, as well as in Option years and period of performance (PoP) extensions awarded on/after November 10. In each circumstance, the solicitation or extension may require proof of a DIB member’s CMMC certification before an organization can receive the award. Primes, not beholden to the phased implementation, may require it of subcontracting partners earlier, even now, to ensure compliance and solidify their contract teams.
In this blog, we’ll explain more about what is happening and when, and offer some practical advice to help DIB companies benchmark and get started on their CMMC assessment and certification process.
What’s Happening
After years of refinement and procedural wrangling, CMMC is now fully authorized and implemented. It’s a big deal.
CMMC requirements will be introduced in contracts over a phased roll-out period, and contracts awarded on/after November 10 may require proof of a DIB member’s CMMC certification before an organization can receive the award. DIB members who already hold or are close to certification will have a competitive advantage in bidding on and securing these opportunities.
Those who are behind on certification may still be counting on the phased roll-out to help them. At this point, that is not a safe bet. CMMC’s three phases, correlated to its three levels of certification, will begin on the November 10 effective date. Each phase will run for one calendar year, with full implementation in all contracts at all levels by November 10, 2028. However, agency PMOs are allowed to require a particular certification Level before their phased implementation date if they deem it necessary. At Redspin, we have already seen solicitations in sam.gov with CMMC Level 2 requirements.
Some Practical Guidance
Here’s what defense contractors should be doing right now to stay ahead.
Ask Your KO. To determine if CMMC requirements will be included in a bid opportunity, DIB members should consult with their contracting officer (KO) for details or check on sam.gov. It will be very important to be well prepared when approaching a discussion with a KO. How to initiate that conversation will depend on your relationship with them and with the PMO. While they should already know what kind of CUI is in a contract, given the new rules, it makes sense to ask upfront when Level 2 or Level 3 certification may come into play.
Update your SPRS Score, Now. Level 1 certification will always be required at solicitation, at the start of an option year, and at a PoP extension on current contracts. Level 1 requires DIB members to already have their self-attestation score in the DoD’s Supplier Performance Risk System (SPRS). Make sure your score is accurate and up to date based on the Level 1 Assessment and Scoping guide. It’s also a good idea for contractors to understand what Level they need and to be familiar with the DoD
Team with the Right Partner. Additionally, DIB members who act as subcontractors to Primes, or subcontractors of subcontractors, should be prepared for , their updated/accurate SPRS score, and any proof that the sub is in the CMMC assessment “queue” with a C3PAO. In turn, subs should ask a Prime they are considering working with about that Prime’s status so as not to hitch themselves to an unqualified bidder.
Allocate Costs Correctly. DIB members who are now rushing to catch up on their CMMC qualification need to consider and manage the associated costs in two separate but equally important ways: implementation costs and assessment costs. Both costs can be built into contract bids. It may be helpful to seek professional guidance on the best way to do that. When implementing, select partners, or External Service Providers (ESPs), with existing CMMC experience to avoid wasting time and resources. For example, building a secure CUI enclave in the cloud is a faster and cost-effective option. However, if you work with an ESP, MSP or CSP that lacks CMMC experience, you may be provided with inaccurate information that could lead to a failed assessment, wasting time and budget.
The Best CMMC Advice Now?
CMMC is nothing new. Every defense contractor has had over seven years to prepare for it. This initiative only validates preexisting DFARS 7012 contractual requirements to which DIB members have been self-attesting compliance since 2017. It’s now time to prove it.
If you’re behind, start working with a C3PAO right away. Visit the Cyber AB Marketplace, put a list of potential expert service providers together, and start “shopping” them. Choose one that clearly knows their subject but that also has the “vibes” that will work with your team’s culture. Ask about their assessment experience and approach. Look for things like the number of CCAs and CCPs on their team, and whether they are vetted by the ecosystem, for example, whether they hold a place on the Cyber AB’s advisory council. Earn your certificate and then use it to your advantage.
Finally, get on an assessment schedule―now! Secure your spot based on your projected readiness date to avoid further delays. There are a limited number of assessors and their schedules fill quickly, so don’t slip further behind because you’re in a long queue.
CMMC represents a positive change for the DoD and for the entire DIB community. With the barrage of cyberattacks by nation-states and other actors, unfortunately, we are all targets. CMMC is an important step that will help protect our warfighters and your business. You’ve got this!
How Redspin Helps
We’ve helped hundreds of organizations prepare for CMMC—and we’re one of the first authorized C3PAOs.
Whether you need a readiness assessment, help fixing gaps, or support during your audit, our team can guide you through the process with zero guesswork.
Don’t wait until the RFP drops—start getting compliant now.