The Schellman Blog

The long-anticipated Cybersecurity Maturity Model Certification (CMMC) Final Rule, published on September 10, 2025, officially became effective November 10, 2025. This shift from voluntary guidance to mandatory, enforceable contract requirements under the Defense Federal Acquisition Regulation Supplement (DFARS) marks a turning point for every organization that supports the federal defense supply chain. This critical milestone also signifies that full implementation is just beginning.

In the latest revision of documents pertinent to the ongoing CMMC countdown, NIST SP 800-171 R3 has been released. Though there were only a handful of changes in this new version, there were some significant ones regarding the assessment practices and their presentation that those monitoring the progress of CMMC should know.

Known more commonly as NIST, the National Institute of Standards and Technology provides cybersecurity frameworks that not only are integral for many government and Department of Defense contracts but are also widely accepted as a solid launch point for most organizations’ cybersecurity efforts. Schellman has been operating in the federal compliance space for years as an accredited FedRAMP 3PAO, and now as a CMMC C3PAO. Over that time, we’ve helped many of our clients decipher the many NIST frameworks as they determined the right direction for them and their environment.

Cyber threats continue to escalate in both frequency and economic impact. Where earlier estimates from the U.S. Council of Economic Advisors placed the cost of malicious cyber activity to the U.S. economy between $57 billion and $109 billion in 2016, more recent data shows this threat has grown exponentially. In the U.S., these cyber threats are not a problem our government, and more specifically our military, can leave unchecked, particularly when it comes to the theft of valuable intellectual property and sensitive information from all industrial sectors. The potential backlash on our economic security and national security is too great, so action had to be taken. If you’re doing business in the Defense Industrial Base (DIB) sector, you will soon need to become CMMC certified. Within this newer program meant to protect information within the supply chain of the Department of Defense (DoD), there are three levels and their related assessments. If you’re wondering which level is right for you, don’t worry—in this article, we’ll explore the different levels of CMMC compliance you can achieve, but we won’t be able to do that without first addressing the critical importance of CUI. Then, you’ll understand how all these pieces fit together and have a better idea of which level is right for your organization and what to expect in the process.