
What to Know About the CMMC Final Rule: Key Changes and How to Prepare

Published: Feb 4, 2026

The long-anticipated Cybersecurity Maturity Model Certification (CMMC) Final Rule, published on September 10, 2025, officially became effective November 10, 2025. This shift from voluntary guidance to mandatory, enforceable contract requirements under the Defense Federal Acquisition Regulation Supplement (DFARS) marks a turning point for every organization that supports the federal defense supply chain. This critical milestone also signifies that full implementation is just beginning.

In this article, we’ll explain the implications of the CMMC Final Rule, why it’s important for defense contractors, and steps to take now to prepare for compliance.

What is the CMMC Final Rule?

The CMMC program was first proposed in 2020 to standardize cybersecurity across the defense industrial base (DIB). The Department of War (DoW) then introduced an updated version, known as CMMC 2.0, in 2021 to simplify and align the program with NIST SP 800-171. In October 2024, the DoW issued the CMMC Program Rule (32 C.F.R. Part 170), which became effective that December and established the framework and oversight structure.

The final DFARS amendment took place in September 2025, making CMMC a contractual, legally binding requirement across applicable defense contracts. Compliance with CMMC is now tracked through annual affirmations of continuous compliance posted in the Supplier Performance Risk System (SPRS), signaling the need for ongoing adherence.

There are three CMMC levels:

Level 1: Basic safeguarding of Federal Contract Information (FCI)

Level 2: Advanced protection for Controlled Unclassified Information (CUI), aligned with NIST SP 800-171

Level 3: Expert protection for sensitive CUI, aligned with NIST SP 800-172

Why the CMMC Final Rule Matters for Defense Contractors

As of November 2025, contracting officers must include CMMC clauses in solicitations and enforce compliance verification through SPRS. Enforcement of the CMMC Final Rule applies to all contractors and subcontractors within the DoW supply chain that handle FCI or CUI. The DoW will introduce requirements across solicitations in four stages over a three-year phased rollout, detailed below. Despite this gradual enforcement approach, early preparation remains urgent.

Companies that fail to maintain a current CMMC status will be ineligible for new contracts, renewals, or option exercises. This presents business risk for organizations that are not ready before the phased rollout reaches their current contract obligations and future business opportunities. Conversely, organizations that achieve CMMC certification early will gain a competitive advantage by demonstrating reliability and security maturity to government partners.

CMMC Phased Implementation Timeline and Requirements

| Phase | Timeline | Requirements |
| --- | --- | --- |
| Phase 1 | November 10, 2025 - November 9, 2026 | Programs can choose to include CMMC clauses. Focus should be on self-assessments in Level 1 and Level 2 as conditions of award for applicable contracts. |
| Phase 2 | November 10, 2026 - November 9, 2027 | Requirements expand to Level 2 Third-Party Certifications (C3PAO) in applicable contracts. The DoW has the discretion to include Level 3 (DIBCAC) requirements. |
| Phase 3 | November 10, 2027 - November 9, 2028 | Requirements expand to Level 2 (C3PAO) and Level 3 Certification (DIBCAC) mandates for applicable contracts. |
| Phase 4 | Beginning November 10, 2028 | CMMC requirements become mandatory across all applicable DoW contracts. |

During the first three years (and phases) of this rollout, programs have the discretion to decide when and how to include CMMC requirements, meaning some may require Level 2 or Level 3 certification at any point. Given this variability, contractors should proactively prepare for potentially accelerated requirements.

How to Prepare for CMMC Compliance

Organizations should start preparing now to ensure they don’t miss out on any contracts due to lack of compliance and to avoid a last-minute scramble as the rule begins to take effect.

Below are strategic steps to prepare for compliance with the CMMC Final Rule:

1. Perform a Gap Assessment

Conduct an inventory of all of your information systems handling FCI or CUI and define your CMMC assessment scope. Benchmark your existing controls against your required CMMC level and identify and remediate gaps early on in the process.

2. Train and Mobilize Stakeholders

CMMC compliance needs to be an organization-wide effort, requiring cross-team collaboration. Ensure leadership, IT, procurement, legal, and compliance teams understand the new obligations, reporting requirements, and enforcement timeline. Identify and designate personnel who will be responsible for ensuring annual affirmation of continuous compliance. Engage leadership teams for strategic decision-making and resource allocation with CMMC requirements in mind.

Ensure that internal processes are established and monitored across teams. Review current and pending DoW contracts for CMMC requirements and ensure proposals feature all necessary information. Monitor solicitations for awareness of required CMMC Levels. Establish a process to ensure subcontractors also comply with CMMC requirements at the necessary level and update subcontract templates accordingly.

3. Engage a Trusted Partner

Partner with a Registered Provider Organization (RPO) or Certified Third-Party Assessment Organization (C3PAO), like Schellman, for readiness reviews, certification planning, and formal assessments.

4. Implement Continuous Monitoring

Establish internal processes to sustain compliance year-round, including logging, incident response, and documentation updates for annual affirmations. Contractors must also ensure that their information systems are tracked in SPRS using a CMMC Unique Identifier (UID), a 10-character code assigned after an assessment submission that must be provided to contracting officers with proposals.

As you plan for the rollout, monitor DoW guidance for updates as the phased implementation progresses. Failure to comply will become a barrier to entry, so preparation should begin now.

Moving Forward Toward CMMC Compliance

The CMMC Final Rule signals that cybersecurity is a contractual foundation of the DoW supply chain. For contractors, the path forward requires moving from compliance planning to actionable, verified readiness.

Organizations should invest now in assessments, training, and continuous monitoring to not only meet federal requirements, but to strengthen their overall security posture and position themselves as trusted partners.

To learn more about preparing for CMMC certification or beginning your compliance journey, contact us today. In the meantime, discover additional helpful insights here:

About Todd Connor

Todd Connor is a Senior Associate with Schellman based in Jacksonville, FL. Prior to joining Schellman in 2022, Todd worked as a technology manager for a maritime shipping company responsible for architecting and developing their NIST / CMMC compliance program. Todd has over twenty years of information technology leadership experience across various industries including transportation & logistics, pharmacy benefits management, retail pharmacy and big-box retail, during which time, he has been responsible for responding to NIST 800-171, HIPAA, PCI, ISO and Sarbanes Oxley audits. Todd is now focused primarily on Schellman’s FedRAMP practice, specializing in CMMC compliance for organizations across various industries.