The final CMMC rule is here—enforcement starts November 10
After years of drafts, revisions, and shifting timelines, the Cybersecurity Maturity Model Certification (CMMC) program is no longer just a concept. It's a contractual requirement, and enforcement begins soon.
On September 9, 2025, the U.S. Department of Defense (DoD) released the final CMMC rule (48 CFR) for public inspection, with official publication in the Federal Register on September 10. From this point forward, all DoD contracts require some level of CMMC certification.
A turning point for defense contractors
Originally introduced in 2019, CMMC was designed to ensure defense contractors meet cybersecurity standards for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
While CMMC has existed as a draft framework for years, the final rule marks a shift from informal expectations to formal enforcement. With the publication of 32 CFR in late 2024, CMMC became official DoD policy. Now, with 48 CFR, it becomes an enforceable contractual requirement.
Starting November 10, contracting officers will no longer be able to award, renew, or extend contracts unless vendors meet the appropriate CMMC level.
What to expect next: Impact and requirements
DoD will roll out CMMC in four phases, with full enforcement by 2028. But certification clauses will start appearing in new solicitations and contracts starting November 10, 2025.
All DoD contractors will be required to demonstrate CMMC compliance, either through self-certification or a certified third-party assessment, depending on the type of data they handle:
- CMMC Level 1 (Self-Assessment): All organizations handling FCI must, at minimum, self-certify against the Level 1 requirements.
- CMMC Level 2 (C3PAO Assessment): Any company handling CUI will require a full assessment by a Certified Third-Party Assessor Organization (C3PAO).
- CMMC Level 3 (DIBCAC Assessment): Organizations supporting high-priority DoD programs must demonstrate an advanced cybersecurity posture, including additional NIST 800-172 controls, verified through a government-led assessment by DIBCAC.
This is a significant shift from the previous self-attestation model and is intended to ensure verified cybersecurity practices across the defense industrial base. Contractors will need to undergo a full third-party assessment or obtain a conditional approval with a remediation plan to remain eligible.
Plus, with fewer than 80 certified assessors available—and over 300,000 contractors expected to need certification—backlogs are a near certainty. This means the clock is already ticking. Companies that wait risk falling behind not just on compliance, but on contract eligibility and revenue.
How Vanta can help
We’re seeing a major shift toward enforcement that indicates the DoD expects a verifiable, audit-ready cybersecurity posture going forward. Vanta can help you prepare for CMMC, NIST 800-171, and FedRAMP requirements.
Through Vanta’s dedicated CMMC framework, teams can centralize their readiness efforts—mapping controls, identifying gaps, and automating evidence collection in one platform. With task tracking, document management, and integrations with tools like CrowdStrike, Jira, and AWS, we reduce the manual burden of compliance and help you move faster with less risk.
Vanta customers also get access to our network of trusted partners, including Registered Provider Organizations (RPOs) and C3PAOs, who can guide you through the full journey, from readiness to certification.
Plus, as part of our commitment to delivering government-grade security and helping customers meet the evolving expectations of public sector compliance, we recently became one of the first platforms to receive FedRAMP 20x Low Authorization.
If you haven’t started preparing, now’s the time. Vanta’s public sector experts can help you navigate what’s required, where to start, and how to get audit-ready before enforcement begins.
Ready to start your CMMC journey? Let’s talk.