CMMC Is Here: Enforcement Begins Nov 10—What This Means to GovCons with FCI & CUI
The U.S. Department of Defense (DoD) has officially published the final CMMC Acquisition Rule, 48 CFR / DFARS 252.204-7021, in the Federal Register. The rule goes into effect November 10, 2025, just 60 days from publication.
July 22, 2025 marked a major milestone when the rule was submitted to OIRA for review. It cleared review in just 24 business days, was available for public inspection on September 9th, and published officially on September 10th.
For the first time ever, contracting officers can enforce CMMC requirements at the time of contract award or extension. If you’re a government contractor handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), this rule applies to you. And the clock is ticking.
What’s Changing?
Starting November 10, 2025, CMMC requirements can appear in solicitations and be enforced at award. If you’re not compliant or haven’t posted the right self-assessment or certification in SPRS, you could be ineligible.
This applies to:
- Prime contractors and subcontractors
- Any government contractor that processes, stores, or transmits FCI or CUI
- All government contracts except those solely for COTS (Commercial Off-The-Shelf) items
Implementation Timeline: A Four-Year Rollout
To address ecosystem ramp-up issues, the DoD will implement CMMC through a phased approach that scales over time, giving contractors time to adapt while the DoD gradually moves to full enforcement across its supply chain.
| Phase | Start Date | Requirements Introduced |
| --- | --- | --- |
| Phase 1 | Nov 10, 2025 | Contractors will need to complete and post a self-assessment (for Level 1 or Level 2) in the government's SPRS system. In some cases, the DoD might require a third-party certification (C3PAO) for Level 2 contracts. |
| Phase 2 | Nov 10, 2026 | The government will start requiring formal third-party certifications (C3PAO) for Level 2, indicated in certain contracts. Some contracts will also start asking for Level 3 certification for highly sensitive programs. |
| Phase 3 | Nov 10, 2027 | For all relevant contracts, Level 2 (C3PAO) certification will now be required. For high-priority contracts and programs deemed critical by the DoD, CMMC Level 3 will be included in solicitations as a condition of award. |
| Phase 4 | Nov 10, 2028 | The rule will apply to all new DoD contracts and renewals of older contracts. Full implementation and enforcement of all CMMC levels ensues across the defense supply chain. |
Compliance Requirements to Prepare For
For small to medium-sized businesses, it is especially important to act now and plan early as enforcement will scale quickly over the next 36 months.
Contractors should expect to meet the following core requirements prior to pursuing or extending contracts involving FCI or CUI:
- Implement required NIST security controls across all systems that store, process, or transmit FCI or CUI. CMMC does not add new requirements — it enforces those already established in FAR 52.204-21 and DFARS 252.204-7012.
- Post a self-assessment in SPRS for each covered information system at CMMC Level 1 or Level 2 (self).
- Include the CMMC Unique Identifier (UID) for every applicable information system in all proposals.
- Maintain an active CMMC status for the life of the contract. Compliance is not a one-time event.
- Verify subcontractor compliance to the same level prior to award.
- Engage a certified third-party assessor (C3PAO) when Level 2 certification is required.
Clarifying Roles: Who Decides What?
CMMC level requirements are not determined by contracting officers alone. They originate with program managers, based on whether the contract involves FCI or CUI and on factors such as the priority and critical nature of the DoD program.
What To Do Now
If you are a contractor or subcontractor in the DoD ecosystem, here’s how to prepare before enforcement begins:
- Assess and know your data. Determine whether you are handling FCI, CUI or both.
- Identify your CMMC level. Each contract will have different requirements. Understanding what level applies will inform next steps.
- Complete your CMMC Level 1 and CMMC Level 2 self-assessment and post it in SPRS.
- Coordinate with your primes. Subcontractors are subject to flow-down requirements and must meet the same CMMC level as the prime.
- If you are required to certify at Level 2, engage a Certified Third-Party Organization (C3PAO). The process takes time.
If you haven’t already, engage a trusted external services provider with proven CMMC expertise. A Managed Services Provider (MSP) like NeoSystems reduces risk, cost, and time-to-compliance by delivering a purpose-built secure workspace that is preconfigured, compliant-ready, and fully supported — eliminating the burden of building, maintaining, and securing an environment on your own.
Why NeoSystems is the Partner Contractors Trust
NeoSystems is the most trusted managed services provider for the defense industrial base and was one of the first providers in the ecosystem to certify at Level 2 with a perfect 110/110 score, demonstrating its unwavering commitment to cybersecurity and to upholding the highest cybersecurity standards and compliance for its clients.
NeoSystems offers a fully managed, CMMC Level 2-certified information system that arrives pre-configured, continuously monitored, and audit-ready, providing defense contractors with an accelerated, low-risk path to compliance without the operational overhead. NeoSystems CMMC Managed Services are purpose-built for your users, ready to deliver on your mission.
For government contractors with a select number of CUI users looking to skip the cost and complexity of building their own CUI-compliant environment, the NeoEnclave provides an affordable, flexible and accelerated path to achieving and maintaining compliance.
Closing
The publication of the final CMMC rule marks a formal shift in how the Department of Defense manages supply chain risk and cybersecurity across the Defense Industrial Base. The enforcement timeline is defined, the expectations are clear, and the responsibility lies with the contractors to act.
Preparing for CMMC takes time, but it’s not too late to begin. Organizations that act now—by aligning with a qualified managed services provider like NeoSystems—will be in the strongest position to succeed as enforcement begins.