Key Takeaways
- Defense contractors must achieve Cybersecurity Maturity Model Certification (CMMC) compliance to remain eligible for Department of Defense (DoD) contracts beginning November 10, 2025.
- The CMMC program will phase in from 2025 through 2028, with escalating requirements across Levels 1, 2 and 3 certifications.
- Contractors should engage with CMMC Third-Party Assessment Organizations early to help avoid certification delays and lost contract opportunities.
The long-anticipated second rule making the Cybersecurity Maturity Model Certification (CMMC) a reality has been published in the Federal Register as of September 10, 2025. This rule, 48 Code of Federal Regulations (CFR) 7021, gives government contracting officers the ability to insert CMMC requirements into new contracts, option years and contract modifications going forward. This follows the publication of 32 CFR 170, which went into effect on December 16, 2024 and created the CMMC program in regulation.
Significance of the New Rule
Effective November 10, 2025, the CMMC program becomes fully operational, empowering contract officers at the Department of Defense (DoD) to insert CMMC requirements into contracts at that time. All CMMC Level 2 certifications to date have been voluntary, whereby defense contractors have chosen to become certified in advance of any contract requirements. Once the program becomes fully operationalized on November 10, 2025, CMMC contractual requirements must be met prior to taking award of a contract.
Levels of the CMMC Program
| Level | Applies To | Percentage of Defense Industrial Base It Applies To | Requirements |
|---|---|---|---|
| CMMC Level 1 | Defense contractors in receipt of Federal Contract Information (FCI) | 100% | Implement the 15 basic safeguards in Federal Acquisition Regulation (FAR) 52.204-21. Perform an annual self-assessment. An Affirming Official must attest to compliance annually. |
| CMMC Level 2 | Defense contractors in receipt of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) | 36% | Implement the 110 requirements and 320 underlying assessment objectives in National Institute of Standards and Technology (NIST) Special Publication 800-171r2. Most contractors subject to CMMC Level 2 requirements will need to hire a CMMC Third-Party Assessment Organization (C3PAO) to certify them to Level 2. Certifications are valid for three years. A small percentage, those who do not receive covered defense information, will only be required to self-assess against Level 2. All contractors subject to CMMC Level 2 must have an Affirming Official attest to compliance annually. |
| CMMC Level 3 | Defense contractors in receipt of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and whose work or whose CUI is particularly sensitive to the Department of Defense | 0.84% | Implement the 110 requirements and 320 underlying assessment objectives in NIST Special Publication 800-171r2. Obtain a CMMC Level 2 certification from a CMMC Third-Party Assessment Organization (C3PAO). Certifications are valid for three years. Implement 24 additional requirements from NIST SP 800-172. Request a certification from the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) once the additional requirements are implemented. |
CMMC Requirements Will Phase In
Phase 1 – Begins on the effective date of the 48 CFR part 204 CMMC acquisition rule, which is November 10, 2025. The DoD will include CMMC self-assessment requirements for all solicitations and as a condition of award.
Phase 2 – Begins one calendar year following the start of Phase 1 or November 10, 2026. In addition to Phase 1 requirements, DoD intends to include requirements of CMMC certification for “applicable DoD solicitation and contracts.”
Phase 3 – Begins one calendar year following the start date of Phase 2 or November 10, 2027. In addition to previous requirements, DoD intends to include the requirement for CMMC certification for all DoD solicitations and contracts and as a condition to exercise an option period. This phase also includes CMMC Level 3 requirements for applicable contractors.
Phase 4 – Begins one year following the start of Phase 3 or November 10, 2028. Full implementation – DoD will include CMMC program requirements in all solicitations and contracts including option periods as part of Phase 4.
Contractors’ Next Steps
Defense contractors with existing contractual obligations in FAR 52.204-21 (equating to CMMC Level 1) and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 (equating to CMMC Level 2) should continue to implement the requirements specified in those clauses. CMMC self-assessment requirements will be part of every solicitation, effective November 10, 2025. It is critically important that contractors understand the entirety of what is required under these standards by referencing the companion assessment guides for both CMMC Levels 1 and 2. The assessment guides contain all of the detailed requirements an assessor will be looking for in a CMMC Level 2 certification context and represent the criteria to self-assess when your CMMC obligation is merely a self-assessment. Contractors who are expecting CMMC Level 3 requirements have until Phase 3 or November 10, 2027 before those requirements are expected to be enforced.
Why This Matters Beyond Compliance
The activation of 48 CFR 7021 does more than add another requirement to your checklist. It marks a shift in how the DoD views its contractors: cybersecurity is no longer a technical detail; it is a condition of trust.
For contractors, the message is clear. Without certification, you won’t just face delays; you will be shut out of opportunities. With assessment organizations already stretched thin, waiting until the last minute is a real gamble. That is why contractors should begin engaging with C3PAOs and trusted advisors now, before the backlog makes timely certification impossible.
PKF O’Connor Davies Services for the Defense Industrial Base
PKF O’Connor Davies is both a C3PAO and a Registered Provider Organization (RPO). We work with defense contractors to not only meet the letter of the requirements but to build programs that stand up to real-world scrutiny. That includes gap assessments, System Security Plans, policies and procedures, evidence collection and certification-ready documentation sets. As a C3PAO, we are also authorized to conduct the independent certification assessments required under CMMC.
Because we’ve been working with these standards from the start, we understand where contractors struggle most and how to strike the right balance between compliance, cost and practicality. Depending on the engagement, our role may be as your independent auditor or as your advisor, always with the goal of helping you achieve certification while making smart, sustainable investments in security that strengthen your business long after the audit is over.
Contact Us
We welcome the opportunity to answer any questions you may have related to this topic or any other matters relative to cybersecurity and privacy. Please contact your PKF O’Connor Davies client service team or either of the Cybersecurity and Privacy Advisory team members below:
Thomas J. DeMayo, CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCFE
Partner
Cybersecurity and Privacy Advisory
tdemayo@pkfod.com | 646.449.6353
Nick DeLena, CISSP, CISA, CRISC, CDPSE, CMMC-CCP
Partner
Cybersecurity and Privacy Advisory
ndelena@pkfod.com | 781.937.5191