Big news for the Defense Industrial Base. DoD just published the long-awaited final rule in Title 48 CFR (DFARS), the CFR 48 CMMC Final Rule, to implement the Cybersecurity Maturity Model Certification (CMMC) in contracts. The rule appears in the Federal Register today (September 10, 2025) and becomes effective 60 days after publication, on November 10, 2025. (Sources: Federal Register Public Inspection; National Defense Magazine)
Fast facts
- CMMC is now contract language. Contracting officers must check SPRS and cannot award if an offeror lacks a current CMMC status at or above the level required for each in-scope information system.
- You’ll see a clause and a provision: DFARS 252.204-7021 (contract clause) and DFARS 252.204-7025 (solicitation provision).
- POA&Ms are time-boxed. For Levels 2 and 3 only, awards may proceed with Conditional status—but you get 180 days to close valid POA&Ms to reach Final status.
- Commercial is covered (COTS excluded). The rule reaches commercial products/services and even awards at or below the Simplified Acquisition Threshold (SAT), except COTS.
- Subs are in scope. Primes must flow down CMMC and ensure subs have a current status at the appropriate level before award.
When will CMMC show up in contracts?
DoD will phase in requirements using a four-phase plan beginning 60 days after today’s publication. Plan on seeing CMMC language in new solicitations and awards as early as November 10, 2025, with coverage increasing through each phase. (Sources: Defense CIO; National Defense Magazine)
What level do you need?
- Level 1 (FCI): Annual self-assessment + yearly affirmation.
- Level 2 (CUI): 110 controls (NIST SP 800-171). Either C3PAO certification or self-assessment as specified; annual affirmation.
- Level 3 (high-priority CUI): Additional practices (aligned to NIST SP 800-172); DIBCAC certification + annual affirmation.
(Assessment types and the phased rollout are detailed by the DoD CIO.)
A practical 30-day readiness plan
Week 1 — Scope smart. Map contracts/opportunities by FCI vs. CUI and define the systems in scope; you’ll need a CMMC UID in SPRS per in-scope system.
Week 2 — Close the gaps.
- L1: Implement the 15 FAR safeguards; gather evidence.
- L2: Finish NIST 800-171 implementation; harden MFA, logging, access control, IR. Update SSP, policies, inventories.
Week 3 — Make it visible. Post results/scores to SPRS (as applicable) and complete the annual affirmation. If you need L2 certification, get on a C3PAO calendar. (Source: Federal Register Public Inspection)
Week 4 — Sustain. Stand up quarterly control reviews, an affirmation cadence, POA&M closeout discipline, and subcontractor verification workflows aligned to the new clause.
Join our live briefing next week
How this CFR 48/DFARS rule will affect your company (and what to do now)
We’ll walk through real timelines, SPRS pitfalls, subcontractor flowdown, and how to prioritize POA&Ms.
How Capitol 50 can help
- CMMC Readiness Sprint (4 weeks): Scope, gap, roadmap, evidence, SPRS support
- Supply-Chain Alignment: Subcontract language, questionnaires, verification cadence
- Certification Coaching (L2/L3): Artifact prep and C3PAO/DIBCAC readiness
- Program Sustainment: Annual affirmation, internal audits, POA&M closeouts