September 10, 2025
It's here! 48 CFR (CMMC implementation rule) published, takes effect Nov 10
The rule was published this morning, and the updated DFARS 7021 clause and the new 7025 clause can start showing up in new contracts beginning Nov 10. Important points:
What's the timeline? Here's the final version of the phased rollout:
| Date | Requirement |
| --- | --- |
| November 10, 2025 | DoD contracts to require self-assessment and affirmation for both L1 and L2 at the time of award |
| November 10, 2026 | Official L2 certification required for new contracts |
| November 10, 2027 | Official L2 certification required to exercise options on contracts awarded prior to the effective date of the rule; official L3 certification required for new contracts |
| November 10, 2028 | Official L2 and/or L3 certifications required for all options on all contracts that involve CUI |
Some contracts or all contracts? That is still up in the air. DoD has been contradicting itself on this point for months now, and the final rule is no different. The preamble states: "During the first three years of the phased rollout, the CMMC requirement will be included only in certain contracts for which the CMMC Program Office directs DoD component program offices to include a CMMC requirement." That sounds like really good news. But the regulatory text itself, at 204.7504, says "if the program office or requiring activity determines that the contractor is required to have a specific CMMC level," so in practice it looks like it really will be up to the discretion of the contracting officer (KO).
What else do I need to know? Several things. First, this definition:
Cybersecurity Maturity Model Certification unique identifier (CMMC UID) means 10 alpha-numeric characters assigned to each CMMC assessment and reflected in the Supplier Performance Risk System (SPRS) for each contractor information system.
Your assessment (whether self or official) is not for your organization as a whole, it is for the specific information system that was assessed. Each system will be assigned a unique CMMC UID and this must be specified in proposals and will be identified in contracts. If you work with other organizations in joint ventures, this is something you will need to correctly address.
Remember that even self-assessments must be conducted the same way as an official assessment. You have to use the Assessment Guides, you must meet every Assessment Objective (AO) in order to mark a control MET, and you have to produce evidence for each AO (and that evidence must be retained for 6 years). This applies to both L1 and L2.
If you work as a subcontractor, keep in mind that primes can require of their subs more than is required in their contract. Many of the big primes have been pushing hard for a long time, so expect them to start requiring CMMC compliance immediately.
What's the first thing I need to do? Start working on your L1 self-assessment! Many people expect this to be required in pretty much all contracts from the get-go, and self-assessing L1 is more difficult than many people realize. I'll be running two virtual workshops next month that will give you the tools you need to self-assess L1.
Meanwhile, don't panic, but do ask for help.
Sincerely,
Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

