CMMC Final Rule: Let’s Break Down the Details and Timelines to Know
The Department of Defense has cleared the last big hurdle for the Cybersecurity Maturity Model Certification (CMMC) rollout. The 48 CFR rule has officially been finalized, and here’s what that means in plain terms.
The Big Dates You Need to Know
- November 10, 2025 → The rule takes effect. Starting this date, the DoD can put self-attestation requirements for Level 1 and Level 2 contracts directly into solicitations.
- November 10, 2026 → One year later, Level 2 certification requirements can show up in contracts.
You can check out the rule here
What Phase 1 Means
Starting November 10, 2025, the DoD can include CMMC self-attestation requirements for both Level 1 and Level 2 in new solicitations and contracts. Even solicitations issued before that date may carry the requirement if the contract hasn’t been awarded yet. From that point forward, contractors will need to have a Conditional or Final Level 2 self-assessment completed and posted in the Supplier Performance Risk System (SPRS) in order to be eligible for award. This gives contracting officers the authority to reject bids that don’t meet CMMC requirements, effectively making self-attestation a gate to winning DoD contracts.
Why This Matters
The finalization of the 48 CFR rule shifts CMMC from planning to enforcement. It means dates are locked, requirements are official, and the DoD can begin holding contractors accountable. For organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), this is the starting point to ensure self-assessments are completed, SPRS records are accurate, and compliance programs are in place.
Put simply: without preparation, contractors risk losing out on new opportunities once the rule goes live.
Final Thoughts
The release of the 48 CFR rule marks the final step in turning CMMC into a binding contract requirement. With Phase 1 kicking off in November 2025, contractors and subcontractors have a clear timeline for when self-attestation becomes essential and when certification will follow.
The message from DoD is clear: cybersecurity is now a condition of doing business.
Organizations that invest the time now to prepare their assessments, update their SPRS entries, and strengthen their security posture will be best positioned to compete when these requirements take hold.
We Can Help
Tevora is an accredited Cybersecurity Inspector for conducting NIST 800-171 services and a Registered Practitioner Organization (Learn more here). We can help you plan for and attain CMMC certification through our expert CMMC consulting.
If you have questions about CMMC 2.0, or would like help preparing your organization to comply with the new CMMC framework, just give us a call at (833) 292-1609 or email us at [email protected].
Tevora Resources
Want the latest in CMMC content? Direct link to our CMMC-specific resources.



