CMMC is Now Law: What Small Businesses Need to Know

By Scott Dawson
September 10, 2025

The Department of Defense (DoD) has finished the process and will now require the Cybersecurity Maturity Model Certification (CMMC) for defense contracts. On September 9, 2025, the 48 CFR CMMC final rule was released for public inspection. On September 10, 2025, the rule was officially published in the Federal Register. Sixty (60) days later, on November 10, 2025, the rule officially goes into effect. From that day forward, all new DoD solicitations and contracts will include some level of CMMC requirement as a condition of contract award.

On August 25, 2025, the Office of Information and Regulatory Affairs (OIRA) finalized its review of the CMMC Final Rule (48 CFR). This was the final step before organizations could put it into action.

This quick review took just over 34 days, much faster than the usual 90-day process. It shows how urgently the federal government is treating cybersecurity. Protecting the defense supply chain is now a top priority.

For small businesses working as prime contractors or subcontractors, the clock is ticking. CMMC requirements will begin appearing in contracts as early as November 2025.

What Is the CMMC Title 48 CFR Rule?

The 48 CFR rule formally authorizes contracting officers to include CMMC requirements in solicitations and contracts. It:

  • Adds the DFARS 252.204-7021 clause to contracts.
  • Grants contracting officers the authority to enforce CMMC language.
  • Initiates the four-phase rollout of the CMMC program.

CMMC 48 CFR Rule Start Date: It may take effect right after publication or within 60 days. The rule is expected to be published September 10, 2025.

The technical requirements (NIST SP 800-171 controls) have been in place since December 2024 under 32 CFR Part 170. The 48 CFR rule makes these requirements enforceable.

What Happens Next—And How Fast?

The timeline for small businesses is tighter than most expected:

  • Federal Register publication: September 10, 2025
  • Effective date: November 10, 2025
  • All new solicitations will begin including CMMC requirements tied to the type of information handled—whether Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or Critical Technical Information (CTI).

The reality check: Unlike earlier cybersecurity requirements that allowed for grace periods, CMMC’s rollout offers no extensions or exceptions. If you’re not compliant, you risk being excluded from opportunities right away.

Why This Matters for Small Businesses

For most small defense contractors, CUI protection is the make-or-break requirement. Achieving CMMC Level 2 certification means proving you’ve implemented all 110 controls and 320 objectives outlined in NIST SP 800-171.

Here’s what’s already happening in the supply chain:

  • Prime contractors are not waiting. Many are requiring CMMC readiness attestations from their subcontractors now, in the months before the official rollout.
  • Opportunities will shrink quickly. If you’re not prepared, you’re not just at risk of losing future contracts—you could lose current partnerships.
  • Time is short. On average, small businesses need 9–12 months to implement controls, remediate gaps, and pass a C3PAO assessment.

The Four-Phase Rollout

CMMC will be rolled out in phases, beginning on November 10, 2025. Contracting officers have discretion to require CMMC certification as early as Phase 1. That means some small businesses will see CMMC requirements within just weeks of the rule’s publication.

What You Should Do Next

For small businesses, the message is clear: start now or risk being left behind. Here’s our guidance as a Registered Practitioner Organization (RPO):

  • Conduct a gap assessment. Know where you stand against NIST SP 800-171.
  • Prioritize remediation. Address the critical controls first—multi-factor authentication, logging and monitoring, and documented security policies.
  • Engage with experts. Partnering with an RPO like Core Business Solutions ensures you follow the right path and avoid costly delays.

Final Word

The wait is over. With the 48 CFR rule cleared for publication, CMMC compliance is no longer a future concern—it’s an immediate business imperative.

For small businesses in the defense industrial base, this is your defining moment: act now to protect your contracts, strengthen your partnerships, and position your company as a trusted, secure partner to the DoD.

Core Business Solutions is here to guide you every step of the way. To learn more about how Core can help you prepare, visit our CORE Vault, CUI Enclave page.

Core Business Solutions, established in 2000, is a Registered Practitioner Organization through the Cyber AB and has been providing consulting and technical solutions for NIST/CMMC for over 5 years. Rick Krick is the Director of Security Solutions for Core Business Solutions and directs our Cybersecurity Services solutions including CMMC. Rick has over 25 years of experience in Management System implementations, software development, IT services, and certifications.
