The Transition from Policy to Law November 2025
As of November 10, 2025, the 48 CFR rule—often called the “CMMC Contract Rule”—goes into effect, officially embedding the Cybersecurity Maturity Model Certification (CMMC) into the Defense Federal Acquisition Regulation Supplement (DFARS).
This transition makes CMMC certification a legal requirement for defense contracts. In other words, compliance is no longer optional—it’s a condition of award for contracts across the Defense Industrial Base (DIB).
Scott Dawson, President of Core Business Solutions, and Rick Krick, Senior Cybersecurity Consultant and CMMC Lead, broke down what this shift means in practical terms during the company’s latest webinar, “CMMC is Now Law.”
Understanding the Legal Shift
Previously, CMMC existed as policy guidance under 32 CFR, outlining the certification framework. The new 48 CFR rule now empowers contracting officers to enforce CMMC requirements directly within federal contracts.
“The logistics are dealt with, and now we have to get certified,” Dawson said. “The path of ‘certify later’ is now closed to all traffic.”
Under the new rule:
- Contractors must be certified before a DoD contract award, not after.
- According to the Department of Defense, each organization will have a Unique Identifier (UID) in the Supplier Performance Risk System (SPRS) database.
- Top management must act as affirming officials, attesting annually to the accuracy of all data in SPRS—under penalty of the False Claims Act.
The Four-Phase Rollout: 2025–2028
CMMC enforcement will follow a phased implementation:
- Phase 1 (2025) – Level 1 and Level 2 self-assessments begin for selected contracts.
- Phase 2 (2026) – Third-party certifications become mandatory for more contracts.
- Phase 3 (2027) – Level 3 certifications are introduced for advanced contractors (roughly 2–3% of the DIB).
- Phase 4 (2028) – Full implementation across all contracts.
Although officially gradual, Dawson cautioned that clauses could appear in contracts “as soon as next week.” Early readiness remains key.
DoD Prime and Subcontractor Responsibilities
CMMC compliance isn’t limited to large contractors. Every organization in the supply chain—from primes to small subs—must meet requirements.
Prime contractors are now responsible for:
- Ensuring their own certification, and
- Flowing down compliance requirements to all subcontractors.
“The government is holding primes accountable to be certified—and accountable to hold their suppliers accountable,” Dawson explained. “If your supplier isn’t compliant, you can lose your contract.”
Primes must maintain internal databases to track supplier certifications, since they cannot directly access the government’s SPRS system.
CMMC Challenges for Small Businesses
Small subcontractors face steep challenges: limited budgets, fewer IT staff, and the complexity of managing 320 assessment objectives. But as Krick emphasized, scope reduction is the key.
“Keep your boundaries small,” he advised. “The larger your network, the greater your risk and cost. Solutions like Core Vault—a secure enclave in AWS GovCloud—can limit exposure and simplify compliance.”
Small businesses are encouraged to:
- Begin Level 1 or Level 2 CMMC compliance efforts immediately.
- Collect evidence to support SPRS scores.
- Use quarterly internal reviews rather than scrambling once per year.
- Assign clear ownership of compliance tasks within the organization.
Readiness Across the Defense Industrial Base
Industry surveys show that fewer than 1% of contractors are fully ready or certified. Many still have negative SPRS scores. Most organizations remain in the early stages of preparation, leaving the supply chain vulnerable as the rule takes effect.
To accelerate readiness, Core Business Solutions recommends:
- Starting with a gap assessment.
- Narrowing your Controlled Unclassified Information (CUI) scope using enclaves or dedicated environments.
- Leveraging automated compliance tools such as the Core Security Suite.
Maintaining Continuous CMMC Compliance
Certification is just the beginning. Continuous compliance means staying audit-ready year-round and protecting against real-world threats.
- Annual affirmations must be updated in the SPRS database.
- Quarterly internal audits are recommended to verify evidence for all 320 objectives.
- Use management systems (like those used for ISO 9001 or ISO 27001) to structure documentation, training, and internal reviews.
“You’ve got to stay ready,” Dawson said. “Attacks don’t wait until you’re prepared.”
Consequences of Non-Compliance
The stakes are high. The False Claims Act introduces potential fines, contract loss, and even legal penalties for misrepresenting compliance.
A single noncompliant supplier could jeopardize an entire prime’s contract. Therefore, it is essential to maintain clear documentation, audit trails, and secure logs.
Key Takeaways for American Small Businesses
- CMMC is now federal law—effective November 2025.
- Certification must precede contract awards. No “certify later” option remains.
- All contractors and subcontractors must comply; primes must track supplier status.
- Early action is critical—readiness gaps remain across the industry.
- Continuous compliance protects not just contracts, but national security.
Core Business Solutions offers practical tools like the Core Vault to help small businesses achieve and sustain compliance efficiently.