Article

Breaking News - November 10: CMMC Phase 1 Begins

September 10, 2025

What to Expect

  • Overview of the CMMC final rule published in the Federal Register 
  • Key dates and what changes when Phase 1 begins on November 10, 2025
  • What enforcement means for defense contractors handling Controlled Unclassified Information (CUI)
  • Why early scheduling with accredited C3PAOs is critical 

On September 10, the Department of Defense published the Cybersecurity Maturity Model Certification (CMMC) final rule in the Federal Register. This milestone sets the stage for Phase 1 to officially begin on November 10, 2025.

For defense contractors, the implications are immediate and profound. The rule is no longer a draft, and certification is no longer optional. CMMC has moved from theory into enforceable regulation.

What Changes Now

The release of the final rule creates a definitive pivot point:

  • Contracting officers gain authority to include CMMC in solicitations beginning November 10.
  • Certification becomes enforceable, shifting from preparation to a requirement tied directly to eligibility.
  • Awards will begin to carry certification language, raising the stakes for contractors who are not yet assessment-ready.

 

Why Timing Matters

The gap between today’s publication and November’s enforcement date is short. Contractors handling controlled unclassified information (CUI) who have not already scheduled assessments are facing a compressed timeline. The defense industrial base is vast, but the number of accredited C3PAOs remains limited. Demand will rise sharply, and organizations that delay may find themselves competing for scarce assessment capacity.

A Strategic Inflection Point

CMMC is not just about regulatory compliance. It is about trust and competitiveness within the defense supply chain. Contractors who achieve certification early will not only meet requirements but also signal reliability and resilience to their government customers. Those who wait risk being sidelined from future opportunities.

Experience You Can Count On

Since the inception of CMMC, we have been on the front lines supporting contractors through evolving drafts, provisional assessments, and now into the enforceable era. Our mock assessments are designed to provide clarity and confidence, while our official assessments ensure impartiality and continuity so contractors can move forward without disruption.

The transition from planning to enforcement is here. The question is no longer if CMMC will impact your contracts, but when. For many, the answer is starting on November 10.

Ready to talk to an expert about CMMC? 

CMMC certification is a milestone, but it does not have to be a struggle. Our team has been part of this journey since day one, giving contractors the insight and confidence they need to succeed. Connect with us today to take the next step with certainty.

TL;DR FAQs

The CMMC final rule, published by the Department of Defense on September 10, 2025, moves cybersecurity certification from a draft framework into enforceable regulation. Phase 1 begins on November 10, 2025, giving contracting officers the authority to include CMMC requirements in new solicitations.

Beginning November 10, contracting officers can include CMMC certification requirements in solicitations and awards. Contractors must be assessment-ready to remain eligible for future opportunities. The rule marks a shift from preparation to mandatory enforcement across the Defense Industrial Base.

The window between the rule’s publication and enforcement is short. With limited accredited C3PAOs available, demand for assessments is rising. Contractors who delay scheduling risk missing deadlines and losing eligibility for upcoming contracts.

Achieving CMMC certification early signals reliability and resilience to government customers. It strengthens competitiveness in the defense marketplace, reduces compliance uncertainty, and demonstrates proactive cybersecurity maturity.

Contractors should immediately schedule a CMMC readiness assessment, review their System Security Plan (SSP), and close open POA&Ms. Taking these steps now ensures readiness before contracting officers begin enforcing certification.

Contractors that fail to achieve certification risk being ineligible for solicitations and new awards. Without proof of compliance, they may be excluded from future defense contracts under the new CMMC rule.

Recent Resources