Crunch Time: How to Prepare for the CMMC Clause Rule Effective Date
- David Sutherin

- Nov 4, 2025
The CMMC Clause Rule effective date—when CMMC requirements will begin showing up in defense contracts—is almost here! As the clock counts down, we’re here with some tips for how to ensure your organization is prepared.

CMMC Clause Rule Effective Date Is November 10th
The Department of Defense (DoD) finalized the CMMC Program Rule in 32 CFR Part 170 in late 2024. The 32 CFR rule created the CMMC program structure by defining the levels, assessment types, conditional status, POA&Ms, and much more. However, that did not mean CMMC requirements were “in effect.”
The companion rule, DFARS Case 2019-D041, also called the CMMC Clause Rule, updates 48 CFR Parts 204, 212, 217, and 252 to formally add CMMC requirements to DoD contracts through clauses such as DFARS 252.204-7021. That final rule was published on September 10, 2025, and becomes effective November 10, 2025.
Once effective, contracting officers can include CMMC requirements as a condition of award. The rollout will occur in phases over the next three years, beginning in the next few days.
TL;DR – Practical Key Points
- CMMC requirements will begin being included in new contracts, as well as for options/renewals, on November 10th
- CMMC requirements will not magically appear in existing contracts on November 10th
- Organizations will need to demonstrate compliance when they bid on new contracts or enter into negotiations for exercise of options/renewals
- In order to prepare, ensure your organization has implemented all 15 of the Level 1 practices
- If Level 2 will be required for an upcoming award, organizations are still eligible under a CMMC Conditional Status, which requires having 88 out of the total 110 controls met, none of the unmet requirements being high-impact (3- or 5-pointers), and creating a detailed plan to close gaps within 180 days
CMMC Rollout Phase 1: What the First Year Looks Like
In Phase 1, DoD will begin inserting CMMC requirements into solicitations and contracts. Most awards will require CMMC Level 1 (Self) or Level 2 (Self), though certain higher-risk contracts may require Level 2 (C3PAO) certification.
It’s worth noting that CMMC requirements will not magically appear in existing contracts on November 10th. They will begin being included in new contracts, as well as for options/renewals, on November 10th. Organizations will need to be compliant by the time they bid on a new contract or enter into negotiations for exercise of options/renewals.
Here are the key points:
- Level 1 (Self): Applies to systems handling only Federal Contract Information (FCI), which includes any non-public information related to government contracts. Level 1 requires implementation of 15 practices* from FAR 52.204-21 and an annual self-assessment with affirmation in SPRS.
  * Originally, Level 1 included 17 requirements, but this was revised with the September 2024 release of the CMMC Level 1 Self-Assessment Guide v2.13 and made official in 32 CFR 170.14(c)(2).
- Level 2 (Self / C3PAO): Applies to contractor systems that handle Controlled Unclassified Information (CUI). Level 2 requires all 110 controls from NIST SP 800-171 (Rev. 2). Some contracts will allow self-attestation—hence the (Self) designation—while others will require third-party assessment by a C3PAO. Per DFARS 252.204-7012, CUI handling requirements also include stipulations related to incident reporting and FedRAMP authorization of cloud services.
- Contracts for commercial off-the-shelf (COTS) products are excluded from CMMC requirements.
In Phase 2 (starting November 10, 2026), Level 2 (C3PAO) certifications will become more common. During Phase 3 (November 2027), CMMC Level 3 certifications will begin appearing for high-criticality programs.
When Will C3PAO Certification Be Required?
While most CMMC requirements during Phase 1 will be for self-assessments, namely Level 1 (Self) and Level 2 (Self), some contracts may include certification via Level 2 (C3PAO) requirements prior to the start of Phase 2.
Additionally, the government has stated that they have no ability to prevent prime contractors from requiring their subcontractors to achieve certification, even if the prime is only required to complete self-assessment. What this means: prime contractors may end up requiring certification before the government does.
By Phase 2, third-party certification will become the norm for defense contracts handling CUI based on a DoD memo from January which states that Level 2 C3PAO certification “is the minimum assessment requirement when the planned contract will require the contractor (or subcontractors) to process, store, or transmit CUI categorized under the National Archive’s CUI Registry Defense Organizational Index Grouping.” (emphasis & link added)
Crash Course: How to Be Ready by November 10th
You may be thinking, “All of this is well and good, but how do I actually comply with CMMC requirements once they show up?” In this next section, we’ll be discussing just that! Our guidance below is intended for organizations which may have been waiting for the requirement to appear before getting into the weeds. In order to do so, we need to start with just a little more background.
What Is “CMMC Conditional Status” for Level 2?
The CMMC program allows for a “Conditional Status” at Levels 2 and 3. This status allows companies with minor deficiencies to remain eligible for awards while completing their remediation. To qualify for Level 2 Conditional Status, an organization must:
- Implement 88 out of the 110 practices (80% of the total) from NIST SP 800-171 Rev. 2
- Have only lower-impact, 1-point requirements remaining unmet (per the NIST SP 800-171 DoD Assessment Methodology)
- Define a specific, time-bound Plan of Action & Milestones (POA&M) for unmet requirements
- Resolve all POA&M items within 180 days, complete a closeout assessment, and update compliance status in SPRS
Level 1 does not allow conditional status or POA&Ms—all practices must be fully implemented.
CMMC Compliance Checklist
With this knowledge of CMMC Conditional Status, use this practical checklist to ensure your organization remains eligible for defense contracts as CMMC requirements begin to surface:
- Determine which contracts involve FCI versus CUI—this defines your required CMMC level
- Complete all 15 Level 1 practices and post your results in SPRS. If you only handle FCI, you can stop here
- For organizations handling CUI (i.e., needing to achieve Level 2):
  - Conduct a full NIST SP 800-171 gap assessment
  - Identify any unmet “non-POA&M-able” controls and implement them immediately (e.g., MFA, encryption, logging). Start with 5-point requirements, then move on to 3-pointers, etc.
  - Once you’ve implemented all 5-point & 3-point controls and hit a total of 88 of 110 requirements met, document any remaining gaps and prepare closure plans for each in a POA&M
  - Post your Level 2 self-assessment score in SPRS. At this point, you are at a Conditional Level 2 (Self) status and remain eligible for contract awards
  - Close out all POA&M items and update your final self-assessment score in SPRS within 180 days of the initial assessment. Do not think of this as a get-out-of-jail-free card. Neglecting to close out your POA&M may result in contract termination, debarment, and/or pursuit of charges under the False Claims Act
Bringing It Home
CMMC’s rollout may sound intimidating, but compliance is achievable! With the knowledge you’ve gained from this article, you have a practical understanding of how to get there. Make use of the free resources below to help you plan and execute.
With the effective date quickly approaching, preparation now prevents panic later. Be ready for the moment a CMMC requirement shows up in your contract!
How Triumvirate Cybersecurity Can Help with the Last Yard
If you could use an extra push or subject matter experts to bounce ideas off of, contact us at Triumvirate Cybersecurity. As a CyberAB Registered Practitioner Organization (RPO), we help defense contractors understand and define their CMMC scope, build right-sized solutions based on customers’ unique needs, develop compliant POA&Ms and close them out efficiently, and transition from conditional to final CMMC status smoothly.
Resources for the 11th Hour
- Need a checklist covering the key points?
- Review the requirements & point values








