
CYBERSECURITY SOLUTIONS

Implementing Cybersecurity Controls for Commercial and Defense Applications
IS YOUR SPRS SCORE GOING TO COST YOU GOVERNMENT WORK? WE CAN HELP!

48 CFR DFARS Rule on CMMC (Effective November 10, 2025)

The Department of Defense (DoD) has finalized a new Defense Federal Acquisition Regulation Supplement (DFARS) rule under 48 Code of Federal Regulations (CFR), which formally integrates the Cybersecurity Maturity Model Certification (CMMC) program into defense contracts. The rule became effective November 10, 2025 and represents a major shift in how cybersecurity requirements are enforced across the Defense Industrial Base (DIB).

What This Means for DoD Contractors

• CMMC Is Now a Contractual Requirement: Starting Nov 10, 2025, DoD contracts will require compliance with CMMC as a condition for awards, options, period extensions, etc.
• Eligibility to Compete and Perform: Contractors (and their subcontractors) must demonstrate they meet the required CMMC level to bid on and win DoD contracts.
• Phased Rollout Begins Nov 10, 2025: For Phase 1, Contractors will need to conduct self-assessments showing compliance with CMMC Level 1 and Level 2 and enter results into the Supplier Performance Risk System (SPRS), with a senior executive affirming compliance. CMMC Level depends on the type of information involved (FCI/CUI). Phase 2 (begins 12 months later) will expand to require Level 2 third-party certifications for contracts involving Controlled Unclassified Information (CUI).
• Accountability Through Affirmations: A designated affirming official must attest that compliance is ongoing. False statements carry legal, contractual, and financial risks.
• Supply Chain Responsibility: Flow-down requirements: contractors must ensure their subcontractors meet the required CMMC level if they handle Federal Contract Information (FCI) or CUI.

The rule makes cybersecurity a prerequisite for doing business with DoD. Contractors must finalize assessing, remediating gaps, documenting compliance, and preparing for certification now to avoid disruption when the rule takes effect. Failure to comply can lead to loss of eligibility, termination of options/renewals, and other contract remedies.
It’s worth keeping in mind that early compliance positions contractors as more competitive in the defense marketplace. Our team, in tandem with our vetted partners, is ready to help you take your information system to a certified compliance level! Call us today for a free consultation: (203) 500-8706 or email us at info@RHAndersen.com
"Team ISO" and "Quality Systems / Management Solutions" and "Partnered for Success!" are all registered trademarks of RH ANDERSEN Consultants. All Rights Reserved.

Windsor, CT / Baltimore, MD
Copyright © 2001-2025 RHAndersen.com. All rights reserved.
