
CMMC Enforcement Starting November 10, 2025: An Update on the Latest 48 CFR Rulemaking Milestone
The countdown is over.
CMMC 2.0 will be enforceable starting November 10, 2025, ending years of speculation and signaling a decisive shift for the Defense Industrial Base (DIB).
On September 9, 2025, the Department of Defense’s 48 CFR rule was submitted to the Office of the Federal Register (OFR) and released for public inspection. As of tomorrow, September 10, 2025, it will be officially published in the Federal Register.
Sixty days later, on November 10, 2025, it will take effect and CMMC 2.0 will start being enforced as a condition of doing business with the DoD.
What happens on November 10?
Once the rule takes effect, Department of Defense (DoD) contracting officers will begin inserting CMMC requirements into new solicitations and contracts—starting with:
- CMMC Level 1 Self-Assessment for contracts involving Federal Contract Information (FCI)
- CMMC Level 2 Self-Assessment for contracts involving less sensitive Controlled Unclassified Information (CUI) or Security Protection Data (SPD)
- CMMC Level 2 Certification Assessment (C3PAO) for select contracts involving sensitive CUI or SPD
There is no grace period. If your organization is not certified at the required level, you will be ineligible for the contract award.
This isn’t limited to prime contractors—subcontractors, service providers, and other organizations who touch sensitive unclassified government information across the DoD supply chain may be pulled into scope via assessment boundary or flowdown requirements.
In short: CMMC 2.0 is no longer optional if you want to remain in or join the defense supply chain.
Why this milestone matters more than any before
Until now, every CMMC update came with caveats: “when the rule is finalized,” “after publication in the Federal Register,” “once enforcement begins.”
As of today, those caveats are gone: The rule has cleared regulatory review and the enforcement deadline is real.
In just 60 days, the CMMC phased rollout will officially begin and organizations will start seeing DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements, in their contracts.
That means CMMC 2.0 can no longer be put off as a future concern. It is an immediate operational requirement to maintain contract eligibility.
While the first phase will focus mostly on self-assessments, for many contractors, subcontractors, and other members of the DIB, Level 2 (C3PAO) readiness is already expected.
What this means for defense contractors and suppliers
If your organization hasn’t yet scoped its environment, conducted a gap analysis, or implemented required NIST 800-171 Rev 2 controls, there is no more time to wait.
According to DoD estimates, 65% of the DIB will be required to undergo self-assessments, with another 35% of organizations required to undergo Level 2 third-party assessments at some point during the phased rollout.
The latter face particular urgency, and not only because the DoD has the discretion to include a Level 2 (C3PAO) requirement during Phase 1. Even if these requirements don’t appear in your contract during this first phase, you need to get ready as soon as possible.
The average Level 2 certification timeline, from gap assessment to audit-ready, can take anywhere from almost a year to two years.
Without immediate action, many contractors risk missing eligibility altogether as CMMC rollout accelerates in 2026 and beyond.
What’s next in the CMMC timeline?
Today, the DoD’s 48 CFR rule cleared regulatory review and is now available for public inspection. Here’s what happens next:
- September 10, 2025: Final rule published in the Federal Register
- November 10, 2025: Rule takes effect and CMMC enforcement begins, starting with self-assessments in Phase 1
- November 10, 2026–2028: Phased rollout continues with increasing certification requirements until full implementation of all CMMC 2.0 level and assessment requirements in relevant DoD contracts and solicitations in Phase 4.
We’ll continue tracking the rollout and publishing detailed breakdowns of what contractors need to know at each phase.
For now, the most important takeaway is simple: The window to get CMMC ready is closing fast. If you’re not preparing, you’re falling behind.
How Secureframe & Coalfire can help contractors meet the deadline
If you haven’t finalized your CMMC scope, implemented all CMMC controls, or booked your C3PAO, don’t panic. Secureframe and Coalfire can help.
Secureframe is already helping organizations across the DIB streamline and accelerate their path to CMMC certification.
Backed by deep federal expertise and a strategic partnership with authorized C3PAO Coalfire Federal, the Secureframe platform enables you to:
- Automatically assess compliance gaps and collect and organize evidence from across your tech stack to support all level requirements and assessment objectives
- Generate and maintain your SSP, POA&M, and SPRS score with automation so they stay accurate, consistent, and always ready for assessor review
- Continuously monitor CMMC controls for misconfigurations and failures via 300+ integrations
- Get support from former federal auditors with CMMC expertise, including their own first-hand experience navigating a Level 2 (C3PAO) assessment
- Access and customize pre-built policy templates mapped to CMMC 2.0 and NIST 800-171 Rev 2 (Rev 3 also available if needed)
- Collaborate seamlessly with Coalfire Federal or your chosen C3PAO within the platform to streamline the assessment process
Whether you’re starting CMMC 2.0 readiness from scratch or refining your compliance posture, Secureframe can help you save hundreds of hours, reduce risk, and certify with confidence—before you lose any contracts. Contact a product expert to learn more.
