This blog was originally published by Corsica Technologies here
CMMC Final Rule: How to Achieve Compliance
Defense contractors have anticipated the full implementation of CMMC (Cybersecurity Maturity Model Certification) for some time now. On September 10, 2025, the Federal Register published the DFARS Final Rule, giving defense procurement officers the power to require CMMC compliance—both in new contracts and renewals of existing contracts.
In other words, CMMC compliance is now required for any contractor bidding on defense contracts. Requirements associated with DFARS 252.204-7021 and 252.204-7025 should start appearing in contracts on or after November 10, 2025, though the requirements may start showing up as early as October 2025.
Here’s everything you need to know about CMMC compliance.
Key points:
- CMMC compliance is no longer a one-time initiative. After November 10, 2025, companies must maintain compliance on a continuous, contract-by-contract basis.
- Non-compliant contractors aren’t grandfathered in with existing contracts. Every contract renewal will require CMMC compliance after November 10, 2025.
- Your CMMC compliance requirements will depend on the type of government information you handle and how sensitive the project is.
- Most contractors choose to work with an expert CMMC partner like Corsica Technologies to achieve and maintain compliance.
What is the CMMC Final Rule?
The CMMC Final Rule is a Department of War regulation that officially implements the Cybersecurity Maturity Model Certification (CMMC) program into nearly all Department of War contracts through the Defense Federal Acquisition Regulation Supplement (DFARS).
The CMMC Final Rule is not the same as the DFARS Final Rule. The CMMC Final Rule established the CMMC program upon publication on October 15, 2024. The DFARS Final Rule officially implements the CMMC program in government contracts.
The Federal Register published the DFARS Final Rule on September 10, 2025. The rule takes effect 60 days after that date, on or about November 10, 2025.
This means that Department of War procurement officers can include binding CMMC requirements in new contracts on or after November 10, 2025.

How did CMMC compliance requirements change on September 10, 2025?
When the Federal Register published the rule, it set in motion a process that will formalize and gradually roll out CMMC stipulations in Department of War contracts. The process will take four years to complete across all three levels of CMMC compliance.
Publication of the rule implemented two new clauses in DFARS (Defense Federal Acquisition Regulation Supplement), the regulation that governs how defense contractors interact with the Department of War in a procurement scenario. The two new clauses are:
- DFARS 252.204-7021, also known as the CMMC contract clause, specifies, in part, that “the contractor shall have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.”
- DFARS 252.204-7025, also known as the solicitation notice.
What do Level 2 contractors need to do during phase 1 of the CMMC rollout?
99% of defense contractors will be pursuing Level 2 compliance. For that level, the phase 1 (11/10/25 through 11/9/26) requirement is that contractors self-assess and post their score to the SPRS Portal, which is essentially the same requirement they’ve had up until now.
Starting with phase 2 (11/10/26), Department of War Level 2 contracts can start requiring that contractors have passed a C3PAO-led (third-party) CMMC audit.
Can I renew an existing defense contract without achieving CMMC compliance?
No. After November 10, 2025, all contract renewals will require the appropriate level of CMMC compliance, even if the original contract went into effect before CMMC compliance was required by law.
In other words, all contractors who do business with the Department of War must achieve and maintain CMMC compliance, regardless of contract age.

How do I comply with the CMMC?
The answer depends on what type of information your company handles when contracting with the federal government. There are three types of information:
- Federal contract information (least sensitive)
- Controlled unclassified information
- Controlled unclassified information pertaining to highly sensitive projects
There are three levels of CMMC compliance corresponding to these three types of information. Your organization must achieve and maintain the level of compliance associated with the type of information you handle.
Here are the three levels of compliance.
- Level 1—15 requirements for contractors who work with FCI (federal contract information). Annual self-assessment required.
- Level 2—110 requirements for contractors who work with CUI (controlled unclassified information, as defined by the federal government). Triennial third-party assessment required from an authorized CMMC auditor.
- Level 3—roughly 140 requirements for contractors who work with CUI on highly sensitive projects; uses both NIST SP 800-171 and NIST SP 800-172. Government-led assessment required, conducted by the Department of War.
Companies can achieve the appropriate level of compliance by working with a CMMC expert like Corsica Technologies. Achieving compliance requires a significant amount of work over a sustained period, which is why most companies work with a partner.

“As you take steps and work with a good partner, CMMC is definitely doable. It just takes time and commitment to get it done.”
—Jeff Barney, Ecommerce & IT Manager
How often are CMMC assessments required, and what is the process for each level?
CMMC assessment processes and frequency depend on the level of compliance that the company must achieve. Here’s how it works for each level.
| Level | Assessment Type | Who Conducts | Frequency | Submission/Reporting |
| --- | --- | --- | --- | --- |
| Level 1 | Self-assessment | Organization | Annual | SPRS |
| Level 2 | Self-assessment or third-party | Organization or C3PAO | Every 3 years | SPRS, eMASS (if C3PAO) |
| Level 3 | Government-led | DIBCAC | Every 3 years | SPRS, eMASS |
CMMC Level 1 assessment process
The contractor conducts its own internal review against the 15 basic cybersecurity requirements of FAR 52.204-21. Then the contractor submits its results and annual affirmation in SPRS (Supplier Performance Risk System). The contractor does not need to engage a third party or a government entity to conduct the assessment.
CMMC Level 2 assessment process
The process for CMMC Level 2 assessment depends on the stipulations of the contract in question.
For contracts that allow self-assessment
The contractor reviews its compliance with 110 NIST SP 800-171 controls, then submits the results and affirmation in SPRS (Supplier Performance Risk System).
For contracts that require third-party assessment
The contractor must engage a C3PAO (Certified Third-Party Assessment Organization) to conduct an assessment every three years. The contractor and/or their C3PAO must record the results in SPRS (Supplier Performance Risk System) and eMASS (Enterprise Mission Assurance Support Service).
CMMC Level 3 assessment process
The Department of War’s DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assesses the contractor every three years for adherence to NIST SP 800-172 controls in addition to NIST SP 800-171. Results are submitted to SPRS (Supplier Performance Risk System) and eMASS (Enterprise Mission Assurance Support Service).
What types of cybersecurity controls do I need to be CMMC compliant?
The exact answer will depend on which level of compliance you need to achieve, and the nature of your IT environment. That said, here are all the cybersecurity controls and initiatives that we recently implemented for a defense contractor to help them achieve CMMC compliance.
- Locking down CUI (controlled unclassified information) ASAP
- Access control
- Awareness and training
- Auditing and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity

What if we’re already CMMC compliant?
If you’ve already achieved CMMC compliance, you’re on your way to meeting requirements before November 10, 2025.
However, there is a sea change in how companies must approach CMMC compliance.
CMMC compliance is no longer a one-time initiative. Companies must maintain compliance on a continuous, contract-by-contract basis.
Consequently, there are a few additional steps you need to take before November 10, 2025. Some steps will need to be executed for every contract, new or existing.
- Continuous Affirmation: You must provide an annual affirmation of ongoing compliance, signed by your designated “affirming official.”
- SPRS Updates: Your current CMMC status and unique identifier(s) for each information system handling FCI or CUI must be entered and kept up to date in the Supplier Performance Risk System (SPRS).
- Contract-Specific Requirements: For each new contract, option period, or extension, you must confirm that your CMMC level matches the contract’s requirements and that your SPRS records are current.
- Subcontractor Flowdown: If you are a prime contractor, you must ensure all subcontractors handling FCI or CUI are also certified at the required CMMC level before work begins.
- Conditional Status: For Level 2 and 3, if you have an approved Plan of Action and Milestones (POA&M), you may operate under conditional status for up to 180 days but must close out all POA&Ms within that period.
What ongoing maintenance is needed to maintain CMMC compliance?
CMMC compliance is not a one-time initiative. Rather, it requires continuous effort to maintain compliance on every contract.
Due to the high level of effort and specialized tools required, most contractors choose to work with a partner like Corsica Technologies to maintain CMMC compliance.
Whether you work with a partner or handle it in-house, here’s what it takes to maintain compliance.
1. Annual Affirmation & SPRS Updates
- Submit an annual affirmation of compliance signed by an “affirming official.”
- Keep your CMMC status and unique identifiers (UIDs) for all covered systems current in the Supplier Performance Risk System (SPRS).
2. Continuous Monitoring
- Implement real-time monitoring of systems, networks, and access controls.
- Use tools like SIEM for log analysis and anomaly detection.
- Maintain incident response plans, test them regularly, and log all incidents.
3. Regular Security Audits & Assessments
- Conduct internal audits to verify compliance and identify gaps.
- Prepare for triennial third-party or DoD-led assessments (Levels 2 and 3).
- Perform annual self-assessments for Level 1.
4. Patch & Vulnerability Management
- Apply timely patches and updates to systems.
- Regularly scan for vulnerabilities and remediate them promptly.
5. Maintenance Domain Controls
- Schedule and document all hardware/software maintenance.
- Restrict maintenance to authorized personnel and log all activities.
- Secure remote maintenance sessions and enforce change control.
6. Policy & Training
- Keep security policies updated to reflect evolving CMMC requirements.
- Train employees on cyber hygiene and incident reporting.
- Monitor third-party vendors for compliance.
7. Stay Current with CMMC Updates
- Track changes to CMMC standards and adjust practices accordingly.
- Engage with C3PAOs or RPOs for guidance on evolving requirements.
The takeaway: CMMC requires continuous effort and attention
Wherever you’re at in your CMMC journey, compliance requires significant time, effort, expertise, and technology. Here at Corsica Technologies, our team of CMMC experts has helped numerous contractors achieve and maintain compliance over the long haul. Get in touch today, and let’s take the next step in your CMMC compliance journey.
About the Author
Ross Filipek is Corsica Technologies’ CISO. He has more than 20 years’ experience in the managed cyber security services industry as both an engineer and a consultant. In addition to leading Corsica’s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica’s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame.