{"id":894,"date":"2025-10-08T15:12:11","date_gmt":"2025-10-08T13:12:11","guid":{"rendered":"https:\/\/www.cloudtango.net\/blog\/?p=894"},"modified":"2025-10-08T15:13:58","modified_gmt":"2025-10-08T13:13:58","slug":"cmmc-final-rule-how-to-achieve-compliance","status":"publish","type":"post","link":"https:\/\/www.cloudtango.net\/blog\/2025\/10\/08\/cmmc-final-rule-how-to-achieve-compliance\/","title":{"rendered":"CMMC Final Rule: How to Achieve Compliance"},"content":{"rendered":"<div class=\"elementor-element elementor-element-388d8e39 elementor-widget elementor-widget-heading\" data-id=\"388d8e39\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n<div class=\"elementor-widget-container\"><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-12a6068d elementor-widget elementor-widget-post-info\" data-id=\"12a6068d\" data-element_type=\"widget\" data-widget_type=\"post-info.default\">\n<div class=\"elementor-widget-container\">\n<p>Defense contractors have anticipated the full implementation of <a href=\"https:\/\/dodcio.defense.gov\/cmmc\/About\/\">CMMC (Cybersecurity Maturity Model Certification)<\/a>\u00a0for some time now. On September 10, 2025, the Federal Register published the DFARS Final Rule, giving defense procurement officers the power to require CMMC compliance\u2014both in new contracts and renewals of existing contracts.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-bf43c63 elementor-widget elementor-widget-text-editor\" data-id=\"bf43c63\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p>In other words,\u00a0<a href=\"https:\/\/corsicatech.com\/services\/cmmc-compliance-services-2025\/\">CMMC compliance<\/a>\u00a0is now required for any contractor bidding on defense contracts. 
Requirements associated with DFARS 252.204-7021 and 252.204-7025 should start appearing in contracts on or after November 10, 2025, though the requirements may start showing up as early as October 2025.<\/p>\n<p>Here\u2019s everything you need to know about CMMC compliance.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-6ecb55c2 elementor-widget elementor-widget-heading\" data-id=\"6ecb55c2\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n<div class=\"elementor-widget-container\">\n<h5 class=\"elementor-heading-title elementor-size-default\">Key points:<\/h5>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-1b9e2221 elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\" data-id=\"1b9e2221\" data-element_type=\"widget\" data-widget_type=\"icon-list.default\">\n<div class=\"elementor-widget-container\">\n<ul class=\"elementor-icon-list-items\">\n<li class=\"elementor-icon-list-item\"><span class=\"elementor-icon-list-text\">CMMC compliance is no longer a one-time initiative. After November 10, 2025, companies must maintain compliance on a continuous, contract-by-contract basis.<\/span><\/li>\n<li class=\"elementor-icon-list-item\"><span class=\"elementor-icon-list-text\">Non-compliant contractors aren\u2019t grandfathered in with existing contracts. 
Every contract renewal will require CMMC compliance after November 10, 2025.<\/span><\/li>\n<li class=\"elementor-icon-list-item\"><span class=\"elementor-icon-list-text\">Your CMMC compliance requirements will depend on the type of government information you handle and how sensitive the project is.<\/span><\/li>\n<li class=\"elementor-icon-list-item\"><span class=\"elementor-icon-list-text\">Most contractors choose to work with an expert CMMC partner like Corsica Technologies to achieve and maintain compliance.<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-39ebe20a elementor-widget elementor-widget-html\" data-id=\"39ebe20a\" data-element_type=\"widget\" data-widget_type=\"html.default\">\n<div class=\"elementor-widget-container\"><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-58da00b7 elementor-widget elementor-widget-image\" data-id=\"58da00b7\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n<div class=\"elementor-widget-container\"><a href=\"https:\/\/corsicatech.com\/videos\/?wchannelid=cm2913oy0v&amp;wmediaid=2xoi2hhblt\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"attachment-full size-full wp-image-28875\" src=\"https:\/\/corsicatech.com\/wp-content\/uploads\/2025\/01\/cmmc-compliance-video-thumbnail.webp\" alt=\"CMMC 2.0 Compliance - video thumbnail - Corsica Technologies\" width=\"1200\" height=\"674\" \/><\/a><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-60009269 elementor-widget-divider--view-line_icon elementor-view-default elementor-widget-divider--element-align-center elementor-widget elementor-widget-divider\" data-id=\"60009269\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-divider\">\n<div class=\"elementor-icon elementor-divider__element\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-5d60f264 
elementor-widget elementor-widget-heading\" data-id=\"5d60f264\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">What is the CMMC Final Rule?<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-11586542 elementor-widget elementor-widget-text-editor\" data-id=\"11586542\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p>The CMMC Final Rule is a Department of War regulation that officially implements the Cybersecurity Maturity Model Certification (CMMC) program into nearly all Department of War contracts through the Defense Federal Acquisition Regulation Supplement (DFARS).<\/p>\n<p>The CMMC Final Rule is not the same as the DFARS Final Rule. The CMMC Final Rule established the CMMC program upon publication on October 15, 2024. The DFARS Final Rule officially implements the CMMC program in government contracts.<\/p>\n<p>The Federal Register published the DFARS Final Rule on September 10, 2025. 
The rule will take effect 60 days after that date, or roughly on November 10, 2025.<\/p>\n<p>This means that Department of War procurement officers can include binding CMMC requirements in new contracts on or after November 10, 2025.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-774bb31 elementor-widget elementor-widget-html\" data-id=\"774bb31\" data-element_type=\"widget\" data-widget_type=\"html.default\">\n<div class=\"elementor-widget-container\"><a name=\"2\"><\/a><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-28a3a20d elementor-widget elementor-widget-image\" data-id=\"28a3a20d\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n<div class=\"elementor-widget-container\"><img loading=\"lazy\" decoding=\"async\" class=\"attachment-full size-full wp-image-41395\" src=\"https:\/\/corsicatech.com\/wp-content\/uploads\/2025\/10\/how-did-cmmc-change-on-sept-10-2025.webp\" alt=\"How did CMMC change on Sept 10 2025?\" width=\"1320\" height=\"770\" \/><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-eb73a65 elementor-widget elementor-widget-heading\" data-id=\"eb73a65\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">How did CMMC compliance requirements change on September 10, 2025?<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-49777f6b elementor-widget elementor-widget-text-editor\" data-id=\"49777f6b\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-element elementor-element-2380637e elementor-widget elementor-widget-text-editor\" data-id=\"2380637e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-element elementor-element-3383fb17 elementor-widget 
elementor-widget-text-editor\" data-id=\"3383fb17\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-element elementor-element-667ccfeb elementor-widget elementor-widget-text-editor\" data-id=\"667ccfeb\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p>When the Federal Register published the rule, they set in motion a process that will formalize and gradually roll out CMMC stipulations in Department of War contracts. The process will take four years to complete across all three levels of CMMC compliance.<\/p>\n<p>Publication of the rule implemented two new clauses in DFARS (Defense Federal Acquisition Regulation Supplement), the regulation that governs how defense contractors interact with the Department of War in a procurement scenario. The two new clauses are:<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/www.acquisition.gov\/dfars\/252.204-7021-cybersecurity-maturity-model-certification-requirements.\">DFARS 252.204-7021<\/a><\/strong>, also known as the CMMC contract clause, specifies, in part, that \u201cthe contractor shall have a current (i.e. 
not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.\u201d<\/li>\n<li><strong>DFARS 252.204-7025<\/strong>, also known as the solicitation notice.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-8548476 elementor-widget elementor-widget-html\" data-id=\"8548476\" data-element_type=\"widget\" data-widget_type=\"html.default\"><\/div>\n<div class=\"elementor-element elementor-element-ca10164 elementor-widget elementor-widget-heading\" data-id=\"ca10164\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">What do Level 2 contractors need to do during phase 1 of the CMMC rollout?<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-536d5b93 elementor-widget elementor-widget-text-editor\" data-id=\"536d5b93\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-element elementor-element-4290c2fc elementor-widget elementor-widget-text-editor\" data-id=\"4290c2fc\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p>99% of defense contractors will be pursuing Level 2 compliance. 
For that level, the phase 1 (11\/10\/25 through 11\/9\/26) requirement is that contractors self-assess and post their score to the SPRS Portal, which is essentially the same requirement they\u2019ve had up until now.<\/p>\n<p>Starting with phase 2 (11\/10\/26), Department of War Level 2 contracts can start requiring that contractors have passed a C3PAO-led (third-party) CMMC audit.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-e059ea7 elementor-widget elementor-widget-heading\" data-id=\"e059ea7\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">Can I renew an existing defense contract without achieving CMMC compliance?<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-a85e2d6 elementor-widget elementor-widget-text-editor\" data-id=\"a85e2d6\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p>No. 
After November 10, 2025, all contract renewals will require the appropriate level of CMMC compliance, even if the original contract went into effect before CMMC compliance was required by law.<\/p>\n<p>In other words, all contractors who do business with the Department of War must achieve and maintain CMMC compliance, regardless of contract age.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-d166fdb elementor-widget elementor-widget-html\" data-id=\"d166fdb\" data-element_type=\"widget\" data-widget_type=\"html.default\">\n<div class=\"elementor-widget-container\"><a name=\"5\"><\/a><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-622b97d elementor-widget elementor-widget-image\" data-id=\"622b97d\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n<div class=\"elementor-widget-container\"><img loading=\"lazy\" decoding=\"async\" class=\"attachment-full size-full wp-image-41357\" src=\"https:\/\/corsicatech.com\/wp-content\/uploads\/2025\/10\/cmmc-level-2-compliance-after-final-rule.webp\" alt=\"CMMC level 2 compliance after final rule\" width=\"1320\" height=\"880\" \/><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-00745b5 elementor-widget elementor-widget-heading\" data-id=\"00745b5\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">How do I comply with the CMMC?<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-54fb94a elementor-widget elementor-widget-text-editor\" data-id=\"54fb94a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p>The answer depends on what type of information your company handles when contracting with the federal government. 
There are three types of information:<\/p>\n<ul>\n<li>Federal contract information (least sensitive)<\/li>\n<li>Controlled unclassified information<\/li>\n<li>Controlled unclassified information pertaining to highly sensitive projects<\/li>\n<\/ul>\n<p>There are three levels of CMMC compliance corresponding to these three types of information. Your organization must achieve and maintain the level of compliance associated with the type of information you handle.<\/p>\n<p>Here are the three levels of compliance.<\/p>\n<ul>\n<li><strong>Level 1<\/strong>\u201415 requirements for contractors who work with FCI (federal contract information). Annual self-assessment required.<\/li>\n<li><strong>Level 2<\/strong>\u2014110 requirements for contractors who work with CUI (controlled unclassified information, as defined by the federal government). Triennial third-party assessment required from an authorized CMMC auditor.<\/li>\n<li><strong>Level 3<\/strong>\u2014roughly 140 requirements for contractors who work with CUI on highly sensitive projects; uses both NIST 800-171 and 172. First-party assessment required, led by Department of War.<\/li>\n<\/ul>\n<p>Companies can achieve the appropriate level of compliance by working with a CMMC expert like Corsica Technologies. 
Achieving compliance requires a significant amount of work over a sustained period, which is why most companies work with a partner.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-5c9f8df3 elementor-widget-divider--view-line_icon elementor-view-default elementor-widget-divider--element-align-center elementor-widget elementor-widget-divider\" data-id=\"5c9f8df3\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-divider\">\n<div class=\"elementor-icon elementor-divider__element\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-568cd7fe e-con-full e-flex e-con e-child\" data-id=\"568cd7fe\" data-element_type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n<div class=\"elementor-element elementor-element-5b72bc92 e-con-full e-flex e-con e-child\" data-id=\"5b72bc92\" data-element_type=\"container\">\n<div class=\"elementor-element elementor-element-12221c4a elementor-widget elementor-widget-image\" data-id=\"12221c4a\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n<div class=\"elementor-widget-container\"><img loading=\"lazy\" decoding=\"async\" class=\"attachment-large size-large wp-image-23418\" src=\"https:\/\/corsicatech.com\/wp-content\/uploads\/2024\/12\/Jeff-Barney-2.jpg\" alt=\"Jeff Barney headshot\" width=\"200\" height=\"200\" \/><\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-542bd879 e-con-full e-flex e-con e-child\" data-id=\"542bd879\" data-element_type=\"container\">\n<div class=\"elementor-element elementor-element-330ed8f1 elementor-widget elementor-widget-heading\" data-id=\"330ed8f1\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n<div class=\"elementor-widget-container\">\n<h4 class=\"elementor-heading-title elementor-size-default\">\u201cAs you take steps and work with a good partner, CMMC is 
definitely doable. It just takes time and commitment to get it done.\u201d<\/h4>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-708c4b54 elementor-widget elementor-widget-heading\" data-id=\"708c4b54\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n<div class=\"elementor-widget-container\">\n<h5 class=\"elementor-heading-title elementor-size-default\">\u2014Jeff Barney, Ecommerce &amp; IT Manager<\/h5>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-981eb5c elementor-widget elementor-widget-heading\" data-id=\"981eb5c\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">How often are CMMC assessments required, and what is the process for each level?<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-4baaa523 elementor-widget elementor-widget-text-editor\" data-id=\"4baaa523\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-element elementor-element-b0b9e70 elementor-widget elementor-widget-text-editor\" data-id=\"b0b9e70\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p>CMMC assessment processes and frequency depend on the level of compliance that the company must achieve. 
Here\u2019s how it works for each level.<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"115\"><strong>Level<\/strong><\/td>\n<td width=\"120\"><strong>Assessment Type<\/strong><\/td>\n<td width=\"118\"><strong>Who Conducts<\/strong><\/td>\n<td width=\"119\"><strong>Frequency<\/strong><\/td>\n<td width=\"150\"><strong>Submission\/Reporting<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"115\">Level 1<\/td>\n<td width=\"120\">Self-assessment<\/td>\n<td width=\"118\">Organization<\/td>\n<td width=\"119\">Annual<\/td>\n<td width=\"150\">SPRS<\/td>\n<\/tr>\n<tr>\n<td width=\"115\">Level 2<\/td>\n<td width=\"120\">Self or Third-party<\/td>\n<td width=\"118\">Org or C3PAO<\/td>\n<td width=\"119\">Every 3 yrs<\/td>\n<td width=\"150\">SPRS, eMASS (if C3PAO)<\/td>\n<\/tr>\n<tr>\n<td width=\"115\">Level 3<\/td>\n<td width=\"120\">Government-led<\/td>\n<td width=\"118\">DIBCAC<\/td>\n<td width=\"119\">Every 3 yrs<\/td>\n<td width=\"150\">SPRS, eMASS<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>CMMC Level 1 assessment process<\/h3>\n<p>The contractor conducts its own internal review against the 15 basic cybersecurity requirements of\u00a0<a href=\"https:\/\/www.acquisition.gov\/far\/52.204-21\">FAR 52.204-21<\/a>. Then the contractor submits its results and annual affirmation in SPRS (Supplier Performance Risk System). 
The contractor does not need to be assessed by a third party or a government entity.<\/p>\n<h3>CMMC Level 2 assessment process<\/h3>\n<p>The process for CMMC Level 2 assessment depends on the stipulations of the contract in question.<\/p>\n<h4>For contracts that allow self-assessment<\/h4>\n<p>The contractor reviews its compliance with 110 NIST SP 800-171 controls, then submits the results and affirmation in SPRS (Supplier Performance Risk System).<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-28e63779 elementor-widget elementor-widget-text-editor\" data-id=\"28e63779\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<h4>For contracts that require third-party assessment<\/h4>\n<p>The contractor must engage a C3PAO (Certified Third-Party Assessment Organization) to conduct an assessment every three years. The contractor and\/or their C3PAO must record the results in SPRS (Supplier Performance Risk System) and eMASS (Enterprise Mission Assurance Support Service).<\/p>\n<h3>CMMC Level 3 assessment process<\/h3>\n<p>The Department of War\u2019s DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assesses the contractor every three years for adherence to NIST SP 800-172 controls in addition to NIST SP 800-171. 
Results are submitted to SPRS (Supplier Performance Risk System) and eMASS (Enterprise Mission Assurance Support Service).<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-1d973067 elementor-widget-divider--view-line_icon elementor-view-default elementor-widget-divider--element-align-center elementor-widget elementor-widget-divider\" data-id=\"1d973067\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-divider\">\n<div class=\"elementor-icon elementor-divider__element\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-1cee1147 elementor-widget elementor-widget-heading\" data-id=\"1cee1147\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">What types of cybersecurity controls do I need to be CMMC compliant?<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-22039f71 elementor-widget elementor-widget-text-editor\" data-id=\"22039f71\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-element elementor-element-29acb561 elementor-widget elementor-widget-text-editor\" data-id=\"29acb561\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-element elementor-element-5aa517bb elementor-widget elementor-widget-text-editor\" data-id=\"5aa517bb\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p>The exact answer will depend on which level of compliance you need to achieve, and the nature of your IT environment. 
That said, here are all the cybersecurity controls and initiatives that we recently implemented for a defense contractor to help them achieve CMMC compliance.<\/p>\n<ul>\n<li>Locking down CUI (controlled unclassified information) ASAP<\/li>\n<li>Access control<\/li>\n<li>Awareness and training<\/li>\n<li>Auditing and accountability<\/li>\n<li>Configuration management<\/li>\n<li>Identification and authentication<\/li>\n<li>Incident response<\/li>\n<li>Maintenance<\/li>\n<li>Media protection<\/li>\n<li>Personnel security<\/li>\n<li>Physical protection<\/li>\n<li>Risk assessment<\/li>\n<li>Security assessment<\/li>\n<li>System and communications protection<\/li>\n<li>System and information integrity<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-17afb73 elementor-widget elementor-widget-html\" data-id=\"17afb73\" data-element_type=\"widget\" data-widget_type=\"html.default\">\n<div class=\"elementor-widget-container\"><a name=\"8\"><\/a><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-1497545 elementor-widget elementor-widget-image\" data-id=\"1497545\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n<div class=\"elementor-widget-container\"><img loading=\"lazy\" decoding=\"async\" class=\"attachment-full size-full wp-image-41391\" src=\"https:\/\/corsicatech.com\/wp-content\/uploads\/2025\/10\/what-if-were-already-cmmc-compliant.webp\" alt=\"\" width=\"1320\" height=\"682\" \/><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-1e9e604 elementor-widget elementor-widget-heading\" data-id=\"1e9e604\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">What if we\u2019re already CMMC compliant?<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-482c3427 elementor-widget elementor-widget-text-editor\" 
data-id=\"482c3427\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p>If you\u2019ve already achieved CMMC compliance, you\u2019re on your way to meeting requirements before November 10, 2025.<\/p>\n<p>However, there\u00a0<em>is<\/em>\u00a0a sea change in how companies must approach CMMC compliance.<\/p>\n<p>CMMC compliance is no longer a one-time initiative. Companies must maintain compliance on a continuous, contract-by-contract basis.<\/p>\n<p>Consequently, there are a few additional steps you need to take before November 10, 2025. Some steps will need to be executed for every contract, new or existing.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-830a5e2 elementor-widget elementor-widget-text-editor\" data-id=\"830a5e2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<ul>\n<li><strong>Continuous Affirmation<\/strong>: You must provide an annual affirmation of ongoing compliance, signed by your designated \u201caffirming official.\u201d<\/li>\n<li><strong>SPRS Updates<\/strong>: Your current CMMC status and unique identifier(s) for each information system handling FCI or CUI must be entered and kept up to date in the Supplier Performance Risk System (SPRS).<\/li>\n<li><strong>Contract-Specific Requirements<\/strong>: For each new contract, option period, or extension, you must confirm that your CMMC level matches the contract\u2019s requirements and that your SPRS records are current.<\/li>\n<li><strong>Subcontractor Flowdown<\/strong>: If you are a prime contractor, you must ensure all subcontractors handling FCI or CUI are also certified at the required CMMC level before work begins.<\/li>\n<li><strong>Conditional Status<\/strong>: For Level 2 and 3, if you have an approved Plan of Action and Milestones (POA&amp;M), you may operate under conditional status for up to 180 days but must close out 
all POA&amp;Ms within that period.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-1cb6ee1 elementor-widget-divider--view-line_icon elementor-view-default elementor-widget-divider--element-align-center elementor-widget elementor-widget-divider\" data-id=\"1cb6ee1\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-divider\">\n<div class=\"elementor-icon elementor-divider__element\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-ef5968a elementor-widget elementor-widget-heading\" data-id=\"ef5968a\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">What ongoing maintenance is needed to maintain CMMC compliance?<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-336494a5 elementor-widget elementor-widget-text-editor\" data-id=\"336494a5\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-element elementor-element-6ae7761a elementor-widget elementor-widget-text-editor\" data-id=\"6ae7761a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-element elementor-element-50295664 list-custom-style elementor-widget elementor-widget-text-editor\" data-id=\"50295664\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p>CMMC compliance is not a one-time initiative. 
Rather, it requires continuous effort to maintain compliance on every contract.<\/p>\n<p>Due to the high level of effort and specialized tools required, most contractors choose to work with a partner like Corsica Technologies to maintain CMMC compliance.<\/p>\n<p>Whether you work with a partner or handle it in-house, here\u2019s what it takes to maintain compliance.<\/p>\n<h3>1. Annual Affirmation &amp; SPRS Updates<\/h3>\n<ul>\n<li>Submit an annual affirmation of compliance signed by an \u201caffirming official.\u201d<\/li>\n<li>Keep your CMMC status and unique identifiers (UIDs) for all covered systems current in the Supplier Performance Risk System (SPRS).<\/li>\n<\/ul>\n<h3>2. Continuous Monitoring<\/h3>\n<ul>\n<li>Implement real-time monitoring of systems, networks, and access controls.<\/li>\n<li>Use tools like SIEM for log analysis and anomaly detection.<\/li>\n<li>Maintain incident response plans, test them regularly, and log all incidents.<\/li>\n<\/ul>\n<h3>3. Regular Security Audits &amp; Assessments<\/h3>\n<ul>\n<li>Conduct internal audits to verify compliance and identify gaps.<\/li>\n<li>Prepare for triennial third-party or DoD-led assessments (Levels 2 and 3).<\/li>\n<li>Perform annual self-assessments for Level 1.<\/li>\n<\/ul>\n<h3>4. Patch &amp; Vulnerability Management<\/h3>\n<ul>\n<li>Apply timely patches and updates to systems.<\/li>\n<li>Regularly scan for vulnerabilities and remediate them promptly.<\/li>\n<\/ul>\n<h3>5. Maintenance Domain Controls<\/h3>\n<ul>\n<li>Schedule and document all hardware\/software maintenance.<\/li>\n<li>Restrict maintenance to authorized personnel and log all activities.<\/li>\n<li>Secure remote maintenance sessions and enforce change control.<\/li>\n<\/ul>\n<h3>6. 
Policy &amp; Training<\/h3>\n<ul>\n<li>Keep security policies updated to reflect evolving CMMC requirements.<\/li>\n<li>Train employees on cyber hygiene and incident reporting.<\/li>\n<li>Monitor third-party vendors for compliance.<\/li>\n<\/ul>\n<h3>7. Stay Current with CMMC Updates<\/h3>\n<ul>\n<li>Track changes to CMMC standards and adjust practices accordingly.<\/li>\n<li>Engage with C3PAOs or RPOs for guidance on evolving requirements.<\/li>\n<\/ul>\n<h2>The takeaway: CMMC requires continuous effort and attention<\/h2>\n<p>Wherever you\u2019re at in your CMMC journey, compliance requires significant time, effort, expertise, and technology. Here at Corsica Technologies, our team of CMMC experts has helped numerous contractors achieve and maintain compliance over the long haul. Get in touch today, and let\u2019s take the next step in your CMMC compliance journey.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-81b71a9 elementor-widget-divider--view-line_icon elementor-view-default elementor-widget-divider--element-align-center elementor-widget elementor-widget-divider\" data-id=\"81b71a9\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-divider\">\n<div class=\"elementor-icon elementor-divider__element\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-5bfcb526 e-grid e-con-boxed e-con e-child\" data-id=\"5bfcb526\" data-element_type=\"container\">\n<div class=\"e-con-inner\">\n<div class=\"elementor-element elementor-element-6abb5c68 elementor-widget elementor-widget-text-editor\" data-id=\"6abb5c68\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<h2>Ready to take the next step?<\/h2>\n<p>Contact us today to take the next step in achieving and maintaining CMMC compliance.<\/p>\n<h4><a 
href=\"https:\/\/corsicatech.com\/contact\/\" rel=\"noopener\">Contact Us Now \u2192<\/a><\/h4>\n<h5>About the Author<\/h5>\n<p><strong>Ross Filipek is Corsica Technologies\u2019 CISO<\/strong>. He has more than 20 years\u2019 experience in the managed cyber security services industry as both an engineer and a consultant. In addition to leading Corsica\u2019s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica\u2019s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Defense contractors have anticipated the full implementation of CMMC (Cybersecurity Maturity Model Certification)\u00a0for some time now. On September 10, 2025, the Federal Register published the DFARS Final Rule, giving defense procurement officers the power to require CMMC compliance\u2014both in new contracts and renewals of existing contracts. 
In other words,\u00a0CMMC compliance\u00a0is now required for any contractor[\u2026] <a class=\"read-more\" href=\"https:\/\/www.cloudtango.net\/blog\/2025\/10\/08\/cmmc-final-rule-how-to-achieve-compliance\/\">Read<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" enable-background=\"new 0 0 24 24\" height=\"16px\" viewBox=\"0 0 24 24\" width=\"16px\" fill=\"#091926\"><rect fill=\"none\" height=\"16\" width=\"16\"\/><path d=\"M14.29,5.71L14.29,5.71c-0.39,0.39-0.39,1.02,0,1.41L18.17,11H3c-0.55,0-1,0.45-1,1v0c0,0.55,0.45,1,1,1h15.18l-3.88,3.88 c-0.39,0.39-0.39,1.02,0,1.41l0,0c0.39,0.39,1.02,0.39,1.41,0l5.59-5.59c0.39-0.39,0.39-1.02,0-1.41L15.7,5.71 C15.32,5.32,14.68,5.32,14.29,5.71z\"\/><\/svg><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,11,14,15],"tags":[],"class_list":["post-894","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-managed-it","category-modern-workplace","category-mssps"],"_links":{"self":[{"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/posts\/894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/comments?post=894"}],"version-history":[{"count":3,"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/posts\/894\/revisions"}],"predecessor-version":[{"id":898,"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/posts\/894\/revisions\/898"}],"wp:attachment":[{"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/media?parent=894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"hr
ef":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/categories?post=894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudtango.net\/blog\/wp-json\/wp\/v2\/tags?post=894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}