CMMC Final Rule: What You Need to Know and Do Next

On November 10, 2025, the Department of War will officially implement the Cybersecurity Maturity Model Certification (CMMC) Final Rule, marking a pivotal shift in how cybersecurity compliance is enforced across the Defense Industrial Base (DIB).

This long-awaited regulation transforms CMMC from a policy framework into a binding contractual obligation for nearly all defense contractors and subcontractors.

Why the CMMC Final Rule Matters for Defense Contractors

What does this mean for your company? Will you need to self-attest or certify? What even is CMMC?

Join Planet Technologies as we host an Office Hours session focusing on what current DIB companies should be doing to comply with the CMMC requirements, relevant timelines, and lessons learned from hundreds of Government Community Cloud High (GCC-H) deployments.

Understanding the CMMC Final Rule

The CMMC Final Rule updates the Defense Federal Acquisition Regulation Supplement (DFARS) to codify cybersecurity standards for contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

It introduces mandatory compliance requirements that will be phased in over the next three years, culminating in full enforcement by November 10, 2028.

CMMC Final Rule Key Dates and Implementation Timeline

Timeline Overview

    • September 10, 2025: Final rule published in the Federal Register.
    • November 10, 2025: Rule takes effect; CMMC clauses begin appearing in new DoD solicitations and contracts.
    • 2025–2028: CMMC phased implementation across four stages.
    • November 10, 2028: Full CMMC compliance required for all applicable contracts (excluding COTS items).

Four Phases of Implementation

    1. Phase 1 (November 2025): CMMC Level 1 and Level 2 self-assessments required for new contracts (the Department may, at its discretion, require Level 2 certification assessments for some contracts during this phase)
    2. Phase 2 (November 2026): Level 2 third-party certification assessments (C3PAO) begin for applicable contracts
    3. Phase 3 (November 2027): Level 3 DoD-led (DIBCAC) assessments introduced for high-sensitivity contracts
    4. Phase 4 (November 2028): Full implementation across all contracts involving FCI or CUI

The Risks of Non-Compliance

Once the CMMC clauses appear in a solicitation or contract, contractors that cannot show the required assessment result and affirmation will face considerable challenges. Failure to meet CMMC standards can result in:

    • Ineligibility for contract awards
    • Termination of existing contracts
    • Exclusion from supply chains
    • Potential liability under the False Claims Act (FCA)

How to Prepare for CMMC Compliance

If your organization is part of the Defense Industrial Base, preparation should begin immediately. Key actions include:

    • Conducting a gap analysis against NIST SP 800-171 (Revision 2, the version the CMMC rule references for Level 2), and recording the resulting score in SPRS.
    • Engaging with a C3PAO if Level 2 certification is required. A Level 3 assessment is performed only by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and it requires a Level 2 C3PAO certification as a prerequisite.
    • Updating internal policies and systems to meet CMMC requirements.
    • Training staff and designating an affirming official who makes the annual compliance affirmations in SPRS.
    • If appropriate, engaging with a Registered Provider Organization (RPO).

The Role of an RPO

A Registered Provider Organization (RPO) is officially authorized by the Cyber AB (formerly the CMMC Accreditation Body) to provide consulting and advisory services to organizations seeking CMMC certification, known as Organizations Seeking Certification, or OSCs.

RPOs do not conduct official CMMC assessments; that is the job of CMMC Third-Party Assessment Organizations (C3PAOs). Instead, RPOs help companies prepare for those assessments.

How RPOs Help

    • Interpreting CMMC requirements
    • Conducting readiness assessments (gap analyses)
    • Identifying and remediating compliance gaps
    • Developing documentation like System Security Plans (SSPs) and Plans of Action & Milestones (POA&Ms)
    • Implementing cybersecurity practices aligned with NIST SP 800-171 and CMMC requirements
    • Providing ongoing support to maintain compliance

Partner with Planet

Planet Technologies has helped DIB companies set up their secure enclaves, draft the appropriate compliance artifacts/documents, and prepare for their C3PAO audits. To learn more or to schedule a readiness consultation, contact us at [email protected] or visit https://go-planet.com/planet-technologies-and-gcc-high/
