What Contractors Need to Know About the CMMC Final Rule

What was once an aspirational goal is now mandatory.

Contractors must be ready for assessment, certification, and ongoing maintenance—or risk exclusion from DoD/DoW opportunities.

What Changed With the 48 CFR Final Rule?

  • Enforcement: CMMC requirements are now written directly into DoD/DoW contracts through DFARS clause 252.204-7021; the contractor must hold the required CMMC status at award and maintain it for the life of the contract.
  • Timeline: Phase 1 began November 10, 2025. From that date solicitations may require Level 1 or Level 2 self-assessments and, at DoD's discretion, Level 2 C3PAO certification; C3PAO certification becomes the default for applicable Level 2 contracts in Phase 2 (November 10, 2026), and the phase-in completes in Phase 4 (November 10, 2028).
  • Waivers: Rare and strictly limited; do not plan around an exception.
  • Assessment Lead Time: Contractors often have 32 days or less between solicitation release and proposal due date, and the required status must already be in place at award. Prepare early.

Reference: https://dodcio.defense.gov/cmmc/About/

Who Must Achieve CMMC Level 2?

  • Prime Contractors:

Direct DoD/DoW contract recipients. Level 2 applies when the contract involves Controlled Unclassified Information (CUI); work that involves only Federal Contract Information (FCI) falls under Level 1.

  • Subcontractors:

If you provide products or services to a prime and process, store, or transmit CUI in doing so, the Level 2 requirement flows down to you (DFARS 252.204-7021 and 32 CFR Part 170). Subcontractors handling only FCI must meet Level 1.


Key CMMC Level 2 Certification Requirements

  • Implement all 110 security requirements of NIST SP 800-171 Revision 2 (the revision 32 CFR Part 170 points to), spanning 14 families (Access Control, Incident Response, Risk Assessment, Configuration Management, etc.).
  • Third-Party Assessment: Most contracts involving CUI require Level 2 (C3PAO), a certification assessment by a CMMC Third-Party Assessment Organization; Level 2 (Self) is available only where the solicitation specifies it, and FCI-only work is Level 1 (Self).
  • POA&Ms: A conditional status is possible only if the score is at least 88 of 110 and every open item is a 1-point requirement (the single exception is 3.13.11, CUI encryption, which may remain open if encryption is in place but not FIPS-validated). Some requirements can never sit on a POA&M, including 3.12.4 (System Security Plan), 3.1.20, 3.1.22, and the physical access requirements 3.10.3 to 3.10.5. Open items must be closed within 180 days or the conditional status lapses.

Reference: https://cmmccompliance.us/the-48-cfr-cmmc-final-rule-what-contractors-need-to-know-before-november-10-2025/

Urgent Steps for Contractors (Action Guide)

  1. Determine the required CMMC level. Read the solicitation and contract clauses, then trace how FCI and CUI actually flow through your systems; the level is driven by the data you handle.
  2. Conduct a comprehensive assessment. Map in-scope assets, document every control, and use the official Level 2 Assessment Guide and scoring methodology; record the resulting score in the Supplier Performance Risk System (SPRS), where self-assessment scores, certification results, and annual affirmations are recorded.
  3. Close compliance gaps immediately. Address deficiencies with full NIST SP 800-171 implementation as the target, since a POA&M may carry only permissible 1-point items.

Which NIST SP 800-171 Controls Most Often Fail CMMC Level 2 Assessments?

The requirements that most often fail Level 2 assessments involve documentation, system management, and core security processes.

Contractors frequently struggle with:

  • System Security Plan (SSP), 3.12.4: many organizations lack a comprehensive SSP or fail to update it as the system changes. Note that 3.12.4 can never be placed on a POA&M, so a missing SSP is disqualifying on its own.
  • Incident Response, 3.6.3: the requirement is to test the incident response capability; a plan that exists but has never been exercised fails it, and a missing plan also fails 3.6.1.
  • Audit and Accountability, 3.3.3: failure to periodically review and update which events are logged, and to show that the review actually happens.
  • Access Control, 3.1.3: no documented approved flows for CUI and no technical enforcement of them (this is distinct from the account and authorization controls in 3.1.1 and 3.1.2).
  • Configuration Management, 3.4.1: incomplete baseline configurations and inventories of hardware, software, firmware, and system documentation. NIST SP 800-171 has no "Asset Management" family; assessors test this under Configuration Management.
  • Documentation overall: beyond specific controls, insufficient documentation across all domains is a leading reason for failed Level 2 assessments.

These issues are compounded by misunderstanding requirements, lack of staff training, and limited resources in smaller organizations. Ensuring comprehensive, tailored documentation and regular control reviews is essential to passing a CMMC Level 2 assessment.

Here are examples of evidence CMMC assessors routinely accept for the most commonly failed NIST SP 800-171 controls:

System Security Plan (SSP) – 3.12.4

  • A formally documented, up-to-date SSP (Word or PDF) that describes the system boundary, environment, and how each requirement is implemented.
  • Change history or revision logs showing regular updates and reviews.
  • Policies that reference the specific system boundary and controls described in the SSP.

Incident Response – 3.6.3

  • A written incident response plan that defines roles, contacts, and escalation steps.
  • Evidence of tabletop exercises or incident simulations (scenario, meeting minutes, attendance records, after-action items).
  • Documentation of recent incident investigations and lessons learned.

Audit and Accountability – 3.3.3

  • Archived and current system logs (network, application, security).
  • A documented schedule for reviewing the set of logged events, and records of completed reviews.
  • Policy or procedure defining who reviews logs and logging configuration, and how often.

Access Control – 3.1.3

  • A CUI data flow diagram showing where CUI enters, moves within, and leaves the assessment boundary.
  • Configuration exports of the mechanisms that enforce those flows (firewall or ACL rules, DLP or email rules, share and folder permissions).
  • Current user access lists, records of terminated accounts being disabled promptly, and evidence of periodic access reviews. These support the related requirements 3.1.1 and 3.1.2 and are commonly requested alongside 3.1.3.

Configuration Management – 3.4.1

  • Documented baseline configurations for in-scope systems (hardened build standards, golden images, or configuration management exports).
  • A current hardware and software inventory, with evidence it is reconciled against what is actually deployed.
  • Records showing the baselines and inventories are updated when the system changes.

Documentation Overall

  • Signed policies and procedures covering the relevant controls.
  • Training records showing staff have been trained on those policies.
  • Records proving annual or periodic policy reviews.

Presenting this material as hard evidence (digital files, screenshots, signed documents) gives assessors what they expect to see and removes the most common causes of failure at CMMC Level 2.

  • Engage an Authorized C3PAO: Schedule your third-party assessment early; demand for assessors will spike near the phase deadlines.
  • Document and Maintain Your System Security Plan (SSP): Ensure all policies and evidence are ready for review.
  • Communicate Supply Chain Requirements: Flow down CMMC obligations to subcontractors that handle CUI and verify their readiness before award.
  • Monitor and Recertify: Certification is valid for three years, but compliance must be maintained, evidence kept current, and an annual affirmation submitted in SPRS by the Affirming Official.


FAQs

  • What is the minimum passing score for Level 2?

A conditional status requires at least 88 of 110 points, with only eligible 1-point requirements (plus the 3.13.11 FIPS-validation exception) open on a POA&M and closed within 180 days. A final status requires every requirement to be met.

  • Will my contract be terminated if I lose certification?

It can be. A current CMMC status is a condition of award and must be maintained for the life of the contract, so a lapse (an expired certificate, a POA&M not closed within 180 days, or a missed annual affirmation) can make you ineligible for new awards and exposes existing contracts to remedies for non-compliance with the clause.

  • Can I wait until contract award to start my compliance journey?

No. The required status must be in place at award, and a C3PAO assessment takes time to schedule and complete, so the work must start before the solicitation drops.

__________________________________________________________________________________________________________

The final 48 CFR rule demands immediate, organized action from every DoD/DoW contractor seeking to achieve—and maintain—CMMC Level 2 certification. Start your compliance journey, engage a trusted C3PAO, close gaps now, and stay ahead of evolving requirements. Those who act early secure their future in the defense industrial base.

Reference: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf

Need help with a pre-assessment? Contact our CMMC-readiness team: https://scorecard.cmmccompliance.us/cmmc-scorecard

#CMMC #DoWCompliance #Cybersecurity #DefenseContractor #CUI #NIST800171 #48CFR #DFARS #C3PAO #FederalContracts #SupplyChainSecurity #GovTech