CMMC Final Rule: What DoD Subs Need to Know
Published: October 15, 2025
By: Chris Henderson

"This isn't just compliance...it's a national security imperative."

Stacy Bostjanick

Chief DIB Cybersecurity, DCIO(CS), OCIO


The wait is over. On September 10, 2025, the Department of Defense (DoD) published the final acquisition rule for the Cybersecurity Maturity Model Certification (CMMC), the DFARS rule that puts CMMC requirements into contracts (the program rule itself, 32 CFR Part 170, was finalized in 2024). The rule takes effect on November 10, 2025, and if you’re a DoD subcontractor, you need to pay close attention.

Prime contractors will soon be required to verify that their subs are certified before awarding a contract. This post breaks down what the CMMC final rule is, what it means for you, and why you need to start preparing for your assessment. Let's get into it.


A quick CMMC overview

Think of CMMC as the DoD's new standard cybersecurity background check for its supply chain. Keep in mind that the underlying requirements aren’t new: DFARS 252.204-7012 has required contractors that handle CUI to implement NIST SP 800-171 since the end of 2017, so as a DoD subcontractor you should already be meeting them. Until now, though, compliance has been self-attested.

CMMC adds a verification component to make sure contractors are actually protecting sensitive government information. It’s designed to safeguard the supply chain from cyberattacks and data theft.

The program protects two main types of information:

  • Federal Contract Information (FCI): Information not intended for public release that is provided by or generated for the government under a contract.

  • Controlled Unclassified Information (CUI): A broad category of information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies. If you handle things like Controlled Technical Information (CTI), you're dealing with CUI.

CMMC is broken down into three levels, each with increasing security requirements. The level you need depends on the type of information you handle.

  • CMMC Level 1: This is the foundational level for anyone handling FCI. It requires an annual self-assessment against the 15 basic safeguarding requirements in FAR 52.204-21, with the result posted in the Supplier Performance Risk System (SPRS).

  • CMMC Level 2: This is the big one. If you store, process, or transmit CUI, you'll need Level 2. It maps to the 110 requirements in NIST SP 800-171 (Revision 2) and, for most contractors, requires a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years, with an annual affirmation of continued compliance in between. A small share of Level 2 contracts will accept a self-assessment instead; don't plan on being in that group.

  • CMMC Level 3: This top tier is for contractors handling the most sensitive CUI. It includes all 110 Level 2 requirements plus 24 selected from NIST SP 800-172, requires a final Level 2 C3PAO certification as a prerequisite, and is assessed by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The DoD estimates that over 80,000 contractors will need a Level 2 or Level 3 certification. That is a conservative estimate, because the DoD keeps no database of its subcontractors; the real number is likely much higher.


The clock is ticking: Timelines and flow downs

While the rule becomes effective on November 10, 2025, CMMC requirements are phased into new DoD contracts over three years. Phase 1 (from November 10, 2025) covers Level 1 and Level 2 self-assessments, with the DoD free to require Level 2 C3PAO certification on contracts it chooses; Phase 2 (from November 10, 2026) makes Level 2 C3PAO certification the standard requirement where CUI is involved; Phase 3 (from November 10, 2027) adds Level 3; and after November 10, 2028, CMMC requirements apply to all applicable contracts involving FCI or CUI.

Don't let the "phased rollout" fool you into complacency. The final DFARS clause language (DFARS 252.204-7021) is crystal clear: prime contractors must verify that their subcontractors have the required CMMC status before awarding a subcontract. This is a massive change. Primes won't wait for the DoD to mandate it on a specific contract; they'll start requiring it across their supply chain to reduce their own risk.

This "flow down" requirement means subcontractors can no longer hide in the background. If you want to continue working with DoD prime contractors, you must be proactive and get certified at the appropriate level. Think about it this way: take the conservative figure of 80,000 contractors in scope for Level 2. Compare that with 82 C3PAOs authorized on the Cyber AB website (as of this writing).

While a typical assessment can take four to eight weeks from start to finish, let’s assume one week of solid C3PAO time per assessment. Let’s be generous and assume each of the 82 C3PAOs can magically handle 10 assessments concurrently. With no days off, that is 82 C3PAOs x 52 weeks a year x 10 concurrent assessments = 42,640 assessments per year.

At that rate it would take roughly two years (80,000 / 42,640 ≈ 1.9) just to get through the first 80,000 contractors, and that is with wildly optimistic assumptions. If you don't get this done proactively, you’re risking your entire DoD contractor business.


Getting ready for your Level 2 assessment

For the tens of thousands of subcontractors handling CUI, a CMMC Level 2 assessment is in your future. This is a rigorous assessment of your cybersecurity maturity, and passing a C3PAO assessment requires serious preparation.

You need to get these three key areas in order:

  • Technology: Do you have the right tools in place? This includes things like endpoint protection, security information and event management (SIEM), vulnerability scanning, and application control. Your tech stack must be able to meet the 110 security requirements.

  • Processes: You need well-defined, repeatable processes for everything from employee onboarding to change control approvals to incident response. Assessors will want to see that your security practices are integrated into your daily operations, not just written down somewhere and forgotten.

  • Documentation: If it isn't documented, it didn't happen. Assessors live and breathe documentation. You'll need a current System Security Plan (SSP), policies for every control family, detailed procedures, and records to prove you're doing what you say you're doing. This is often the biggest hurdle for organizations going through the assessment process.

Gathering all this evidence, organizing it, and meeting the assessor's expectations is a monumental task. Trying to do it all yourself while running your business can feel like a major distraction. 

Please note, this isn’t like other compliance initiatives. The CMMC Level 2 assessment is scored out of 110 points, and a final certification requires every one of the 110 requirements to be met: a score of 110 out of 110.

There is one safety valve. If you score at least 88 out of 110 and every open item is one the rule allows on a Plan of Action and Milestones (in practice, only low-weight requirements; an unmet high-weight requirement such as MFA fails the assessment regardless of score), your C3PAO can issue a Conditional Level 2 status instead of a fail. That status is temporary: the open items must be remediated and verified by a closeout assessment within a hard 180-day deadline, or the conditional status lapses. Proper preparation is paramount.


Your next move: Start now, and find the right partners

The CMMC final rule is here, and the implementation clock has started. Subcontractors who wait to prepare will be unable to win contracts that require a Level 2 (C3PAO) status. Demand for C3PAO assessments is already high and will only intensify, creating a significant bottleneck: at the numbers above, roughly one C3PAO for every 1,000 DoD subcontractors needing Level 2 certification.

Take these steps today:

  1. Determine your level: Identify if you handle FCI or CUI to understand which CMMC level you need to meet.

  2. Conduct a gap analysis: Assess your current environment against the required CMMC controls. Identify where you fall short.

  3. Build your plan: Create a detailed plan of action and milestones (POA&M) to address your gaps.

  4. Find trusted partners: Engage with security providers who understand CMMC and can help you implement the necessary technology, processes, and documentation. (You guessed it, if you’ve got Huntress products, we have the documentation you need to support a successful audit.) 

You can find qualified help on the Cyber AB Marketplace, which lists authorized C3PAOs and Registered Provider Organizations (RPOs). It’s time to get started to keep your place in the DoD supply chain.

Huntress is setting the standard for CMMC vendor documentation. Learn how we can help you on your journey by scheduling a demo today. 

Categories: Cybersecurity Education