New DFARS Rule: CMMC Certification Becomes Mandatory for Defense Contracts Starting November 10
Starting November 10, 2025, a critical new Defense Federal Acquisition Regulation Supplement (DFARS) rule officially makes Cybersecurity Maturity Model Certification (CMMC) mandatory for most Department of Defense (DoD) contracts. This milestone marks a major shift in defense procurement , cybersecurity certification is no longer voluntary but a binding contractual requirement that affects all tiers of the defense industrial base.
What This Means for You
This rule means that if you want to win or keep a defense contract, you must show proof that your company meets cybersecurity standards under CMMC (Cybersecurity Maturity Model Certification).
- It applies to all contractors handling FCI (Federal Contract Information) or CUI (Controlled Unclassified Information).
- The requirement will be written into contracts using new DFARS rules.
- Before giving you a contract (or an extension), the government will check your certification in SPRS (Supplier Performance Risk System).
- No certification = no award, no option extensions.
It means: You can’t compete for or keep defense contracts unless your company proves CMMC compliance.
Three CMMC Levels Explained
- Level 1: Applies to systems handling only FCI. Requires an annual self-assessment with affirmation of compliance recorded in SPRS. No third-party assessment is required.
- Level 2: Applies to systems handling CUI. May require self-assessment or third-party assessment by a Certified Third Party Assessment Organization (C3PAO), depending on contract specifics.
- Level 3: Reserved for the most sensitive CUI involving national security. Requires an assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Nearly all DoD contracts, except those solely for commercially available off-the-shelf (COTS) items, will require at least Level 1 certification.
Why Act Now?
The Department of Defense is introducing CMMC in phases, but waiting to prepare can put your business at serious risk. Since there are only a limited number of certified assessors available, companies that delay may find themselves stuck at the end of a long waiting list. This could make it difficult or even impossible to get certified in time to win new contracts.
It’s also not just about future opportunities. If you cannot show proof of compliance when asked, you could lose the contracts you already have. At Level 1, companies must update their compliance status every year in SPRS, and at higher levels, outside audits are required on an ongoing basis. Missing these steps could lead to contracts being delayed, denied, or even interrupted.
In addition, prime contractors now have the responsibility to verify that their subcontractors are compliant. That means if your company is not certified, you may be replaced with another subcontractor that already meets the requirements.
It means: Acting now is critical to protect both current and future DoD business.
Practical Steps for Contractors
- Book assessments early to avoid long wait times.
- Designate a compliance lead to manage SPRS submissions.
- Run internal audits and check subcontractor readiness before external assessments.
- Update governance and insurance policies to address cyber liability.
Recommended 60-/90-/180-day action plan
Stay Ahead with Contragenix
Navigating these new cybersecurity compliance requirements can be daunting. Contragenix specializes in guiding federal contractors through CMMC certification and ongoing compliance to protect your eligibility and competitive position. Don’t wait until November 10 reach out to Contragenix today to start your preparation and safeguard your defense contracts.