CMMC Compliance Strategy

The Countdown to November 10: Is Your Business Ready for CMMC?

Travis Sands

CMMC Final Rule: What Defense Contractors Need to Know Before November 10, 2025

On September 10, 2025, the Department of Defense published the long-awaited Final Rule in the Federal Register that makes CMMC 2.0 mandatory for contractors. This update to the Defense Federal Acquisition Regulation Supplement (DFARS) formally embeds cybersecurity compliance into DoD contracts.

For defense contractors and subcontractors, the message is clear: compliance is no longer optional.

The Effective Date
The rule takes effect November 10, 2025, just 60 days after publication. From that date forward, contracting officers will begin requiring a contractor’s CMMC status to be posted in SPRS (Supplier Performance Risk System) before awarding contracts. Companies without a valid certification, self-assessment, or conditional status on file will be ineligible for new contract awards.

What Contractors Need to Know

No CMMC, No Contract
Beginning November 10, you will not be eligible for award if your required CMMC level is not visible in SPRS. This applies to both new prime contracts and subcontract opportunities where FCI or CUI is involved.

Conditional Status for Level 2 and 3
The DoD has allowed for a temporary conditional CMMC status, valid for up to 180 days, for companies that still have open POA&M items. To qualify, you must already have undergone an assessment, identified the gaps, and documented your remediation plan with clear timelines. Conditional status is not a free pass; it requires proof of progress and accountability.

Flowdown Requirements
CMMC requirements apply not only to primes but also to subcontractors that process, store, or transmit FCI or CUI. Prime contractors are obligated to verify that their subs meet the same requirements. Small and mid-sized businesses cannot wait for a prime to guide them; compliance preparation must start now.

Three-Year Phased Rollout
Over the first three years, the DoD has discretion in where and how CMMC clauses are inserted into contracts. Once that window closes, all contracts that involve FCI or CUI will require compliance. Contractors should treat November 10 as the practical starting line, not the finish line.

Annual Affirmations
Compliance is not a one-time event. An affirming official in your organization must attest annually in SPRS that you are maintaining CMMC compliance. Submitting false or inaccurate affirmations can expose your business to False Claims Act liability.

What You Need to Have in Place Before November 10, 2025

System Security Plan (SSP)
Your SSP is the foundation of compliance. It must document your system boundaries, security controls, data flows, and roles and responsibilities. If your SSP is incomplete or outdated, you will not be prepared for an assessment.

Plan of Action and Milestones (POA&M)
Any gaps must be documented in a POA&M with target completion dates. Contractors without this documentation will not qualify for conditional CMMC status.

SPRS Score
Your current NIST SP 800-171 self-assessment score must be entered into SPRS. Primes are already checking for scores, and contracting officers will be required to confirm them before award.

Evidence of Implementation
Policies, procedures, training records, configuration screenshots, system logs, and other artifacts must be organized and ready for review. Compliance is proven through evidence, not intent.

Remediation Plan
Address high-priority risks now. Implement access controls, encryption, logging, and incident response procedures. These are among the most scrutinized areas in an assessment.

Staff Readiness
Personnel who handle CUI or play a role in security must be prepared to answer questions during an audit. Training and awareness are critical.

Why This Matters Now

False Claims Act Risk
Misrepresenting your compliance status can trigger FCA investigations, penalties, and fines, even years after contract performance.

Competitive Advantage
Primes are already requiring proof of compliance in subcontract agreements. Being ready early makes you a more attractive partner and keeps you competitive.

Time-Consuming Remediation
Closing gaps and collecting evidence is not a quick process. Contractors who wait until November may find themselves shut out of opportunities.

How FirstCall Federal Helps

At FirstCall Federal, we specialize in guiding small and mid-sized defense contractors through the entire compliance journey. As a Service-Disabled Veteran-Owned Small Business (SDVOSB) and a future C3PAO, we combine IT expertise with deep knowledge of CMMC and NIST frameworks.

Our services include:
• Compliance Consulting and vCISO Support – Roadmaps, documentation, and readiness reviews
• Gap Assessments and Remediation – Closing gaps before they cost you contracts
• Audit Preparation – Mock audits, evidence collection, and personnel training
• Managed IT and Security Services – Vulnerability scanning, patching, incident response, and network monitoring

The Bottom Line

CMMC is no longer “on the horizon.” It is here, and beginning November 10, 2025, compliance will determine who can and cannot do business with the Department of Defense.

FirstCall Federal can help ensure your business is not only prepared for the upcoming requirements but also positioned for long-term success in the defense supply chain.

Schedule a consultation with us today and take the first step toward lasting compliance and security.
