Big news! The amendment to the CFR 48 rule is out. The Department of Defense (DoD) has officially taken the next step toward fully implementing the Cybersecurity Maturity Model Certification (CMMC) program. With the release of the new CFR 48 rule, contractors across the Defense Industrial Base (DIB) now have a clear timeline for when CMMC requirements will begin appearing in contracts.
What is CFR 48 and why does it matter? CFR 48 refers to Title 48 of the Code of Federal Regulations, which governs federal acquisition rules. The new CFR 48 rule formally integrates CMMC requirements in the contracting process. This means starting November 10, 2025, contractors will be required to have a current, passing CMMC status at the time of award of new DoD contracts or to exercise a contract option or extension.
If you do business with the DoD, this is your signal to get started! This phased rollout approach is designed to give contractors time to prepare and organizations that plan ahead will be in a much stronger position when the requirements become mandatory.
Key Dates for CFR 48
Contractors will need a current CMMC status as specified in the contract at the time of award or when exercising a contract extension or option. The phased roll-out begins November 10, 2025.
At a minimum, all contracts issued after that date will include a self-assessment requirement for Level 1 or Level 2 certification. According to CFR Title 32, Part § 170.3 Applicability, this is how the rollout will proceed:
Phase 1: Begins November 10, 2025
“Phase 1 begins on the effective date of the complementary 48 CFR part 204 CMMC Acquisition final rule DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for ALL applicable DoD solicitations and contracts as a condition of contract award.
DoD may, at its discretion:
- Include the requirement for CMMC Status of Level 1 (Self) or Level 2 (Self) for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date.
- Include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status for applicable DoD solicitations and contracts.
Phase 2: Begins November 10, 2026
“Phase 2 begins one calendar year following the start date of Phase 1. In addition to Phase 1 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for applicable DoD solicitations and contracts as a condition of contract award.
DoD may, at its discretion, delay the inclusion of requirement for CMMC Status of Level 2 (C3PAO) to an option period instead of as a condition of contract award. DoD may also, at its discretion, include the requirement for CMMC Status of Level 3 (DIBCAC) for applicable DoD solicitations and contracts.”
Monarch’s take: any contract with CUI will require a Level 2 C3PAO certification. The DoD may delay this requirement to an option period.
Phase 3: Begins November 10, 2027
“Phase 3 starts one calendar year following the start date of Phase 2. In addition to Phase 1 and 2 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after the effective date.
The DoD intends to include the requirement for CMMC Status of Level 3 (DIBCAC) for all applicable DoD solicitations and contracts as a condition of contract award.
The DoD may, at its discretion, delay the inclusion of requirement for CMMC Status of Level 3 (DIBCAC) to an option period instead of as a condition of contract award.”
Phase 4: Full Implementation on November 10, 2028
“Phase 4 begins one calendar year following the start date of Phase 3. DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4.”
Top Takeaways for Defense Contractors
1. The Clock is Ticking
While November 2025 may sound far off, achieving compliance, especially at Level 2, can take significant time. Starting early gives your team room to address gaps without scrambling at the last minute.
2. Your Next Contract May Already Require Compliance
The DoD can choose to include CMMC requirements in certain contracts even before the full rollout date.
3. Preparation is a Business Advantage
Contractors that achieve compliance sooner can compete for new opportunities and demonstrate security maturity as a differentiator.
Where Monarch ISC Fits In
Monarch ISC is here to help. While we are proud of our status as a C3PAO, we are completely committed to being a resource for your organization’s compliance journey. We work to make your cybersecurity a key component in your business’ success.
- Our Operational CMMC Compliance Checklist offers a clear, practical view of the steps required to move from planning to readiness.
- Our CMMC Resource hub collects trusted materials, government links, and educational tools to help you stay informed.
When you are ready for an official CMMC Level 2 assessment, the team at Monarch ISC is here to help. As a C3PAO, we partner with our clients to approach compliance and security strategically, transforming requirements into opportunities that set them up for success.
Partner with Monarch ISC for Your Assessment
Even though the rollout is phased, assessment demand will grow as deadlines approach. Understanding what CFR 48 means for your organization is the first step, and by scheduling early, you can lock in assessment timing that aligns with your contract cycle and prevent business disruption.
Plan ahead and contact us to discuss your expected timeline and reserve your assessment window.
About Monarch ISC
Monarch ISC is a CMMC Third-Party Assessment Organization (C3PAO) supporting organizations across regulated industries with expert guidance for CMMC compliance. Whether you are preparing for assessment or need help identifying gaps, our team delivers practical, audit-ready support tailored to your environment. Reach out today.
