
CMMC Final Rule Signals Compliance Ramp Up

After five years and several iterations, the Department of Defense (DoD) last year released its final version of the Cybersecurity Maturity Model Certification (CMMC) regulations, establishing the CMMC program framework inside Title 32 of the Code of Federal Regulations (CFR). Effective as law on December 16, 2024, CMMC requirements were set in stone.

The next step was for the DoD to submit the Title 48 CFR Acquisition Rule for interagency review.

  • When the DoD did so on July 22, 2025, the regulatory review that would determine when the rule would be published formally began.
  • On September 10, 2025, the Final Rule was formally published in the Federal Register under the Defense Federal Acquisition Regulation Supplement (DFARS) and takes effect on November 10, 2025, initiating the contractual implementation phase.
  • This means that compliance requirements will move from planning to full enforcement, with the rollout for third-party audits varying by contract.

Hopefully, you’ve already been preparing your organization to ensure everything aligns with the final standards. For those who have yet to fully prepare, there’s absolutely no time to waste. Noncompliance now comes with real risks, from potential contract loss to reputational damage, as the DoD enforces cybersecurity standards across its entire supply chain.

Here’s our perspective on the main takeaways of the CMMC Final Rule.

What Are the Key Insights from the CMMC Final Rule?

Requirements Based on NIST SP 800-171 Revision 2

While there are some clarifications and slight adjustments, the requirements for the three levels of compliance continue to be based on NIST SP 800-171 Revision 2. This allows organizations to work within a familiar framework rather than take on the burden of adopting a new standard while working toward compliance.

Phased Approach to Compliance Ramp Up

The timeline detailed in the Final Rule sets into motion a ramp-up process designed to bring all Defense Industrial Base (DIB) suppliers into compliance in four phases.

  • Phase 1 (starting November 10, 2025) – The DoD will begin including CMMC requirements in select contracts. Some suppliers may need a Level 1 or 2 self-assessment, but some contracts may require a Level 2 third-party assessment. This marks the start of the three-year phased rollout.
  • Phase 2 (starting November 10, 2026) – While some suppliers may still only need a Level 1 or 2 self-assessment, the DoD will expand third-party assessments for Level 2 contractors and more contracts will start to phase out the Level 2 self-assessment. Contracts with sensitive data may start to see the requirement of needing a Level 3 third-party assessment.
  • Phase 3 (starting November 10, 2027) – Some suppliers may still only need a Level 1 self-assessment, but any Level 2 supplier must receive a third-party assessment (Level 2 self-assessments will be phased out). Contracts with sensitive data will need a Level 3 third-party assessment, although this may be waived by prime contractors at their discretion.
  • Phase 4 (starting November 10, 2028) – CMMC is fully implemented across all DoD contracts. Organizations will need a Level 1 self-assessment, a Level 2 third-party assessment, or a Level 3 third-party assessment, as required by their contracts.

This phased rollout gives organizations that present less risk a more flexible timeline. The DoD determines whether a self-assessment or third-party audit is required, and this is spelled out in each contract. So, while there are set phases for CMMC rollout, it’s the contract that provides the specifics on the steps and timing needed based on the risk level of the data that is handled.

Cloud Services Must Meet FedRAMP Standards

The Final Rule retains the requirement that cloud service providers that process, store, or transmit Controlled Unclassified Information (CUI) need to meet FedRAMP Moderate Authorized or Equivalent standards. Adherence to this standard means that the only cloud services CMMC organizations can use are those that have been vetted by this approved accreditation body.

The implications of this are that organizations seeking compliance should review the cloud services they’re using to determine if they meet FedRAMP standards and replace those that are non-compliant. FedRAMP offers a directory that lists authorized service providers.

What Does the Final Rule Mean for Me?

If you work in the DoD supply chain, CMMC has moved from prepping to proving. Starting November 10, 2025, CMMC requirements will show up in more contracts and steadily shift more suppliers toward mandatory third-party audits.

In short: The grace period has ended, and buyers will want evidence that you’re following the rules.

In practical terms, you can expect:

  • Contracts asking for a current self-assessment (Level 1) or third-party certification (Level 2 and 3).
  • Scrutiny around cloud vendors, requiring you to ensure they are FedRAMP-compliant.
  • Auditors asking you for key CMMC deliverables such as a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M).
  • Continuous compliance becoming the new normal for your organization, so that you remain CMMC-compliant over time.

What Should You Do Right Now to Become Compliant with the CMMC Final Rule?

The CMMC Final Rule is a signal for those in the DoD supply chain that prep time is over. It’s time to get serious about creating and executing your plan for compliance.

Here’s our recommendation for the next steps in your CMMC compliance journey:

  1. Assign someone to take ownership of the compliance process to make sure that compliance is a priority, not an afterthought.
  2. Review existing contracts that will potentially include CMMC requirements, identify the required level, and determine whether self-assessment or third-party audit is required.
  3. Evaluate your current environment for gaps in compliance.
  4. Assemble a team to plan, implement, and manage the measures you need to attain and maintain compliance.
  5. As you approach the assessment phase, nominate an affirming official to oversee the audit process.

How Can VC3 Help With CMMC Compliance?

While the goal of CMMC compliance is for DoD suppliers to become uniform in how they protect sensitive information, the path that each organization takes to become compliant is unique.

Working with a managed service provider who can interpret regulations into security controls that integrate with your business operations - and help you keep compliance costs at a minimum - is a smart move for anyone looking to establish or maintain a strong relationship with the DoD.

At VC3, we understand that security and compliance aren’t your core business. You’re focused on delivering quality products and services and keeping everything running smoothly, all while meeting DoD requirements. That’s where we come in. With our team of Registered Practitioners, we translate CMMC requirements into straightforward, practical controls that fit in with your business operations and help keep compliance costs manageable.

We help you go from “unsure” to “audit-ready” by:

  • Assessing: We start with a Gap Assessment to map where your CUI lives, review your technical and non‑technical controls, and produce three core deliverables—the SSP, the POA&M, and your Supplier Performance Risk System (SPRS) score—so you know exactly what’s missing and how to prioritize fixes.
  • Improving: We help implement the right mix of technical controls (such as MFA, logging, Security Information and Event Management (SIEM), vulnerability management, secure configuration, etc.) and process controls (such as policies, training, incident response, access reviews, etc.). We’ll also review your cloud vendors for FedRAMP alignment and guide vendor changes where needed.
  • Managing: Once you’re compliant, the work doesn’t stop. We monitor control health, track evidence, and keep documents current so you don’t slide back into noncompliance. When it’s time for an assessment, we prepare you for the CMMC Third-Party Assessor Organization (C3PAO) audit—packaging artifacts, answering evidence requests, and supporting you through the process.

We translate CMMC into plain tasks, keep the scope (and costs) in check, and provide ongoing accountability so you can focus on your core business—and keep (or win) DoD work.

Not sure what to do next? We can help! Get in touch to talk to a CMMC expert.
