CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
CMMC Final Rule Explained: Deadlines, Requirements, and Next Steps for Defense Contractors
The wait is over: the Department of Defense has finalized the CMMC rule, officially making it part of DFARS. That means compliance isn’t “coming soon”; it’s now in your contracts.
In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke from Justice IT Consulting break down what the final rule means for DoD contractors and subcontractors, the key deadlines you need to know, and the exact steps to prepare for Level 2 certification before requirements hit contracts in November 2026.
What you’ll learn in this episode:
- The new CMMC final rule and when it goes into effect
- How the 4-phase rollout impacts primes and subcontractors
- What’s different about this update (and why it’s not another delay)
- Key requirements: SPRS score, POAM limits, affirming officials, and more
- How to prepare your subcontractors with questionnaires and attestations
- Why you need to start engaging with C3PAOs now before schedules fill up
If you’re a DoD contractor, aerospace manufacturer, or subcontractor, this is the update you can’t afford to ignore.
Austin: Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Austin,
Brooke: and I'm Brooke,
Austin: from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's episode is a big one. The Department of Defense has finalized a rule that officially makes CMMC part of the DFARS. That means compliance just went from coming soon to in your contracts. You ready to get into it, Brooke?
Brooke: Absolutely.
Austin: So, Brooke, big development. We've been waiting on it for a while. Can you tell us what just happened?
Brooke: Other than being changed from DOD to DOW, the actual big thing was that the 48 CFR final rule finally dropped; it finally was published. The clock is now ticking, it's going. There is a 60-day wait for it to go into effect, and so that means November 10th it should go into effect.
Austin: Okay, so now that it's official, what does this mean for defense contractors, or Department of War contractors?
Brooke: Department of War. No,
Austin: Yeah, Department of War. See,
Brooke: I can't even get it right. Yeah, it's kind of hard to get used to. So it means the clock is ticking now. I mean, it's actually really ticking. We have a definite timeline. It's coming down, as definite as can be, because there are some caveats. But definite timeline, it's coming down the pike. It's happening. That light you see in the tunnel is actually coming towards you. So, you know, there's going to be four phases to it. And so, you know, the other thing that really matters is it doesn't just apply to you. It applies to your subcontractors. It applies to all the primes, their subcontractors. It applies to your subcontractors, et cetera. So the clock is ticking. We're off to the races.
Austin: The rule is a little more inclusive. It's not just talking about people that are handling CUI and parts and drawings and stuff like that, right? There's more people.
Brooke: Well, there's three levels. There's level one, two, and three. Level one is just FCI. It has 15 controls. There's level two if you handle CUI. And then level three has 20, I think 24 controls on top of that. That's more extensive than just the 110 for level two. Really, if you're level one, just FCI, it's business as usual. If you're level two, having a certification... they start requiring these certifications now, or level two assessments. They start requiring all this on contracts. So really we're talking about level two. Level three, they can too. There's going to be a small subset of companies that are level three. So hopefully if you're going to be level three, you already know that, because it is a little bit of a tall order to get to level three from level two. But the level two, I would– I wouldn't plan on that certification assessment. It's possible you might be just self-attestation, but I think that's going to be the exception rather than the norm.
Austin: Okay, so I want to kind of bring this into the real world for the contractors out there listening. What are the key requirements that contractors need to know about and need to address right now?
Brooke: So there's really four big ones. So like I said, CMMC is here, it's coming. There's a definite timeline now, with phase one kicking in on November 10th of 2025, and so by November 10th of 2026 that level two certification will start showing up on contracts. You'll have to have that, so that's when that'll start. It could start sooner for subcontractors. And there's a whole ton of subcontractors out there. Not everybody does business directly with the federal government. So if you're a sub, your prime contractor very well may say, hey, you know what? We need you to have that certification in hand to keep getting contracts. We need you to have that in hand by X date. So they can require it sooner than that, or highly motivate you maybe to get it before then, however that motivation may come. Your CMMC unique ID, that I believe you get out of SPRS, you need to have that. Make sure you have that squared away. That's what everything is going to be based upon. So make sure you have that unique ID and you're aware of it and documented, all that fun stuff. POAMs are limited, of course. That's not really a change, but 180 days to clean things up. However, if you're doing a certification assessment and you have to POAM some stuff, not everything can be POAMed. So you've got to be aware that there's only certain things that can be POAMed. When you go through and score, use the NIST 800-171A, the assessment guide. When you use that, you can go through and use a scoring sheet and score yourself to get your SPRS score. There's five-pointers, three-pointers, and one-pointers. No five-pointers or three-pointers can be POAMed, and only certain one-pointers can be POAMed. So if you have a level three certification, excuse me, a level two certification, and you have a POAM, then understand that only certain one-pointers can actually be POAMed for 180 days. You still have to affirm that you meet whatever certification level you're at.
You still meet all the controls and assessment objectives. You still have to affirm that every year, but they changed that from a senior official to an affirming official. You can appoint someone as affirming official, I guess, and so they can be the ones to go in and affirm that score in SPRS.
Austin: So I'll be the voice of the defense contractor here. And it may not make me popular with the DOD, or I guess DOW, to say this, but contractors I hear typically are kind of fatigued from the kicking-the-can-down-the-road experience.
Brooke: We've heard that. Yeah. Yeah.
Austin: Yes. And so, just being realistic, I feel like a lot of contractors kind of have update fatigue. You know, like, how is this different than all the other previous updates that we've had? Because a lot of them seem to say it's just more of the same. But this one seems like it might be different. So how is it different?
Brooke: Well, it is different. I mean, we've talked about this at the beginning, but, I mean, there's a timeline now. There's a definite timeline. There's no stepping back from it. It's happening. It's coming. It's happening. It was coming before, but now this final rule has been published and there's a definite timeline that it's holding to get this done. So that's the biggest thing of why this is different. There's a few other little things that are different in the rule or clarified. It clarifies what current means. It does say you don't have to report minor lapses to the contracting officer, but it leaves the 72-hour reporting rule standing. And then it leaves the phase-in period just as we thought it was. But the biggest thing is that if there's still people out there saying, well, I don't think it's going to come, a thousand percent, they're just in denial.
Austin: It just...
Brooke: Yeah, the Department of War has decided now is the time and they're doing it. So really, I was going to say I was surprised, but I was a little surprised that it came out now rather than waiting just a little bit. I was also kind of surprised that there was a 60-day wait period to go into effect. But they released it, it's published, and it's coming.
Austin: The 60-day timeline. One of my questions for you was, when does this all kick in? So I think you kind of alluded to that.
Brooke: Yeah, we've already addressed that, but just to say it straight up again, it was released on September 10th, and there's a 60-day period for it to go into effect, which is November 10th. You have four phases to it. So the first phase is going to last a year or so. It's basically what you're doing now, except there's a definite timeline. And so November 10th of 2026, that is when certifications will start being actually required on contracts. Again, unless you're a subcontractor and your prime contractor requires it before then for you.
Austin: All right, Brooke. So let's say you're a defense contractor at home listening and you've just realized, crap, I really got to do something about this now. For those people, or even for the people that are still working on it, what do they need to be doing right now based on the new changes? What should they go like and subscribe and then close out of YouTube and then go do? Like, I dropped that in. But right after they do that, they should go do what?
Brooke: So really, determine what kind of CUI or what level you'll be. Is it truly CUI that you'll have? Talk to your contracting officer, say, what level am I going to need to be at for this, for these contracts, and you want to know what type of CUI. That's very important. So what type of CUI. Then you'll want to, assuming you're level two or even level one, but you'll want to assess your state, see where you're at right now. You can use the assessment guide I mentioned a while ago, the NIST 800-171A. Use that to assess your environment, figure out what needs to be done, and then from there you can start building your SSP, developing a POAM. Hopefully you're already partway down the road on that, but build off that SSP, build off that POAM, make some projects from that, and just start stepping through and getting it done. Register in SPRS. Make sure you make note of your CMMC ID. Start talking to some C3PAOs. That's a really good thing to do. Talk to a few of them. There may be some that you just don't mesh with. You don't get along or you don't see eye to eye with them or something. Interview them. See what their schedule is like. They may say, yeah, we can get you on the schedule in 2026. Or they may say, yeah, we can get you on the schedule next week. But, you know, talk to them, ask them questions. They'll answer what they can answer, because if you ask them any questions that they think may be consulting, then they'll politely decline to answer and let you know that they can't. But yeah, ask them questions. At this point there's around 60 that are authorized and can do assessments. That's not a ton of them. So I would suspect that now that this rule has hit, there's going to be a little bit of a rush to get assessments done, certification assessments. So their schedules are likely going to start stacking up. So be aware of that. And then make sure your subcontractors are ready.
Develop a questionnaire, much like if you're a subcontractor to a prime, they make you fill out a questionnaire. Do the same thing to them. So if you're not a subcontractor and you directly contract, then develop a questionnaire. It doesn't have to be really hard or anything, but develop a questionnaire to where they're attesting to you that they are the same level as you. If they're not the same level as you, they can attest to that. Unfortunately, you can't use them for, at least where CUI is concerned, you can't use them.
Austin: And if you're struggling on that questionnaire, could you just repurpose some of the similar questions from the SPRS questionnaire and send them out to them?
Brooke: From the calculation, yeah, from the temp– Yes, you can do that. You can use that to repurpose some of those questions. And again, it doesn't really have to be that in depth or anything, but somehow they've got to attest that they are... if you're level two, need to be level two certified, then they need to attest that they're level two certified, or they're working on it, or however. You need to know their state, right? So if you have to be level two certified, then by the time you are, they have to be as well.
Austin: So you don't have to develop your own SPRS portal and system and questionnaire. You more or less just need a statement, written statement or attestation, that they are sufficient. Right?
Brooke: Okay. And you can ask them for their SPRS score. You can ask them for all sorts of stuff, but ask them for their SPRS score and stuff like that. But yes, it doesn't have to be hugely complicated. You don't have to develop a portal or anything, but you do have to verify that they're there at the correct level.
Austin: That's it today, guys. If you have any questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions. We'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.