CMMC
48 CFR Clears Review, CMMC 2.0 Enforcement Begins November 10th


CMMC 2.0 is here. Like, here here.
On September 10, 2025, the long-awaited 48 CFR rule (the DFARS acquisition rule that governs how the Cybersecurity Maturity Model Certification (CMMC) is written into contracts and enforced) was published in the Federal Register. It takes effect November 10, 2025, and that effective date is what starts Phase 1 of CMMC enforcement.
What this means for the DIB
Ignore the rumors of delays. Publication of 48 CFR confirms that CMMC 2.0 is here and that the enforcement date is fixed. Phase 1 starts November 10, 2025. From that date, contracting officers are authorized to include CMMC requirements (the DFARS 252.204-7021 clause) in solicitations and awards.
This is a major turning point. NIST SP 800-171 has been required in DoD contracts for years under DFARS 252.204-7012, but compliance was self-attested, rarely verified, and never a gate on award. 48 CFR changes that.
Phase 1 contracts will mix assessment types depending on the work: Level 1 and Level 2 self-assessments for most awards, with DoD able to require a Level 2 certification in selected solicitations. Phase 2, one year later, makes a Level 2 certification from a CMMC Third-Party Assessor Organization (C3PAO) the norm for contracts involving Controlled Unclassified Information (CUI). If you handle CUI, plan on the certification, not the self-assessment. No certificate, no bid.
Here’s what else:
- Don't bank on self-assessment. Some Phase 1 solicitations will allow it, but the option narrows as the phases advance, and DoD has not committed to how long it will remain available for CUI work. Even where it is allowed, a self-reported score in SPRS is an affirmation under the False Claims Act and carries none of the weight of a certified score. Betting your pipeline on self-attestation is a gamble most contractors can't afford.
- Mind your subs. If you're a prime, your subcontractors need the CMMC level that matches the information you pass them (Level 1 for federal contract information, Level 2 for CUI). Flow-down is a contractual requirement, and one uncertified supplier can jeopardize the whole award. The smart move is to inventory which suppliers receive CUI now and give each of them a plan and a deadline for getting certified.
- Plan for assessor scarcity. There are fewer than a hundred authorized C3PAOs today, each assessment takes weeks from scheduling to final report, and every CUI contractor in the DIB is competing for the same calendar. Waiting until the last minute (waiting at all, really) could mean missing a contract window.
How to get CMMC ready
Readiness takes work on a few fronts at once, which is challenging but not impossible. Scoping and gap analysis usually come first, but documentation and supply chain oversight can't wait until the end. If you've already nailed one area, shift your focus to another. The goal is steady progress across all fronts.
- Scope your CUI carefully. Many teams trip over not knowing what data is actually in play. Start with your contracts: review the DFARS clauses, ITAR and EAR obligations, and CUI markings they carry. From there, define the boundary of every system that stores, processes, or transmits CUI, and use segmentation (separate enclaves, VDI, dedicated accounts) to keep the assessment scope as narrow as possible. Clear scoping also feeds directly into the score you report in SPRS, which assessors will check against what they find.
- Run a gap analysis. Map your existing controls against the 110 requirements of NIST SP 800-171 and score the result using the DoD assessment methodology, so your number is the one SPRS expects. This shows you where the holes are before an assessor does. Remember that DFARS 252.204-7012, -7019, and -7020 already require this work, and CMMC assessors will expect to see evidence of how gaps were identified and tracked toward closure.
- Plan your roadmap, not just your audit. The prep is where the real work happens. Build a phased plan that aligns with your contract timelines and RFP pursuits. If you're cloud-heavy, consider FedRAMP Moderate (or equivalent) authorized platforms such as AWS GovCloud or Box, since DFARS 7012 requires that level for any cloud service that holds CUI; inheriting their controls shortens your path. And remember: assessor capacity is limited. Waiting too long to book an assessment could throw off your schedule and cost you contracts.
- Don't neglect documentation. Assessors want to see not just that you're compliant, but that you can prove it. Policies, procedures, and evidence collection matter. That means maintaining a system security plan (SSP), plans of action and milestones (POA&Ms), and evidence logs that tie each requirement to an artifact. Note that CMMC limits what a POA&M can carry: a Level 2 conditional certification requires a minimum score, excludes most high-weight requirements from the POA&M, and gives you 180 days to close the open items. A POA&M is not a permanent parking lot. Many organizations underestimate this part and pay for it later.
- Think ahead to the supply chain. Flow-down is mandatory today under DFARS 252.204-7012 and -7020, and the CMMC clause 252.204-7021 carries the requirement forward. Build a supplier assurance plan now (who receives CUI, at what level, and by when they must be certified) to avoid major headaches down the line.
Handled together, these steps make sure you're covered on all sides, from your own systems to your subcontractors to the evidence an assessor expects to see.
The bottom line
48 CFR's publication is a wake-up call for defense contractors who've hit the snooze button one too many times. With limited assessor capacity, the advantage goes to those who start early and take preparation seriously.
The good news is, this isn’t uncharted territory. Coalfire’s experts have been working across FedRAMP, NIST, and CMMC since the beginning. We know where contractors stumble, what assessors will scrutinize, and how to build a program that doesn’t just scrape by but scales. If you want guidance, we’re here. If you want to go at it alone, start with the steps above. Either way, don’t wait.