CMMC Rollout Countdown and the Road to 2025
Chapter 1
Timelines and Effective Dates
Eric Marquette
Welcome back to CMMC Unlocked. I'm Eric Marquette. If you're a defense contractor or a compliance lead, this is probably the episode you've had circled on your calendar. Today, we're counting down to full CMMC implementation—looking at what the next twelve months mean as we approach that critical November 10, 2025 effective date. With me as usual are Ruby Sturt, Paul Netopski, and Roz the Rulemaker. And folks, it's getting real now.
Ruby Sturt
Too right, Eric! Hi everyone, Ruby here. You know, working in news media, I always thought nothing moved slower than government rulemaking—until you hit those final hours before deadline. It’s all calm, and then, BAM, everything's due yesterday! That’s exactly the vibe for contractors now that Phase 4 is on the horizon. Full CMMC enforcement starts November 10, 2025, and that's when there’s no more hiding or hoping for another extension. DFARS 204.75 locks it in, right?
Paul Netopski
That's exactly right, Ruby. The four-phase CMMC rollout, as described in 32 CFR Part 170, has been methodical by design. Originally, there was a lot of flexibility in Phases 1 to 3—organizations could ease into self-assessment, then certification, depending on contract timing. But with Phase 4, the "options" part pretty much evaporates. After November 10th next year, unless your contract is for pure COTS, the relevant CMMC clause must be in every DoD solicitation, every new award, every extension. No more phased exceptions.
Roz the Rulemaker
And from a rulemaking perspective, this is the regulatory equivalent of a starting gun. Before, contracting officers could stagger implementation or use waivers with justifications, but DFARS 204.7503(b) says that once we hit October 1, 2025, those CMMC clauses go into all solicitations and contracts—again, barring the very limited COTS exception. The whole federal acquisition landscape for defense work changes overnight. As we know, the October 1st date was just an estimate when that clause was written, and is not the true date the rule goes into effect.
Eric Marquette
You know, we talked about the slow, winding parade of policy in Episode 4. But once we flip that switch in November, all that's left for contractors is compliance or noncompliance—no more middle ground. And Ruby, I'm glad you brought up the sense of urgency. If you’ve treated CMMC like background noise till now, well, the clock's run out. Every day matters from this point.
Ruby Sturt
Yeah, and it’s not like a soft launch either. It’s more like your live feed suddenly going to air. You don’t get a second take if you miss the deadline—contracts just won’t get awarded. The time for wishful thinking is definitely over.
Paul Netopski
And from the technical side, we now know there’ll be no more new solicitations slipping through without CMMC requirements after that date. The phaseout of pre-2025 exceptions means everyone has to get serious, right now, about their assessment level and prep.
Eric Marquette
So, if you’re looking for an action item as we get going—pull up your contract renewal dates, figure out your CMMC level requirement, and start backward planning from November 2025. Don’t be caught in the rush with nothing but questions and paperwork.
Chapter 2
Contractor Requirements and Assessment Types
Paul Netopski
Alright, let’s dig into exactly what those contractor requirements look like. Under DFARS 204.75 and the CMMC Program Rule at 32 CFR Part 170, every organization’s got to have the correct CMMC status at the point of award—and you've got to maintain it throughout the contract, every renewal and every option period. That goes for Level 1, Level 2, and Level 3, depending on what information you’re handling.
Ruby Sturt
And it’s not just a “one-and-done” thing, right? You can’t just pass an assessment and be good for three years, especially if you’re up for a contract extension, or your scope shifts.
Paul Netopski
Exactly, Ruby. For Level 1, you do an annual self-assessment, submit your results—and an affirmation—from a senior rep into the Supplier Performance Risk System, or SPRS. No open POA&Ms allowed at this level—it’s either complete or not. For Level 2, things split. You’ve got either a self-assessment—if your contract specifies—or a third-party C3PAO assessment, which is often required for higher-risk or sensitive CUI. Both these assessments need to be kept current, and results go into SPRS. And Level 3? That’s a government-run assessment—DIBCAC—covering the most critical programs, and again, you have to keep that valid every three years and submit affirmations annually.
Roz the Rulemaker
Key thing: DFARS 204.7501 basically says, no award without a current certification at the right level. If you lose your status—for instance, if you don’t recertify in time, or your assessment scope is off—you’re not eligible for the option period or any contract extension. And, contracting officers have to verify your CMMC status in SPRS, not just take your word for it.
Ruby Sturt
Paul, didn’t you have a client case the other week? Someone really scrambled because their scoping didn’t match their contract requirements?
Paul Netopski
Yeah, absolutely—actually, it happens a lot, especially lately. This one client had their scoping too narrow in the assessment—they only included obvious CUI systems, but ignored a bunch of contractor risk managed assets and some external service provider integrations. When contract renewal came up, the contracting officer ran the scope check against the language in 32 CFR 170.19 and 170.23, and basically told them, “You need to reassess, get the right asset inventories in the SSP, and post accurate results in SPRS.” It delayed things badly. Timely, accurate scoping totally matters; the system can catch up with you, especially now that supply chain requirements are much stricter.
Eric Marquette
So just to recap—for everyone listening—define your assessment scope right, keep all documentation updated, and track your CMMC status in SPRS. If you’re at Level 2 or 3, understand what assessment type applies, and double-check if any of your contract renewals or new work are going to bump your requirements up. Don’t wait until an option year comes around to realize your assessment is outdated or incomplete.
Roz the Rulemaker
That’s so fundamental. And if your contract requires a higher CMMC level, your subs need to be at the right status, too—that’s the supply chain part. DFARS and 32 CFR are very clear: compliance flows down the chain. Prime contractors, make sure your subs get the memo, or everyone’s at risk.
Ruby Sturt
To me, it’s kinda like a game of telephone. If the details get muddled or someone forgets a step, the whole chain can break, and nobody’s getting that contract renewal.
Paul Netopski
Yeah—and SPRS is the single source of truth here. It’s not hidden somewhere; assessors, officers, and even some partners can check. So keep that system updated, get your affirmations submitted, and as I keep telling folks: make sure your assessment scope matches the contract and the reality of your environment. If you miss that, you might miss the contract altogether.
Chapter 3
What Changes After November 2025? Impacts and Pitfalls
Eric Marquette
Alright, let’s talk about what actually changes after November of next year. Practically, every new, renewed, or extended DoD contract—apart from the few remaining pure COTS agreements—must have CMMC baked in. There’s no longer a cushion for delays or noncompliance. This is the new normal for the entire defense supply chain.
Ruby Sturt
Yeah, and I gotta say, that’s a major shift. Before, you might be able to sneak by on an old exception or hope someone forgot to swap out the contract language. But from November 2025 on, there are no more opt-outs—if your certification lapses, you lose eligibility, end of story.
Paul Netopski
Affirmation submissions become non-negotiable, too. Every assessment, and every year after, your senior rep has to update the affirmation in SPRS. Same goes for POA&Ms: they’re only allowed at Level 2 or 3—and even then, they have pretty tight limits. If you still have open POA&M items after 180 days, your conditional CMMC status expires. That’s contract ineligibility right there. And losing certification mid-contract? That triggers contractual remedies—which in plain English means getting kicked out of active work until your status is fixed and current again.
Roz the Rulemaker
Right, and maybe just to underscore: waivers are now extremely limited, and only with high-level DoD acquisition executive approval, and those are rare birds. Leftover questions from the public comment process—like ambiguous flowdown, or how to handle tricky edge cases—well, the agencies are still sorting those in guidance, but the core compliance expectations are locked in. I remember back in my consulting days, when a new government program went live, the interagency meetings would get pretty tense. You'd see different offices jockeying over what “full compliance” really meant. But once the rule’s in force, nobody can pretend the ambiguity gives cover. Everyone’s accountable, all the way down the chain.
Eric Marquette
And, Roz, building on what you've said, there’s no "wait and see" strategy left for organizations after rollout. The expectation is compliance—period. If a contractor gets behind, they can't just appeal for another waiver or say, sorry, we didn’t know. The rule has been published, the deadlines are set, and now it’s up to each player in the defense supply chain to stay in line, whether they’re a prime or a sub.
Ruby Sturt
It’s kinda wild thinking about how fast this will hit for some organizations—I mean, especially smaller shops. If you’re not already prepping for annual affirmations or tracking POA&Ms, you’re gonna feel it. The best advice now is: Close gaps, document everything, and don’t let your certification lapse even for a day.
Paul Netopski
And don't forget—continuous compliance is the name of the game now. As we covered back in Episode 3, spot fixes or last-minute sprints aren’t enough. It’s all about maintaining status at all times, especially with supply chain accountability front and center in the regs.
Roz the Rulemaker
If you’re hoping for another last-minute regulatory twist, I’d move on! This is it. Get those affirmations in, keep your POA&Ms tight, and remember the lessons from all those case studies we’ve discussed in previous episodes. This is the end of grandfathering and loopholes. The interagency debating is over—implementation is here.
Eric Marquette
Alright, that’s a wrap for today’s rollout countdown. Don’t wait another week—start your backward planning for November 2025 now, and keep your eye on those affirmations and status renewals. Thanks as always to Ruby, Paul, and Roz—couldn’t ask for a better crew.
Ruby Sturt
Cheers, everyone! If you’re in compliance mode, may your deadlines be short and your audits uneventful. Catch you next time.
Paul Netopski
Thanks, Ruby, Eric, and Roz. Stay strategic—stay compliant. And as always, if you need more details, dig back into those earlier episodes or official DoD guidance.
Roz the Rulemaker
Thanks all. If you’re listening, keep your documents in order and your affirmations on time. We’ll see you next episode!
