New CFR 48 Rule for DoD Contractors
The Department of Defense (DoD) finalized and published the CMMC (Cybersecurity Maturity Model Certification) rule in the Code of Federal Regulations (CFR 48). The CFR 48 CMMC rule for DoD contractors marks the official start of enforceable CMMC requirements, ending years of uncertainty and delays. For DoD contractors, MSPs, and everyone in the defense supply chain, the clock is now ticking.
Here’s what you need to know:
Why This Matters
Until now, many contractors relied on self-attestations and basic NIST 800-171 score reporting in SPRS. That’s changing. The CFR 48 CMMC rule for DoD contractors makes CMMC a legal requirement, meaning primes (large contractors) are now responsible for ensuring their entire supply chain is compliant. If you’re not certified, you risk being cut out of contracts—even if you’re a small, woman-owned, or veteran-owned business. CMMC is now the baseline for eligibility.
November 10, 2025:
- All DoD contractors must self-certify to CMMC Level 1.
- Contractors handling Controlled Unclassified Information (CUI) must either self-certify to Level 2 or be certified by a C3PAO (Certified Third-Party Assessor Organization).
- All self-certifications must be entered into SPRS.
Translation
- Contractors can still self-assess against the required controls, but now a senior executive (such as a CEO or COO) must formally sign off on the results each year.
- This executive affirmation is legally binding, meaning false claims could trigger penalties under the False Claims Act.
- Under the new rule, just entering a “basic NIST 800-171 score” into SPRS is not enough—the annual affirmation adds weight, accountability, and risk because it certifies the results are accurate and complete.
November 10, 2026:
- All Level 2 contractors must be certified by a C3PAO. Self-attestation will no longer be accepted.
Translation
- For Level 2, most contracts will increasingly require a C3PAO audit.
- Companies will need a formal compliance program they can stand behind every year, with an executive taking legal responsibility for accuracy.
- The DoD (and primes) can start requiring third-party CMMC certification through accredited assessors (C3PAOs) as a condition of doing business.
November 10, 2027:
- All Level 3 contractors must be certified by the DIBCAC (Defense Industrial Base Cybersecurity Assessment Center).
Translation
- CMMC Level 3 is the highest tier, based on NIST 800-172, and applies to contractors handling the most sensitive CUI.
- Any contract requiring Level 3 demands certification up front—there’s no grace period.
- Unlike Level 2, which uses third-party assessors, Level 3 audits are conducted directly by the DoD’s DIBCAC, making them rigorous, government-run assessments.
December 2025 (Expected):
- The FAR CUI rule will be published. This will extend NIST 800-171 compliance beyond DoD to all federal agencies’ supply chains. Certifications will likely be required government-wide in the near future.
Translation
- That means NIST 800-171 compliance will likely be required for any federal contractor that handles CUI.
- Expect federal agencies outside of the DoD to adopt CMMC requirements or something similar, meaning this cybersecurity compliance requirement will spread beyond defense contracting.
By late 2025, all DoD contractors need to be on the books with a self-certification, and by 2026-2027 the requirements escalate to full third-party and government certification for the higher levels.
What This Means for Contractors
No more easy surveys
Self-assessment now requires annual executive affirmation, creating legal liability for accuracy.
Primes will push down requirements
Even if your contract doesn’t explicitly require certification, primes will demand it to protect themselves.
Waivers are rare
The only way a waiver applies is if the DoD can’t find enough certified companies during the pre-solicitation process. Waivers are contract-specific, not contractor-wide.
Set-aside status doesn’t override compliance
Woman-owned, veteran-owned, and other small business statuses are still valuable—but CMMC trumps all. Without compliance, you won’t be eligible to compete.
Next Steps for MSPs and Contractors
1. Determine your required level (1, 2, or 3).
Understand whether your contracts involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to identify your CMMC level.
2. Perform your self-assessment and executive affirmation.
This isn’t just a checklist—it’s a legal attestation. SOCSoter’s compliance experts can guide you through the process, ensuring accuracy and completeness.
3. Submit your score in SPRS.
SOCSoter helps MSPs and contractors prepare and validate their NIST 800-171 scoring, making SPRS submission straightforward and defensible.
4. If handling CUI, plan for a C3PAO audit in 2026.
SOCSoter’s pre-audit readiness services simulate C3PAO assessments, helping you identify gaps and remediate before the real audit.
5. If targeting advanced contracts, prepare for DIBCAC by 2027.
For Level 3 ambitions, SOCSoter offers advanced cybersecurity services and documentation support to meet the rigorous DIBCAC standards.
Final Thoughts
CMMC is no longer a future concern—it’s here. The CFR 48 rule locks in timelines and requirements that will reshape the defense contracting landscape. The most important takeaway: eligibility now depends on compliance, and compliance depends on having the right cybersecurity stack.
SOCSoter provides the essential building blocks MSPs and contractors need to meet CMMC requirements with confidence:
Managed Detection & Response (MDR)
Real-time threat monitoring and response to meet continuous monitoring requirements.
SIEM-as-a-Service
Log aggregation, correlation, and alerting to support audit readiness and incident response.
Vulnerability Management
Regular scanning and remediation guidance to maintain a hardened environment.
Endpoint Protection
Advanced antivirus and behavioral analysis to secure devices against evolving threats.
Compliance Reporting & Documentation
Pre-built templates and expert support to streamline your CMMC evidence package.
24/7 SOC Support
A U.S.-based Security Operations Center that backs your team with real-time expertise and escalation.
Whether you’re a prime or a subcontractor, a large enterprise or a small business, cybersecurity maturity is now non-negotiable. SOCSoter helps you build a defensible, auditable, and scalable security stack—so you’re not just eligible, you’re resilient.
MSPs and contractors who act now to prepare will maintain eligibility and build trust with their clients. Those who delay risk being left behind.
Need help navigating the CMMC requirements? SOCSoter provides tailored compliance solutions to help MSPs and contractors stay audit-ready and eligible. Let’s chat!