
CMMC Final Rule Published:

BY SPIRION
September 18, 2025

What Happened

On September 10, 2025, the U.S. Department of Defense (DoD) published the long-awaited Cybersecurity Maturity Model Certification (CMMC) Final Rule in the Federal Register, codifying CMMC requirements in the Defense Federal Acquisition Regulation Supplement (DFARS). The rule takes effect November 10, 2025, and CMMC requirements will be phased into defense contracts over the following three years.

Why It Matters

For the Defense Industrial Base (DIB), CMMC is no longer a draft framework; it is a binding contractual requirement. Contractors at every tier, from prime to subcontractor, must be able to demonstrate how they protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The stakes are high: failure to comply means loss of eligibility for contract awards, potential liability under the False Claims Act for inaccurate compliance representations, and reputational harm.

Key Elements of the Final Rule

  • Codified Requirements: DFARS Clause 252.204-7021 is now mandatory in applicable solicitations and contracts, and it flows down to subcontractors that handle FCI or CUI.
  • Three Levels of Certification:
    • Level 1 (Foundational): 15 basic safeguarding requirements protecting FCI; annual self-assessment and annual affirmation.
    • Level 2 (Advanced): the 110 security requirements of NIST SP 800-171 protecting CUI; a self-assessment every three years with annual affirmation for some programs, and a third-party certification assessment by an authorized C3PAO every three years, with annual affirmation, for the rest.
    • Level 3 (Expert): Level 2 plus additional requirements drawn from NIST SP 800-172 to counter advanced persistent threats (APTs); government-led assessments.
  • SPRS Submissions: Contractors must have a current CMMC assessment result and annual affirmation recorded in the Supplier Performance Risk System (SPRS) at the required level to be eligible for contract award.
  • Phased Rollout: Begins November 10, 2025, with full implementation by 2028, impacting approximately 337,000 businesses, including 230,000 small entities.

What’s at Stake

CUI is highly sensitive, spanning roughly 125 categories in the National Archives CUI Registry, including defense, export control, and law enforcement data. Mishandling CUI not only risks contract termination but also exposes organizations to multimillion-dollar settlements. In 2024 and 2025 alone, the DOJ pursued False Claims Act enforcement actions against multiple universities and defense contractors for misrepresenting compliance with NIST SP 800-171 and DFARS requirements, with settlements ranging from $1.25 million to $30 million.

How Spirion Accelerates CMMC Readiness

Spirion has been helping defense contractors identify, classify, and protect sensitive data for more than 20 years. Our solutions align directly with the data protection requirements of NIST SP 800-171 and CMMC:

  • Accurate CUI Discovery and Classification: Spirion’s AnyFind® technology identifies over 400 sensitive data types, including CUI categories, across structured and unstructured data in on-premises, cloud, and endpoint environments, so organizations know exactly where sensitive data lives.
  • Contextual Labeling and Marking: Spirion applies classification, sensitivity labels, and required CUI markings (headers, footers, designation indicators) consistently, reducing human error and meeting regulatory marking requirements.
  • Continuous Monitoring and Audit-Readiness: Spirion CADIA® (Context-Aware Data Interrogation Algorithms) provides automated risk scoring, detailed audit logs, and real-time alerts for policy violations, helping organizations demonstrate ongoing compliance and prepare for third-party or government-led assessments.
  • Robust Endpoint Coverage: Spirion’s discovery and classification extend beyond servers and cloud repositories to laptops, desktops, and removable media, areas that are frequently overlooked but critical to full compliance.

Next Steps for DoD Contractors

  1. Assess Your Data Landscape: Determine whether your contracts involve FCI, CUI, or both, and identify the corresponding CMMC level.
  2. Conduct a Gap Analysis: Compare your current controls against the NIST SP 800-171 requirements.
  3. Remediate Risks: Implement missing controls and ensure data is classified, labeled, and encrypted where required.
  4. Affirm Compliance in SPRS: Stay audit-ready with accurate, documented evidence behind every affirmation you submit.
  5. Establish Continuous Improvement: Use tools like Spirion’s risk scoring to monitor and enhance your security posture over time.

Final Thoughts

The countdown to CMMC enforcement has begun. With the rule taking effect on November 10, 2025, less than two months away, organizations in the Defense Industrial Base must act now to avoid being left behind. Spirion’s proven data discovery, classification, and compliance tools make it possible to meet CMMC requirements with confidence, protecting contracts, reputations, and national security.

Learn how Spirion can support your CMMC journey.