The Department of Defense’s CMMC enforcement begins November 10, 2025. Learn what this milestone means, how it affects contractors, and how Cyberleaf’s four-phase approach helps you achieve compliance efficiently and at scale.
On November 10, 2025, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program moves from policy to practice. Beginning this date, contracting officers can start including CMMC requirements in new solicitations and awards. For organizations that handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), this is no longer preparation—it is performance.
The final rule, published in September, formally amends the Defense Federal Acquisition Regulation Supplement (DFARS) to make CMMC compliance a contractual requirement. In short, cybersecurity maturity is now a condition for doing business with the DoD.
This date marks the start of Phase 1 in the Department of Defense’s phased rollout of CMMC over the next three years.
For many organizations, this means that eligibility to bid or renew DoD contracts now depends on documented cybersecurity practices.
Determine Scope: Identify which systems process, store, or transmit CUI or FCI. Only those systems fall within the CMMC boundary.
Assess Your Readiness: Conduct a gap analysis to determine current maturity against NIST SP 800-171 controls and CMMC Level 1 or 2 standards.
Develop a Plan of Action: Create a roadmap that prioritizes remediation and control implementation within defined timelines.
Implement and Document: Apply the required controls, policies, and procedures—and capture documentation for assessment or audit.
Sustain Compliance: Maintain continuous monitoring, regular evidence collection, and periodic reassessment to ensure compliance over time.
Cyberleaf simplifies the CMMC journey with a structured approach designed for efficiency and scalability:
Assess: Identify current gaps and define your baseline
Plan: Build a detailed roadmap and compliance strategy
Implement: Execute required security controls and documentation
Maintain: Provide continuous monitoring and compliance support
Whether you are preparing for a self-assessment or a certified third-party audit, our team delivers the expertise and orchestration needed to get you there.
The November 10 milestone signals the start of CMMC enforcement, not the end of preparation. Over the next three years, the DoD will expand CMMC requirements across more contracts until full implementation in 2028.
Organizations that act now will not only stay eligible for future contracts but will also strengthen their security posture and trust within the defense supply chain.
If your organization supports the Department of Defense, the time to act is now. Talk with Cyberleaf’s CMMC consultants to start your path to compliance and stay ready for what comes next.