The U.S. Department of Defense’s final 48 CFR rule, which makes Cybersecurity Maturity Model Certification (CMMC) mandatory for nearly all new defense contracts, has been officially cleared by the Office of Information and Regulatory Affairs (OIRA) and is expected to be published in the Federal Register within days. Enforcement could begin as early as October 2025, with phased rollout continuing through 2028.
That’s why Secureframe, the leading compliance automation platform, warns that defense subcontractors face a narrow and closing window to achieve CMMC 2.0 readiness, or risk losing their place in the defense supply chain.
While the rule has only just cleared the regulatory process, major primes are already enforcing compliance. Lockheed Martin, General Dynamics, and the Defense Logistics Agency have each begun conditioning subcontractor eligibility on demonstrated NIST SP 800-171 and CMMC 2.0 alignment. Suppliers who cannot show progress are already being cut from proposals.
5 Ways Subcontractors Can Get Ahead Today
Secureframe advises subcontractors to take immediate steps to prepare for CMMC enforcement:
- Identify Your Level – Level 1 for FCI-only contractors (15 FAR requirements), Level 2 for those handling CUI (full NIST 800-171 implementation).
- Close Compliance Gaps – Complete gap analyses now; POA&Ms are not permitted at Level 1 and will slow down Level 2 assessments.
- Keep Supplier Scores Current – Update your SPRS or prime-specific portals (e.g., Lockheed CCRA) so primes see your true posture before contracts are awarded.
- Engage Assessors Early – Third-party assessment capacity is limited. Get on the schedule with a C3PAO now.
- Automate Readiness – Use compliance automation to streamline evidence collection, policies, and continuous monitoring—reducing both cost and time to certification.
Secureframe recently launched Secureframe Federal, purpose-built tooling that enables subcontractors to accelerate readiness with automated evidence collection, policy templates, continuous monitoring, and partnerships with accredited third-party assessors. This ensures not only compliance but also long-term eligibility as primes restructure their supply chains around trusted, cyber-secure partners.
Manufacturing Consulting Concepts (MCC), a defense subcontractor, recently completed a CMMC Level 2 assessment using Secureframe.
“Using Secureframe to get NIST 800-171 and CMMC compliant has saved us at least 500 hours over the past two years,” said David Hoenisch, Lead Cybersecurity Engineer at MCC. “With Secureframe, I genuinely felt like we had a partner in the process. They were in it with us and they cared about our success.”
To learn more, go to cmmc.com and secureframe.com.
