8 Burning Questions About 48 CFR

The landscape for DoD contractors has fundamentally shifted. The long-awaited CMMC Final Rule 48 CFR is no longer a proposal; it goes into effect on November 10, 2025. Therefore, understanding its specific CMMC requirements is a necessity for continued eligibility in the defense industrial base (DIB). This post distills pressing questions and answers from KLC Consulting’s September 2025 “Ask the Experts” webinar, so DoD prime contractors and subcontractors can effectively prepare and take action now.

1. How does the Final Rule 48 CFR affect prime contractors and subcontractors?

The 48 CFR Final Rule defines a clear chain of responsibility. Prime contractors are now responsible for ensuring their subcontractors meet all CMMC requirements. This means primes must:

  • Verify CMMC Status: Before awarding a subcontract, primes must check the Supplier Performance Risk System (SPRS) to verify that the sub’s CMMC status is current and meets the contract’s minimum requirements.
  • Flow Down Requirements: Primes must ensure all CMMC requirements are properly flowed down to their subcontractors who handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).
  • Report Changes: Primes must report any changes to the CMMC scope or system unique identifiers (CMMC UIDs) to the contracting officer. Subcontractors do not report directly to the contracting officer.

Think of it like a relay race: the prime contractor is the last runner, responsible for ensuring all team members (subcontractors) are compliant and that the entire team’s information is correctly reported to the DoD.

2. Do self-assessments get a CMMC Unique ID (UID)?

Yes, every CMMC assessment, whether a self-assessment or a C3PAO-certified assessment, results in a unique identifier. When a company enters its self-assessment record into the SPRS, the system automatically generates a 10-character alphanumeric CMMC UID. This ID links the assessment to the contractor’s information system and is a crucial part of the compliance record.

3. What kind of changes trigger a new C3PAO assessment?

A CMMC Level 2 certification is valid for three years, but certain changes can trigger the need for a new assessment sooner. While the full guidance is still being clarified by the DoD, major changes to the system’s CMMC scope will likely require a new assessment.

Examples include:

  • Moving from one cloud provider to another (e.g., from Microsoft Azure to AWS).
  • Relocating a data center to a new geographical location.
  • Major changes to the technology stack or network architecture.

However, smaller changes, like adding new users or new laptops within the same environment, don’t typically require a new assessment. If you are adding a new company through a merger or acquisition, but using the same IT environment, the need for a new certification is still being discussed by the DoD and Cyber AB.

4. Will the DoD grant waivers for CMMC certification?

Waivers are addressed in 32 CFR Part 170, but the 48 CFR Final Rule advises contractors not to count on them. While some agencies or program offices may have internal policies for issuing waivers, there is no standardized waiver process. The intent of the new rule is to make CMMC a mandatory requirement for all applicable contracts, so waivers will be rare and issued only at the discretion of the contracting office for specific circumstances.

5. Is a penetration test required for CMMC Level 2?

No, a penetration test is not a requirement for CMMC Level 2 certification. This is a common point of confusion. The CMMC Level 2 framework requires vulnerability management practices, but penetration testing is specifically a requirement for CMMC Level 3.

6. What is the COTS exemption, and how do you get one?

The Commercial Off-The-Shelf (COTS) exemption is a critical distinction. If a company sells 100% COTS products, it can be exempt from CMMC requirements. However, this is a strict exemption.

To qualify:

  • Your product must be sold in the commercial market.
  • It must be sold in large quantities.
  • It cannot be modified for a specific government contract.

If you sell a mix of COTS and non-COTS products, the exemption does not apply. To obtain an exemption, you must go through a commercial item determination process with the DoD’s commercial item office or your prime contractor, proving that your product meets all these criteria.

7. If we don’t handle CUI, is CMMC still required?

It depends on the type of federal information you handle. If you only handle Federal Contract Information (FCI), that is, information not intended for public release that is also not considered CUI, you must comply with the requirements for CMMC Level 1. If you do not handle any FCI or CUI, CMMC is not a requirement. CMMC Level 2 is specifically for companies that handle CUI.

8. Can a remote C3PAO assessment be done?

Yes, a remote C3PAO assessment is possible, particularly for companies that use a virtual desktop infrastructure (VDI). If a company’s CUI is stored and processed in a secure, cloud-based VDI enclave and no CUI is physically present on-site or on local devices, a remote assessment can be conducted. In this scenario, the C3PAO assesses the CUI enclave in the cloud, and the local devices are considered out of scope.

Prepare for Your CMMC Level 2 Certification Assessment!

The new CMMC Final Rule is the real deal. With the 48 CFR in effect, a bottleneck for C3PAO assessments is anticipated. The smartest move for any contractor in the Defense Industrial Base (DIB) is to prepare now. Proper CMMC Level 2 Certification preparation is a critical undertaking for any organization that handles CUI and wishes to do business with the DoD.

Download our free CMMC Level 2 Readiness Checklist to get the process started. To get your specific questions answered and secure your place on our C3PAO calendar, book a consultation using our Hubspot Link. A nominal deposit is all it takes to secure your spot for a C3PAO assessment and take a confident step toward CMMC compliance and winning those contracts.

About KLC Consulting

KLC Consulting is an Authorized C3PAO specializing in CMMC assessments and NIST 800-171 compliance for the Defense Industrial Base (DIB). Our team of Cyber AB-authorized Lead Certified CMMC Assessors has a combined 75 years of experience in the cybersecurity field, allowing us to deliver objective, high-quality CMMC Level 2 assessments and readiness services for organizations from Fortune 500s to small subcontractors. Read more about us here.

Want to Know How Much a CMMC Assessment Costs?

Check out our YouTube channel and LinkedIn pages for the latest informational and educational resources for Cybersecurity Maturity Model Certification.
