Skip to content

Watch the November MAD Security Town Hall Webinar replay πŸ‘‡

 

Blue and White Modern Securing Digital Infrastructure Presentation (4)A major shift has arrived for defense contractors. On November 10, 2025, the Department of Defense finalized the 48 CFR update, officially integrating CMMC 2.0 into DFARS. For contractors handling Controlled Unclassified Information (CUI), the rule introduces new enforceable cybersecurity requirements that include verified compliance through CMMC assessments. 

During this month’s MAD Security Cybersecurity Town Hall, hosts Adam Starnes and Jaclyn Jones explained how the new rule affects organizations across the Defense Industrial Base. They discussed what the changes mean for contract eligibility, NIST 800-171 requirements, and the path to achieving CMMC assessment readiness. 

Key Takeaways from the November Town Hall

MAD red 1 one

48 CFR Final Rule Makes CMMC 2.0 Official

The 48 CFR update now formally requires CMMC Level 2 certification for contractors that handle CUI. This marks the end of the voluntary preparation phase and the beginning of mandatory compliance. 

  • Effective immediately as of November 10, 2025
  • Full certification required by November 2026
  • Some contracts may require certification earlier than federal deadlines 
MAD red 2 two

SPRS Scoring and Affirmation Requirements

The Supplier Performance Risk System (SPRS) now requires detailed scoring for all 110 NIST 800 171 controls. Organizations must provide documentation that supports their scores. Unsubstantiated or inaccurate submissions may result in False Claims Act liability or contract loss. 

  • Minimum score of 88 required to submit an affirmation
  • Organizations must retain documentation supporting each control
  • SPRS scores now influence CMMC assessment readiness and contract awards 
MAD red 3 three

Prime Contractors Are Enforcing Compliance Early

Prime contractors have begun requiring subcontractors to show proof of CMMC progress. This includes SPRS scores, System Security Plans, POAMs, and remediation timelines. 

  • Primes remain responsible for CUI flow down
  • Many primes are using internal deadlines earlier than 2026
  • Subcontractors who cannot show progress may lose opportunities 
MAD red 4 four

Start with a CMMC Gap Assessment

A CMMC Level 2 Gap Assessment is the most effective starting point. It evaluates current controls, identifies deficiencies, and creates a roadmap for remediation and assessment preparation. 

  • MAD’s assessments include seven key deliverables including SSP and POAM
  • Control evidence is prepared in alignment with CMMC assessment expectations
  • Gap assessments help organizations demonstrate progress to primes and internal leadership 
MAD SEC - Website Images (4)

Partner with a Certified MSSP 

Interpreting control requirements can be challenging. MAD Security provides guidance through its Virtual Compliance Manager (VCM) program, which supports organizations through remediation, documentation, and CMMC assessment preparation. Our experts participate with clients during their C3PAO assessment sessions to help ensure clarity and accuracy. 

  • Support is provided by the same professionals who passed MAD’s own CMMC assessment
  • Assistance includes control interpretation, evidence development and planning
  • The combination of technical and compliance leadership increases assessment success rates 

Q&A Highlights from Live Attendees

When will contractors need to be certified?

Certification will be required for contract awards beginning November 2026. Some contracts may require certification earlier, depending on the prime or contracting officer.

How can I determine if Level 2 applies to my organization?

If your environment processes, stores, or transmits CUI, you must meet CMMC Level 2 and complete an assessment.


What risks come with delayed compliance efforts?

Risks include lost bids, contract renewals, or removal from a prime contractor’s supply chain. Incomplete SPRS documentation can also lead to legal exposure.

How does MAD Security assist with preparation?

MAD provides CMMC Gap Assessments, Virtual Compliance Management, SOC services, evidence development, SPRS validation, and full support through the assessment process.

 

MAD Security: A Proven Partner for CMMC and DFARS Compliance

MAD Security is a CMMC Level 2 Certified MSSP with a perfect SPRS score of 110. Our mission is to support the Defense Industrial Base by delivering unmatched cybersecurity and compliance expertise. 

Top 250 MSSP for four consecutive years 
85 percent of clients are defense contractors 
Cyber AB Registered Practitioner Organization 
The same experts who passed MAD’s CMMC assessment support our clients 
U.S. based 24/7 SOC staffed by cleared cybersecurity professionals
Seamless alignment with Microsoft, Fortinet, and other major platforms 
Services covering GRC, SOCaaS, MDR, VCM, Risk Assessments, and Pen Testing 
Veteran Owned Small Business leadership 

Our experience ensures that clients are preparing assessments using the same high standards that helped us earn our own certification. 

Why You Must Act Now

With the 48 CFR rule now in effect, organizations cannot afford to wait. Delaying CMMC preparation increases the risk of: 

Loss of new contract opportunities 
Failed assessments due to incomplete documentation 
Pressure from primes to demonstrate immediate progress 
High unexpected remediation costs 
Competitive disadvantage in DIB contracting 

Taking early action supports: 

Stronger cybersecurity maturity 
Predictable remediation budgeting 
Better relationships with prime contractors 
Reduced stress during assessment preparation 

Assessment readiness requires time.

Beginning now protects both revenue and viability in the defense supply chain. 

 

Free Resources and Next Steps

MAD Security offers several free resources to support your compliance journey: 

CMMC Master Bundle with key templates and tools
CMMC Assessment Guide outlining the full CMMC process
Free Pre-Assessment with 30 readiness questions
Free Consultation with MAD’s compliance experts

These tools offer practical support to help organizations strengthen compliance and improve readiness at any stage of their cybersecurity journey. 

Schedule your session now. 

 

Final Thoughts: CMMC Readiness Is a Continuous Journey

CMMC is now a permanent requirement for defense contractors, and preparation is an ongoing responsibility. The most successful organizations begin early, build solid cybersecurity habits, and maintain readiness beyond their certification date. You are not alone in this process. MAD Security is ready to guide you every step of the way with proven expertise and mission aligned support. 

SCHEDULE A CONSULTATION

 

Original Published Date: December 2025

By: MAD Security

Related Posts

What are the CMMC Requirements?
What are the CMMC Requirements? If your business supports the Department of Defense in any way β€” as a contractor, subcontractor, or vendor β€” then meeting CMMC requirements isn’t just a nice-to-have....