New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

All Articles
CMMC
5 min read

CMMC Is in Contracts Now: What 10 November Actually Changed

The 48 CFR acquisition rule took effect yesterday. CMMC clauses now flow into new DoD solicitations – and through primes to everyone beneath them, including Australian suppliers riding the AUKUS wave.

Christina Arcane

Yesterday, 10 November, the second half of the CMMC machine switched on. The 48 CFR acquisition rule took effect, which means the Cybersecurity Maturity Model Certification stops being a program that exists on paper and starts being a clause that appears in contracts.

We've had a steady stream of "what does this actually change?" questions from clients in the defence supply chain – several of them Australian firms who picked up US work through AUKUS channels and are now discovering American acquisition regulation the way one discovers a rip current. So here's the plain-English version.

Two rules, one program – a recapLink to this section

CMMC arrived in two instalments, and conflating them causes most of the confusion:

  • The program rule (32 CFR Part 170) – effective December 2024 – defined the machinery: the levels, assessment types, scoring, the affirmation requirement. It answered what CMMC is.
  • The acquisition rule (48 CFR / DFARS) – effective yesterday – answers when it applies to you: the DFARS clause now flows into new DoD solicitations and contracts, phased in over roughly three years.

We're now in Phase 1. In practice, for new solicitations that handle Federal Contract Information or Controlled Unclassified Information:

  • Contracts involving FCI require a Level 1 self-assessment – done annually, entered in SPRS, affirmed by a senior official.
  • Most contracts involving CUI require a Level 2 self-assessment against all 110 requirements of NIST SP 800-171 Rev 2, with the same SPRS-and-affirmation drill. Third-party certification requirements arrive with Phase 2, expected a year from now, and some early solicitations may ask for it sooner at the program's discretion.

The unglamorous headline: you cannot be awarded new covered work without a current assessment and affirmation in SPRS. Not "should have" – cannot. Contracting officers check a database, and the database either has your affirmation or it doesn't.

The affirmation is the sleeper clauseLink to this section

Everyone focuses on the 110 controls. Spare a thought for the signature.

A senior official of your company must annually affirm, in a US government system, that your organisation is compliant. That converts cybersecurity posture from an IT department's problem into an executive's personal representation – with False Claims Act exposure sitting behind inaccurate ones. US enforcement has already shown it will pursue contractors over misrepresented security compliance.

If you're the executive being asked to sign: the correct response is not to refuse, and it's certainly not to sign blind. It's to demand the evidence trail that makes the signature safe – current assessment, honest score, documented gaps with funded remediation plans, and records behind every control that claims to be "met". Which brings us to ours.

What "met" looks like for the training controlsLink to this section

Our corner of the 110 is the Awareness and Training family, and it's one of the easiest places to either bank points or leak them:

  • 3.2.1 – awareness. Every user aware of security risks and the policies that apply to them. Evidence: per-person completion records of content that actually reflects current risk – which in 2025 means AI data leakage and AI-assisted phishing alongside the classics.
  • 3.2.2 – role-based training. People trained for the security duties of their role: admins, engineers touching CUI, program staff. Evidence: assignment logic plus completions, not one generic course for everyone.
  • 3.2.3 – insider threat. Recognising and reporting indicators. Evidence again: content plus completion, per seat.

Assessors ask the same four questions every time – who, what content, which version, when – and a spreadsheet maintained by memory answers none of them convincingly. If nothing else comes from this week, put your training records somewhere they generate themselves.

A word for the AustraliansLink to this section

If you supply a US prime – directly or three tiers down – these requirements reach you through flow-down clauses, not through any Australian regulator. The prime's contract obliges them to push requirements to subcontractors handling FCI/CUI, and "we're not a US company" is not an exemption; it's a reason your prime's compliance team is emailing you.

With AUKUS opening licence-free defence trade, a wave of Australian SMEs is entering exactly this supply chain. Our advice: treat CMMC readiness as a market-access investment, not a compliance tax. The firms that can show an SPRS score and a clean evidence trail will win work from the ones that can't – the certification queue in Phase 2 will make prepared suppliers scarce, and scarcity is pricing power.

This quarter, in orderLink to this section

  1. Scope honestly. Where does FCI/CUI enter, live, and leave your environment? Small scope, small problem.
  2. Self-assess against Rev 2 and post the real score. An honest 88 with a remediation plan beats a fictional 110 attached to an executive's name.
  3. Mind the POA&M rules. Only some requirements can sit on a plan of action, minimums apply, and the clock to close them is 180 days.
  4. Make the evidence continuous. Training records, access reviews, the lot – produced by the system as it runs, not assembled the week the assessor calls.

Phase 1 is the merciful phase: self-assessment, no third-party certificate, time to fix what you find. It is also, therefore, the cheapest this will ever be. Use it like the grace period it is.