The Significance of November 10, 2025, for Cybersecurity Maturity Model Certification (CMMC)
After what may have felt like a long wait, CMMC is finally becoming a reality. The Cybersecurity Maturity Model Certification program, which aims to improve cybersecurity and minimize risks in the Defense Industrial Base (DIB), began its evolution back in 2010. During this time, there have been several changes in the structure of the program. Consequently, many organizations that are set to be impacted have adopted a cautious wait-and-see approach. However, on Monday, November 10, it will finally start to become a requirement in certain Department of War (formerly named Department of Defense) contracts. This is when 48 CFR, the CMMC Final Rule, takes effect.
Organizations have taken a number of different approaches in their preparation for CMMC. A small number got ahead of the game and have achieved certification. Some started early and are still working hard to be ready for this date - and some organizations have chosen to wait and see. Achieving CMMC certification is a significant endeavor, and insufficient preparation could result in delays in obtaining certification and potentially lost business opportunities.
It is important for organizations to be aware of the three levels of the CMMC model and which applies to them:
CMMC Level 1
Focuses on basic cybersecurity hygiene practices and is required when Federal Contract Information (FCI) is being handled.
CMMC Level 2
Designed for organizations that handle Controlled Unclassified Information (CUI).
CMMC Level 3
Designed for organizations that also handle CUI and are involved with critical Department of War programs.
Each Level requires more time, likely more cost, and a deeper understanding of the organization’s cybersecurity posture.
No matter where organizations are in their preparation for CMMC, NSF can help. Here’s what organizations need to consider:
- 1Don’t underestimate the effort required for CMMC compliance. Ensure you have the necessary resources and that leadership is engaged and prepared to provide ongoing support.
- 2Conduct a mock CMMC assessment beforehand to proactively identify gaps and areas requiring attention. Although this may seem like an additional step, completing this can lead to significant time and cost savings down the line. NSF can provide this service.
- 3Contact an authorized third-party assessment organization (C3PAO). NSF became the first C3PAO to be authorized in Michigan for CMMC and is listed on the Cyber AB Marketplace, the official accreditation body for the CMMC program.
Our team is ready to work with organizations to address any of the points above. Achieving CMMC compliance can be a challenge, especially for small to medium-sized businesses with limited resources, but you don’t have to navigate it alone.
Get started with CMMC
What’s New with NSF
iNADO Partners with NSF to Support Members and Athletes
May 27, 2026iNADO is pleased to welcome NSF’s expertise and experience in support of its members and the athletes they serve
NSF Ends UK’s Three-Year Testing Gap with REG 31 Testing Designation
May 20, 2026NSF’s Oakdale laboratory becomes the UK’s sole facility offering comprehensive BS 6920 and REG 31 testing, closing a critical drinking water safety gap.
Tangent® Materials Announces Industry First: Tangent PolySheet™ CB Earns Certification to NSF 537, Becoming the First PFAS-Free NSF Standard 51 Food Equipment Material
May 20, 2026New food-grade synthetic cutting-board sheet, engineered from the ground up without per- and polyfluoroalkyl substances (PFAS), establishes a new materialsafety benchmark for food-contact and food-equipment applications.
NSF Annual Review and Impact Report 2025 Now Live
April 20, 2026NSF has published its Annual Review and Impact Report 2025, detailing the organization’s progress over the past year and outlining strategic priorities for 2026.