The Significance of November 10, 2025, for Cybersecurity Maturity Model Certification (CMMC)
After what may have felt like a long wait, CMMC is finally becoming a reality. The Cybersecurity Maturity Model Certification programme, which aims to improve cybersecurity and minimise risks in the Defense Industrial Base (DIB), began its evolution back in 2010. During this time, there have been several changes in the structure of the programme. Consequently, many organisations that are set to be impacted have adopted a cautious wait-and-see approach. However, on Monday, November 10, it will finally start to become a requirement in certain Department of War (formerly named Department of Defense) contracts. This is when 48 CFR, the CMMC Final Rule, takes effect.
Organisations have taken a number of different approaches in their preparation for CMMC. A small number got ahead of the game and have achieved certification. Some started early and are still working hard to be ready for this date - and some organisations have chosen to wait and see. Achieving CMMC certification is a significant endeavour, and insufficient preparation could result in delays in obtaining certification and potentially lost business opportunities.
It is important for organisations to be aware of the three levels of the CMMC model and which applies to them:
CMMC Level 1
Focuses on basic cybersecurity hygiene practises and is required when Federal Contract Information (FCI) is being handled.
CMMC Level 2
Designed for organisations that handle Controlled Unclassified Information (CUI).
CMMC Level 3
Designed for organisations that also handle CUI and are involved with critical Department of War programmes.
Each Level requires more time, likely more cost, and a deeper understanding of the organisation’s cybersecurity posture.
No matter where organisations are in their preparation for CMMC, NSF can help. Here’s what organisations need to consider:
- 1Don’t underestimate the effort required for CMMC compliance. Ensure you have the necessary resources and that leadership is engaged and prepared to provide ongoing support.
- 2Conduct a mock CMMC assessment beforehand to proactively identify gaps and areas requiring attention. Although this may seem like an additional step, completing this can lead to significant time and cost savings down the line. NSF can provide this service.
- 3Contact an authorised third-party assessment organisation (C3PAO). NSF became the first C3PAO to be authorised in Michigan for CMMC and is listed on the Cyber AB Marketplace, the official accreditation body for the CMMC programme.
Our team is ready to work with organisations to address any of the points above. Achieving CMMC compliance can be a challenge, especially for small to medium-sized businesses with limited resources, but you don’t have to navigate it alone.
Get started with CMMC
What’s New with NSF
iNADO Partners with NSF to Support Members and Athletes
May 27, 2026iNADO is pleased to welcome NSF’s expertise and experience in support of its members and the athletes they serve
NSF’s EU Green Week Partner Event: Organic Production and a Nature-Positive Economy
May 27, 2026NSF is hosting an EU Green Week partner event exploring how organic production, science-based risk evaluation, and credible certification can support the delivery of the Common Agricultural Policy (CAP) objectives and the EU’s vision for food and agriculture.
NSF Ends UK’s Three-Year Testing Gap with REG 31 Testing Designation
May 20, 2026NSF’s Oakdale laboratory becomes the UK’s sole facility offering comprehensive BS 6920 and REG 31 testing, closing a critical drinking water safety gap.
NSF Annual Review and Impact Report 2025 Now Live
April 20, 2026NSF has published its Annual Review and Impact Report 2025, detailing the organization’s progress over the past year and outlining strategic priorities for 2026.