If you’re a Connecticut manufacturer in the DoD supply chain, the wait is over. On September 9, 2025, the Department of Defense released the CMMC 2.0 Title 48 acquisition rule for public inspection. On September 10, 2025, it was officially published in the Federal Register. And on November 10, 2025, the rule goes into effect.
From that date forward, all new DoD solicitations and contracts will include some level of CMMC requirement as a condition of award. Translation: CMMC has officially moved from “talk” to terms and conditions in your contracts.
The 48 CFR acquisition rule is the enforcement mechanism that allows contracting officers and primes to insert CMMC requirements into solicitations and awards. While the 32 CFR program rule has been in place since late 2024, this acquisition rule is what makes CMMC show up directly in your paperwork.
And enforcement is happening quickly:
Effective November 10, 2025 – Phase 1 begins, requiring CMMC for new DoD contracts.
Level 1 and Level 2 self-attestations become conditions of award.
Third-party C3PAO audits will be phased in within the following 12 months, and primes can demand them earlier.
Phase-in is fast: Level 1 and Level 2 (self-assessments) start immediately as conditions of award.
C3PAO audits aren’t far behind: Many contractors will need to complete a successful third-party audit within the year to remain eligible.
Flowdown is real: Even before the official deadlines, prime contractors can flow down requirements to suppliers earlier. If you’re in their critical path, you’ll be held to their compliance bar sooner.
Level 1 (Foundational): For FCI. CMMC Level 1 requires annual self-assessment, reported in SPRS. Baseline cyber hygiene.
Level 2 (Advanced): For CUI. Requires implementing all 110 NIST SP 800-171 requirements, with a C3PAO assessment every three years plus annual affirmations. Most CT manufacturers fall here.
Level 3 (Expert): Reserved for the most sensitive programs. Requires government-led assessments against NIST SP 800-172.
Getting certified isn’t fast. Most companies need 8–10 months to prepare for and complete a successful C3PAO audit. With enforcement starting in November, waiting even a few months could leave you unable to bid on or win new DoD contracts.
Early movers in Connecticut will have a competitive edge. CMMC isn’t just a checkbox—it’s a business advantage. Being cert-ready positions you as the “safe pair of hands” that primes and the DoD want in their supply chain.
At Charles IT, we help Connecticut manufacturers and defense contractors navigate CMMC 2.0 requirements with confidence. Our people-first approach takes the complexity out of compliance and gives you:
A complimentary CMMC compliance timeline review
A 15-minute consultation with our experts
Guidance on self-attestation vs. C3PAO audit
An SPRS score check + gap analysis
Don’t leave your DoD pipeline to chance. With deadlines measured in weeks, not years, now is the time to act.
👉Book your complementary CMMC Readiness Review today.