TL;DR: The CMMC 48 CFR final rule went live on November 10, 2025, launching the Department of Defense's phased rollout of cybersecurity certification across the Defense Industrial Base. Phase 1 (live now) requires CMMC Level 1 (Self) or Level 2 (Self) on applicable contracts. Phase 2, which begins November 2026, adds the requirement for CMMC Level 2 certified by a CMMC Third-Party Assessment Organization (C3PAO). With approximately 229,818 small business defense contractors affected, North Carolina manufacturers and subcontractors have roughly six months to move from self-assessment to assessor-ready.
Per Nelson Mullins, "the CMMC contract clauses are finally live," meaning DoD contracting officers can now write CMMC requirements directly into solicitations and contract awards through the CMMC clause, DFARS 252.204-7021. Implementing NIST SP 800-171 under DFARS 252.204-7012 and posting a self-assessment score to SPRS under DFARS 252.204-7019/-7020 is no longer sufficient on its own for contracts that include the CMMC clause.
Key takeaway: The CMMC final rule transforms cybersecurity from a recommended practice into a contractual prerequisite for DoD work. North Carolina manufacturers and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) need to know which level applies to them and start an assessor-readiness program now.
Need a CMMC readiness assessment? Preferred Data Corporation provides CMMC compliance support and managed cybersecurity for North Carolina manufacturers and defense contractors. BBB A+ rated since 1987. Call (336) 886-3282 or request a CMMC readiness review.
What is the CMMC 48 CFR final rule?
The CMMC 48 CFR final rule is the Defense Federal Acquisition Regulation Supplement (DFARS) update that operationalizes the Cybersecurity Maturity Model Certification (CMMC) program. The 32 CFR rule, finalized in late 2024, established the program itself: the levels, the assessment types, and the phased rollout. The 48 CFR rule, published in the Federal Register on September 10, 2025 and effective November 10, 2025, gives DoD contracting officers the authority to add CMMC requirements to contracts as a condition of award.
In practice, the 48 CFR final rule answers a question that has hung over defense contractors for five years: when does CMMC become enforceable? The answer is now, with a phased rollout that increases the rigor of required certification through 2028.
What is the CMMC phased rollout?
According to E-N Computers and RSI Security, the DoD has structured CMMC implementation in four phases over three years:
| Phase | Start | What is required |
|---|---|---|
| Phase 1 | November 10, 2025 | CMMC Level 1 (Self) or Level 2 (Self) for applicable contracts |
| Phase 2 | November 2026 (one year after Phase 1) | Adds CMMC Level 2 (C3PAO) for applicable contracts |
| Phase 3 | November 2027 (two years after Phase 1) | Adds CMMC Level 3 (DIBCAC) for applicable contracts |
| Phase 4 | November 2028 (three years after Phase 1) | CMMC requirements in all applicable solicitations and contracts, including option periods on contracts awarded before Phase 4 |
October 31, 2026 is widely cited as the practical transition point because Phase 2 begins on November 10, 2026, one year after the 48 CFR effective date. From that point forward, solicitations that involve CUI will generally require an active Level 2 (C3PAO) certification rather than a self-assessment, although the rule lets DoD delay the C3PAO requirement on individual solicitations at its discretion. Workstreet and My ISO Consultants both confirm the same phased structure.
Who is affected?
Integris IT summarizes DoD's own estimate: "the CMMC compliance regime will impact approximately 337,968 Defense Industrial Base ('DIB') contractors, of which approximately 229,818, or 68%, are expected to be small businesses."
For North Carolina, that translates to thousands of Piedmont Triad and Triangle area manufacturers, machine shops, electronics suppliers, software developers, and professional services firms. The Compass MSP guide for small manufacturers emphasizes that CMMC is not just a prime contractor problem. Subcontractors at every tier inherit CMMC flow-down obligations through the prime's contract clauses.
What level applies to your business?
The three CMMC levels map to the type of information your contracts touch:
| Level | Information type | Assessment | Common NC business profile |
|---|---|---|---|
| Level 1 | Federal Contract Information (FCI) | Annual self-assessment + C-suite affirmation | Small subcontractors, professional services |
| Level 2 | Controlled Unclassified Information (CUI) | Triennial self-assessment OR C3PAO assessment | Manufacturers, ERP integrators, machine shops |
| Level 3 | High-priority CUI / APT-targeted programs | DIBCAC assessment after Level 2 C3PAO | Specialized prime contractors, sensitive programs |
The single most consequential question for an NC business is whether your contracts include Controlled Unclassified Information. CUI markings appear on drawings, technical data packages, statements of work, and inspection results. If you are unsure, PDC's CMMC team can review your contract portfolio to determine the applicable level.
What is the difference between Self and C3PAO?
| Element | CMMC Level 2 (Self) | CMMC Level 2 (C3PAO) |
|---|---|---|
| Who assesses | Your company | Accredited third-party assessor |
| Frequency | Triennial self-assessment | Triennial assessment |
| C-suite affirmation | Required annually | Required annually |
| Cost (typical SMB) | Internal time + tooling | $40K-$120K assessment cost |
| Required for | Limited Phase 1 contracts | Most CUI contracts in Phase 2+ |
| Recovery from a failed assessment | Conditional Level 2 (Self) status with a POA&M, if the score is at least 88 of 110 and only POA&M-eligible requirements are open; close out within 180 days | Conditional Level 2 (C3PAO) status under the same score and eligibility rules; the C3PAO verifies POA&M closeout within 180 days |
In Phase 1, a CMMC Level 2 self-assessment combined with an executive affirmation is acceptable on many CUI contracts. In Phase 2 (November 2026 forward), DoD will increasingly require Level 2 (C3PAO) for new contract awards. M2 Technology emphasizes that businesses should target C3PAO readiness even when a self-assessment is technically permitted, because contracting officers can elevate requirements at their discretion.
How long does CMMC Level 2 certification take?
According to Radicl, "achieving CMMC Level 2 readiness typically takes 12 to 18 months from initial gap assessment to successful C3PAO evaluation."
A realistic timeline for a North Carolina small manufacturer in May 2026:
- Months 1-2: Gap assessment against NIST SP 800-171 controls, scoping decision (full enterprise vs. enclave)
- Months 3-6: Remediation (technical controls, policies, training)
- Months 7-9: Evidence collection, internal pre-assessment
- Months 10-12: C3PAO scheduling and assessment
- Months 13-15: Remediate any findings, re-assess if required
For a business that has not yet started, the timeline above runs past the Phase 2 start date (November 2026), so some loss of contract eligibility is likely. Beginning the gap assessment now is the only way to keep options open.
What are the most common CMMC gaps?
Across hundreds of NIST SP 800-171 self-assessments, four control families consistently produce the most findings for small manufacturers:
1. Access control (AC family)
Multi-factor authentication is mandatory, and it covers more than the VPN: NIST SP 800-171 requirement 3.5.3 (in the identification and authentication family, which assessors review alongside access control) requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts. Many NC manufacturers still rely on password-only VPN logins and shared admin accounts; shared accounts also fail 3.5.1 and 3.5.2, which require every user to be individually identified and authenticated. PDC's zero trust implementations align directly with these CMMC controls.
2. Audit and accountability (AU family)
CMMC requires the ability to detect, log, and review security-relevant events. Requirements 3.3.1 through 3.3.9 cover creating and retaining audit records, attributing actions to individual users, periodic review of what is logged, alerting when logging fails, correlating records, synchronized time stamps, and protecting the logs from tampering. Most SMBs lack a SIEM or a log retention policy that satisfies these controls. PDC's SOC and SIEM services close this gap.
3. System and information integrity (SI family)
This family covers EDR, vulnerability management, and patching SLAs. Outdated antivirus and unpatched perimeter devices (see our SonicWall advisory analysis) are the most frequent SI findings.
4. Configuration management (CM family)
Asset inventories, hardening baselines, and change control are routinely missing. PDC's managed IT services ship with CMMC-aligned baseline configurations and change records.
CISA's Software Bill of Materials guidance and supply chain risk management are not assessed requirements in CMMC Level 2 today (the program assesses against NIST SP 800-171 Rev. 2, which has no supply chain family), but they overlap with the CM family (asset inventory) and the SI family (flaw remediation) and are a useful lens for how third-party software and firmware are tracked and patched.
Should you build an enclave or harden the whole enterprise?
The biggest scoping decision for NC manufacturers is whether to keep all CUI processing inside a smaller, hardened enclave (think GCC High or a segmented network zone) or apply CMMC controls to the entire IT environment.
| Approach | Pros | Cons |
|---|---|---|
| Full enterprise | Single security baseline, no parallel systems | Higher cost, broader scope |
| CMMC enclave | Smaller scope, faster certification, lower ongoing cost | Operational discipline required to keep CUI inside the enclave; CUI that leaks to unmanaged systems pulls those systems into scope |
PDC's enclave strategy guide for manufacturers walks through the tradeoffs in detail. For most small manufacturers, the enclave approach (often built on Microsoft 365 GCC High or AWS GovCloud) is the most cost-effective path to a successful C3PAO assessment.
What does CMMC compliance cost?
A realistic 2026 cost range for a North Carolina small manufacturer (50-150 employees) targeting CMMC Level 2 (C3PAO):
| Category | Typical 2026 cost |
|---|---|
| Gap assessment | $5,000-$15,000 |
| Remediation (tools + services) | $30,000-$120,000 |
| GCC High / GovCloud enclave (annual) | $25,000-$80,000 |
| C3PAO assessment | $40,000-$120,000 |
| Annual managed CMMC program | $36,000-$96,000 |
PDC's CMMC compliance cost guide breaks these numbers down by company size and industry. The cost of compliance is significant, but the cost of contract loss is greater. NC manufacturers without CMMC by Phase 2 will increasingly find themselves removed from competitive solicitations.
What is the SPRS score and why does it matter?
Under DFARS 252.204-7019/-7020, contractors must have a current (not more than three years old) NIST SP 800-171 DoD Assessment score in the Supplier Performance Risk System (SPRS) to be considered for award. The score starts at 110 and deducts 1, 3, or 5 points for each unimplemented requirement, so it ranges from -203 to +110. CMMC Level 2 self-assessment results and C3PAO certification status are also recorded in SPRS, and a Conditional Level 2 status requires a score of at least 88.
PDC's SPRS scoring guide explains the calculation in detail. Even before Phase 2, low SPRS scores cost NC contractors awards. Small manufacturers should treat the SPRS as a continuous improvement metric, not a one-time number.
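The scoring arithmetic is simple enough to check yourself before you post a number. The following is an added example, not code from the original page or from PDC: it computes the SPRS score from a per-requirement status list and flags which open items would block a Conditional Level 2 status. The requirement weights are a constructed subset of the DoD Assessment Methodology, the partial-credit rules for 3.5.3 and 3.13.11 and the POA&M eligibility rules (score at least 88, only 1-point items open except 3.13.11 at 3 points, and a short list of 1-point items that may never be on a POA&M) are my reading of the rule, and the sample assessment is constructed. Verify the weights and rules against the current methodology and 32 CFR 170 before relying on them.

```python
"""SPRS score and Conditional Level 2 eligibility calculator (added example)."""
from __future__ import annotations

from typing import Literal

MAX_SCORE = 110
MIN_SCORE = -203          # published floor: 110 minus the sum of all weights
CONDITIONAL_MIN = 88      # 0.8 * 110, the floor for a conditional status

# Constructed subset of requirement weights, as assumed from the DoD
# Assessment Methodology (5 = high impact, 3 = confined impact, 1 = limited).
WEIGHTS: dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.3.2": 3, "3.4.1": 5, "3.4.2": 5,
    "3.5.1": 5, "3.5.2": 5, "3.5.3": 5, "3.5.7": 1,
    "3.8.3": 5, "3.12.1": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}

# Partial credit (assumed): MFA only for privileged/remote users, or
# encryption that is not FIPS-validated, deducts 3 instead of 5.
PARTIAL_CREDIT: dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

# Assumed list of requirements that may never sit on a POA&M.
POAM_FORBIDDEN = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

Status = Literal["implemented", "not_implemented", "partial", "poam"]


def deduction(req: str, status: Status) -> int:
    """Points deducted for one requirement; a POA&M item still counts as open."""
    if req not in WEIGHTS:
        raise KeyError(f"unknown requirement {req}")
    if status == "implemented":
        return 0
    if status == "partial":
        if req not in PARTIAL_CREDIT:
            raise ValueError(f"{req} has no partial-credit rule; use not_implemented")
        return PARTIAL_CREDIT[req]
    return WEIGHTS[req]


def sprs_score(assessment: dict[str, Status]) -> int:
    """110 minus weighted deductions, clamped at the published floor.
    Requirements absent from the dict are treated as implemented, so a real
    run must list all 110."""
    total = MAX_SCORE - sum(deduction(r, s) for r, s in assessment.items())
    return max(total, MIN_SCORE)


def poam_blockers(assessment: dict[str, Status]) -> list[str]:
    """Requirement IDs (or 'SCORE') that prevent a Conditional Level 2 status.
    An empty list means the open items could all go on a POA&M."""
    blockers: list[str] = []
    if sprs_score(assessment) < CONDITIONAL_MIN:
        blockers.append("SCORE")
    for req, status in assessment.items():
        points = deduction(req, status)
        if points == 0:
            continue
        if req in POAM_FORBIDDEN:
            blockers.append(req)
        elif points > 1 and not (req == "3.13.11" and points == 3):
            blockers.append(req)
    return sorted(blockers)


# Constructed sample: a shop with MFA only on VPN/admin accounts, non-FIPS
# disk encryption, no central logging yet, and two minor open items.
SAMPLE_ASSESSMENT: dict[str, Status] = {
    "3.1.1": "implemented", "3.1.2": "implemented", "3.1.3": "not_implemented",
    "3.3.1": "poam", "3.3.2": "implemented", "3.5.3": "partial",
    "3.5.7": "poam", "3.13.11": "partial", "3.14.1": "implemented",
}

if __name__ == "__main__":
    score = sprs_score(SAMPLE_ASSESSMENT)
    blockers = poam_blockers(SAMPLE_ASSESSMENT)
    print(f"SPRS score: {score}")
    print("Conditional status possible" if not blockers
          else f"Conditional status blocked by: {', '.join(blockers)}")
```

For the constructed sample the score is 97, comfortably above 88, yet the shop still cannot get a conditional status: the open 5-point logging requirement (3.3.1) and the 3-point partial MFA deduction (3.5.3) are not POA&M-eligible, while the non-FIPS encryption finding (3.13.11 at 3 points) is. That is the practical reason to fix logging and MFA first rather than chasing the cheapest 1-point items.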
Key takeaway: CMMC certification is not a single event. It is a continuous program of cybersecurity improvement that maps directly to your ability to win and retain DoD work in 2026 and beyond.
How Preferred Data Corporation supports CMMC compliance
PDC has been protecting North Carolina manufacturers since 1987. Our CMMC support program includes:
- Gap assessments against NIST SP 800-171 and CMMC Level 2 controls
- Remediation engineering for access control, audit logging, EDR, MFA, and incident response
- GCC High and CMMC enclave design and implementation for manufacturers and subcontractors
- Policy and procedure development aligned with CMMC requirements
- C3PAO readiness coaching including evidence collection and mock audits
- Continuous compliance monitoring that keeps your SPRS score and assessment status current
- Local NC presence for on-site assessment and remediation work
Begin your CMMC readiness program today:
- Call (336) 886-3282
- Visit preferreddata.com/contact
- Email [email protected]
Frequently Asked Questions
When did the CMMC 48 CFR final rule take effect?
The CMMC 48 CFR final rule was published in the Federal Register on September 10, 2025 and became effective November 10, 2025. From that date, DoD contracting officers can include CMMC requirements as a condition of contract award.
What is the difference between Phase 1 and Phase 2?
Phase 1 (which began November 10, 2025) requires CMMC Level 1 (Self) or Level 2 (Self) on applicable contracts. Phase 2 (beginning November 10, 2026) adds the requirement for Level 2 assessed by a CMMC Third-Party Assessment Organization (C3PAO). Most contracts that traffic in CUI will require C3PAO certification in Phase 2.
How many small businesses are affected?
According to DoD analysis cited by Integris IT, approximately 229,818 of the 337,968 affected DIB contractors are small businesses, or roughly 68% of the affected population.
Are there extensions for small businesses?
No. There are no formal extensions to CMMC requirements based on company size. Small business contractors must meet the same CMMC level as larger contractors handling the same information types.
How long does CMMC Level 2 certification take?
According to Radicl, achieving CMMC Level 2 readiness typically takes 12 to 18 months from initial gap assessment to successful C3PAO evaluation. Businesses that have not started in May 2026 should accelerate planning to meet Phase 2 contract requirements.
What happens if we miss CMMC certification on a target contract?
A bidder without the required CMMC status is generally ineligible for award on contracts that include the CMMC clause. The rule does allow a Conditional CMMC status when the assessment score is at least 88 of 110 and every open item is eligible for a POA&M; the POA&M must then be closed and verified within 180 days, or the conditional status expires and the contractor falls out of compliance on the award. This is defined in the rule, not left to the contracting officer's discretion.
Does PDC help with both Level 1 and Level 2?
Yes. PDC supports CMMC Level 1 self-assessments for FCI-only contractors, Level 2 (Self) for CUI contractors who can self-assess in Phase 1, and Level 2 (C3PAO) readiness for businesses preparing for Phase 2 and beyond.
Related Resources
- Cybersecurity Services for NC Businesses
- Managed IT Services in North Carolina
- CMMC 2.0 Compliance Guide for NC Defense Contractors
- CMMC Compliance Cost & Pricing Guide
- CMMC Enclave Strategy for NC Manufacturers
- CMMC Level 1 Self-Assessment Guide
- CMMC Requirements for Subcontractors
- CMMC AI Threats & Defense Contractor Compliance
- SPRS Score Guide for NC Defense Contractors
- FedRAMP, GCC High, and CMMC Cloud Compliance
- IT Services in High Point
- IT Services in Greensboro