CMMC 2.0 now in solicitations

CMMC 2.0 requirements are starting to appear directly in DoD solicitations, turning readiness from planning into procurement gating — automated evidence and posture monitoring is becoming mandatory. Contractors must shift from ad‑hoc checklists to persistent compliance tooling that ties to their AWS GovCloud and container stacks. (preveil.com)

The DoD’s final DFARS rule was published September 2025 and the acquisitions amendment allowing CMMC language in solicitations took effect November 10, 2025. (arnoldporter.com) Solicitations now use the NOTICE provision 252.204‑7025 to specify required CMMC status and tie award eligibility to entries in the Supplier Performance Risk System (SPRS). (login.acquisition.gov) DoD set a four‑phase rollout: Phase 1 (Nov. 10, 2025) focuses on Level 1/Level 2 self‑assessments, Phase 2 (Nov. 10, 2026) adds Level 2 C3PAO certification at DoD discretion, Phase 3 (Nov. 10, 2027) expands assessments and may introduce Level 3, and Phase 4 reaches full implementation on Nov. 10, 2028. (arnoldporter.com)

Early solicitation examples and contract notices have already been cataloged by industry trackers, and commercial vendors are advertising automated evidence‑collection and continuous posture dashboards to replace manual binders and spreadsheet POA&Ms. (preveil.com) Amazon notes an AWS CMMC customer package and Landing Zone Accelerator for GovCloud that maps many NIST SP 800‑171 controls and offers prebuilt guardrails for DoD/CUI workloads. (aws.amazon.com) AWS GovCloud documentation shows Amazon EKS is available in GovCloud (US) but with service differences (for example, EKS Fargate and some managed observability services are not available in GovCloud regions). (docs.aws.amazon.com)

Federal SBOM guidance has matured into minimum expectations from CISA and DoD SBOM management recommendations that list recommended SBOM elements, provenance tracking, and tool functionality for supply‑chain transparency. (cisa.gov) The final DFARS rule also formalizes annual affirmations, third‑party assessments, and prime responsibility for subcontractor compliance, increasing demand for SPRS checks and subcontractor monitoring workflows in proposals and source selection. (skadden.com)