Cybersecurity Certification Rule Finalized: What Defense Contractors Need to Know

Woods Rogers

A final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) is on track to go into effect on November 10, 2025. At that point, DoD solicitations and contracts will need to include Cybersecurity Maturity Model Certification (CMMC) provisions as a condition of contract award.

On September 10, 2025, the U.S. Department of Defense (DoD)[1] published a final rule in the Federal Register amending Section 48 of the Code of Federal Regulations (48 CFR), known as DFARS. The rule incorporates contractual requirements related to the Cybersecurity Maturity Model Certification program (CMMC).

DoD is adhering to a three-year phased-in implementation period for CMMC contractual provisions. This means during the first three years of the phased rollout, CMMC provisions will only be required for certain contracts, decided by the CMMC Program Office.

Following the three-year phase-in period, CMMC requirements will apply to all contracts for which a defense contractor will be responsible for processing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on contractor information systems during the performance of a contract, with the exception of contracts solely related to the acquisition of Commercial-Off-the-Shelf (COTS) items.

With the 48 CFR CMMC rule finalized, the time is now for defense contractors and subcontractors to familiarize themselves with CMMC’s security standards and compliance requirements.

How We Got Here

The Defense Department established the CMMC program to ensure contractors and subcontractors in the Defense Industrial Base (DIB) were properly safeguarding DoD data stored on their systems. Specifically, under the CMMC program, defense contractors and subcontractors responsible for FCI and/or CUI must meet one of three levels of compliance based on the sensitivity of the information being handled.

CMMC makes clear that defense contractors will not be eligible for contract awards, task orders or delivery orders if they do not meet the required CMMC standards.

For context, the tri-tier CMMC framework establishes three organizational maturity levels:

  • CMMC Level 1 – Applies to contractors that are only responsible for handling FCI.
  • CMMC Level 2 – Applies to contractors responsible for handling CUI.
  • CMMC Level 3 – Applies to contractors supporting DoD’s most critical programs and technologies.

CMMC Level 1 requires contractors to conduct an annual self-assessment and affirm they have implemented the basic safeguarding requirements to protect federal contract information, as set forth in 32 CFR 170.14(c)(2). The results of the CMMC Level 1 self-assessment must be posted to the Supplier Performance Risk System (SPRS) before an award, option exercise, or contract extension.

For contractors handling CUI, CMMC Levels 2 and 3 will require a third-party assessment conducted by a CMMC Third Party Assessor Organization (C3PAO). The C3PAO will assess the contractor’s information systems and submit results through the CMMC Enterprise Mission Assurance Support Service (eMASS).

In addition, contractors at CMMC Level 2 are required to implement the 110 security measures set forth in NIST SP 800-171, along with all Level 1 obligations. Contractors at CMMC Level 3 will need to satisfy all Level 1 and Level 2 requirements, along with 24 additional security measures set forth in NIST SP 800-172.

The 48 CFR CMMC final rule follows the Defense Department’s publication of the 32 CFR CMMC final rule in the Federal Register on October 15, 2024. That rule formally established the cybersecurity program in federal law. The 48 CFR CMMC final rule will now require DoD contracting officers to include cybersecurity requirements based on the CMMC’s tiers within program solicitations and contracts.

Notable Aspects of the 48 CFR CMMC Final Rule

The impact of the 48 CFR CMMC final rule on defense contracts is likely to be significant. As discussed in a prior firm article, some of the most notable aspects of the final rule are summarized below.

CMMC Compliance Requirements Flow Down to All Tiers of Subcontractors

If a subcontractor is responsible for processing, storing, and/or transmitting FCI or CUI, then the compliance requirements under CMMC flow down to the subcontractor. The objective of the flow down requirement is to ensure a level of consistency in cybersecurity standards across the entire supply chain.

Continual Compliance Obligations

Defense contractors and subcontractors are expected to maintain the required CMMC level throughout the duration of the contract. To achieve continuous compliance, defense contractors must submit the unique identifiers (UIDs) of the contractor information systems that will store, process, or transmit CUI throughout contract performance and provide continuous affirmation of compliance. For context, UIDs are alpha-numeric identifiers that will be assigned to each contractor information system that will be certified or self-assessed.

Senior Official Affirmations

The required affirmation of compliance must be completed by a senior company official. This official will attest that the organization’s self-assessment or certification remains current and that their systems continue to comply with the CMMC’s security requirements.

Proactive Measures to Prepare for CMMC Compliance

For defense contractors and subcontractors, the time to strengthen your CMMC compliance posture is now. The cybersecurity program is no longer conceptual; it is a reality. This means organizations in the DIB should immediately begin reviewing their cybersecurity procedures and policies and assessing them pursuant to CMMC Level 1 and Level 2 guidelines.

DoD program managers will be responsible for designating the applicable CMMC level for a particular procurement or contract. Based on available guidance, designation of the applicable CMMC level will be based primarily on factors such as the type of acquisition program or technology, the risk of potential damage associated with FCI / CUI exposure or loss, and Milestone Decision Authority (MDA) guidance.

Contractors handling FCI should proactively complete a Level 1 self-assessment. Contractors handling CUI should ensure all necessary documentation for a third-party assessment is ready for review. Other proactive measures that can be taken for CMMC compliance include the following:

  • Take steps to identify where FCI or CUI data is currently stored, processed and transmitted within your system.
  • Conduct a gap assessment based upon the applicable security requirements at the appropriate CMMC level to assess the current state of your compliance with the relevant CMMC level.
  • Document any gaps that must be remediated prior to a formal CMMC assessment and develop an action plan for addressing the identified gaps.
  • Formalize protocols for the development and management of CMMC program documentation, which should include a detailed system security plan, incident response plan, shared responsibility matrix, and other cybersecurity policies, procedures, and standards.
  • Complete a CMMC self-assessment. This is necessary since contractors are generally obligated to complete a self-assessment before undergoing a C3PAO certification assessment.

[1] The Trump Administration recently issued an Executive Order “rebranding” the Department of Defense as the Department of War. However, the actual name of the department remains unchanged as of the date of this article. As a result, references to the department will remain within the confines of “DoD”, “Defense Department”, etc.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Woods Rogers
