Department of Defense Finalizes Long-Awaited Cybersecurity Rule

Morrison & Foerster LLP - Government Contracts Insights

On September 10, 2025, the U.S. Department of Defense (DoD) published its long-awaited final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) program. The final rule creates the mechanism for the CMMC program to be formally included in solicitations and contracts, beginning on its effective date of November 10, 2025. The CMMC program is DoD’s tool to implement a consistent, comprehensive framework to improve the cybersecurity of the U.S. defense industrial base.

The final rule begins a phased-in approach under which, within the next three years, nearly all DoD solicitations and contracts will require contractor conformance to one of three levels of cybersecurity requirements. When the DFARS CMMC clause is included in a solicitation, prospective offerors will not be eligible for award of a contract, task order, or delivery order unless they have reported to DoD a current CMMC compliance status for all applicable contractor IT systems. The same requirements will apply to existing contractors before exercise of an option or inclusion in the contract of new work subject to CMMC. Subcontractors may also be obligated to assess and affirm CMMC compliance, depending on the nature of their work.

Background

The CMMC program was first conceptualized by DoD in 2019 as a means to protect the defense industrial base from evolving security threats. Regulations implementing the program have been underway since a 2020 interim rule, with major revisions to the CMMC program announced in November 2021. A proposed rule implementing the current CMMC 2.0 structure eventually was introduced in December 2023 and finalized effective December 16, 2024. It has now been incorporated into regulation at 32 C.F.R. Part 170.

CMMC 2.0 does not impose entirely new cybersecurity obligations on contractors, but it does formalize the assessment and attestation processes for contractors to confirm compliance with requirements that already exist under FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, and DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Under the FAR Basic Safeguarding clause, contractors that process, store, or transmit Federal Contract Information (FCI) on their IT systems must meet 15 specified security requirements. Under the DFARS 252.204-7012 clause, contractors that process, store, or transmit Controlled Unclassified Information (CUI) on their IT systems must implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and, if they use an external cloud service provider to process, store, or transmit CUI, must ensure that the provider meets security requirements equivalent to the FedRAMP Moderate baseline.[1]

CMMC Level 1 correlates with the FAR clause requirements, and CMMC Level 2 with the 110 security requirements of NIST SP 800-171 (the CMMC program rule at 32 C.F.R. Part 170 references Revision 2) under the DFARS clause. Level 3, which is reserved for contracts with the most sensitive CUI, adds the heightened security requirements of NIST SP 800-172 on top of Level 2.

Key Provisions of the CMMC Implementation Final Rule

The rule applies to all contracts under which the contractor will process, store, or transmit FCI or CUI on contractor information systems. The CMMC clause will not be included in contracts that are solely for the acquisition of commercially available off-the-shelf products or in awards that do not involve the handling or transmission of FCI or CUI. That said, it is anticipated that the majority of DoD contracts, particularly any contract involving provision of services to DoD, will be covered by the rule.

As noted, the final rule imposes both assessment and affirmation obligations on contractors. At Level 1 and for some Level 2 contracts, the contractor can self-attest to meeting the relevant underlying security standards. Most Level 2 contracts will require a third-party assessment of compliance, and Level 3 contracts will require a government assessment. Under all three levels, contractors must affirm their continued conformance to the required standard prior to initial contracting and then annually thereafter.

The assessment and attestation schedule is summarized as follows:

| CMMC Status | Assessment Frequency | Affirmation Frequency |
|---|---|---|
| Level 1 (Self-assessment) of compliance with FAR 52.204-21 | Annual self-assessment entered in the Supplier Performance Risk System (SPRS). | After assessment and annually thereafter, entered in SPRS. |
| Level 2 (Self-assessment) of compliance with NIST SP 800-171 | Self-assessment every three years entered in SPRS. | After assessment and annually thereafter, entered in SPRS. |
| Level 2 (Certified Third-Party Assessment Organization (C3PAO) assessment) of compliance with NIST SP 800-171 | C3PAO assessment every three years entered in the CMMC Enterprise Mission Assurance Support Service (eMASS). | After assessment and annually thereafter, entered in SPRS. |
| Level 3 (Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment) of compliance with NIST SP 800-172 | Prior attainment of Level 2 (C3PAO) required; DIBCAC assessment every three years entered in eMASS. | After assessment and annually thereafter, entered in SPRS. |

The final rule amends the DFARS to include the following solicitation (through DFARS 252.204-7025) and contractual (through DFARS 252.204-7021) requirements:

  • Offerors and contractors must post the results of a CMMC Level 1 or Level 2 self-assessment to SPRS prior to award, exercise of an option, or extension of a period of performance, if not already posted.
  • Contractors must maintain the required CMMC status for the life of the contract.
  • Offerors and contractors must identify the contractor information systems that will be used to process, store, or transmit FCI or CUI in performance of the contract prior to award, exercise of an option, or extension of any period of performance, by providing in SPRS identifiers for each such system.
  • The contractor’s “affirming official”[2] must complete an affirmation on an annual basis of continuous compliance with the specified security requirements in SPRS for each identified contractor information system that will process, store, or transmit FCI or CUI in performance of the contract.

CMMC assessment and affirmation requirements will be phased in as follows:

  • Phase 1 – begins on the effective date of the final rule (November 10, 2025)
    • For solicitations that require Level 1 or 2 self-assessment that are selected by DoD for inclusion of the clauses
    • In limited circumstances, DoD may also require Level 2 C3PAO in place of the Level 2 self-assessment
  • Phase 2 – begins 12 months after Phase 1 start (November 10, 2026)
    • For solicitations that require Level 2 C3PAO certification that are selected by DoD for inclusion of the clauses
    • DoD may also delay the requirement for Level 2 C3PAO certification to an option period (instead of as a condition on award) or, in select circumstances may require Level 3
  • Phase 3 – begins 24 months after Phase 1 start (November 10, 2027)
    • For solicitations that require Level 3 certification that are selected by DoD for inclusion of the clauses
    • DoD may also delay the requirement for Level 3 to an option period (instead of as a condition on award)
  • Phase 4 – within 36 months after Phase 1 start (November 10, 2028)
    • As of this date all DoD solicitations and contracts must include applicable CMMC level requirements

As noted, CMMC requirements may also extend to subcontractors. Prior to awarding any subcontract that will involve a subcontractor's processing, storage, or transmission of FCI or CUI, the prime contractor must flow down the relevant CMMC clause and ensure that the subcontractor has a current CMMC status listed in SPRS at the required level. The required level is driven by the information the subcontractor will handle: a subcontractor that handles only FCI needs Level 1, while one that handles CUI needs at least the Level 2 status corresponding to the prime's requirement. Subcontractors must further flow down the clause to their applicable subcontractors. All subcontractors subject to the DFARS CMMC clause must submit affirmations of continuous compliance.

Next Steps for DoD Contractors and Subcontractors

  • To the extent the company has not yet done so, define the assessment scope (which contractor information systems, and which assets within them, process, store, or transmit FCI or CUI) and assess those systems against FAR 52.204-21 and NIST SP 800-171, as applicable.
  • Complete and post the required self-assessment and affirmation in SPRS for each contractor information system to be used in performance of a CMMC-covered contract.
  • Establish internal procedures to ensure continuous compliance, including tracking of the three-year assessment and annual affirmation deadlines and timely updates of CMMC levels and affirmations in SPRS.
  • Coordinate with subcontractors to understand their compliance with CMMC requirements and ensure proper flowdown of CMMC obligations.

[1] FCI is non-public information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, such as correspondence with the government customer, contract deliverables, data, and reports. CUI is information that requires special handling or dissemination controls under applicable laws and regulations, such as export controlled information or controlled technical data.

[2] The “affirming official” is the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA’s compliance with the CMMC Program requirements and has the authority to affirm the OSA’s continuing compliance with the specified security requirements for their respective organizations. 32 C.F.R. § 170.4.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Morrison & Foerster LLP - Government Contracts Insights