DoD Finalizes CMMC Rule: What Defense Contractors Need to Know

Bass, Berry & Sims PLC

The Department of Defense (DoD) has issued its long-awaited final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program into the Defense Federal Acquisition Regulation Supplement (DFARS). The rule establishes a three-year phased rollout that will ultimately apply to nearly every contractor and subcontractor handling federal contract information (FCI) and controlled unclassified information (CUI) (the new requirements do not apply to awards that do not involve the handling or transmission of FCI or CUI).

For businesses across the defense industrial base, this marks a turning point in how cybersecurity compliance will be measured, enforced, and tied directly to contract eligibility.

In the final rule, DoD emphasized that implementing the contractual requirements of the CMMC program is “critical to national security.” The final rule reflects that priority, with two core objectives. First, it gives DoD greater confidence that contractors can safeguard sensitive unclassified information at a level appropriate to the risks involved. Second, it implements Congress’ mandate under Section 1648 of the Fiscal Year 2020 National Defense Authorization Act, specifically paragraph (c)(2), which required the Secretary of Defense to establish a unified, risk-based cybersecurity framework for the defense industrial base, built on standards, metrics, tiered requirements, and third-party certifications such as CMMC.

The rule was published in the Federal Register on September 10, 2025, and takes effect 60 days later, on November 10, 2025.

Background

The CMMC program, codified in October 2024 at 32 C.F.R. Part 170, was designed to standardize cybersecurity requirements across the defense supply chain. The final DFARS rule implements this policy. Under this framework, contractors must complete self-assessments (for CMMC Level 1 and some Level 2 requirements) or undergo third-party or DoD certifications for higher levels, depending on the type of information their systems will process, store, or transmit. It requires contractors to post their assessment results in the Supplier Performance Risk System (SPRS), maintain the required CMMC level for the life of the contract, and submit annual affirmations of continuous compliance. Importantly, these requirements apply not only to prime contractors but also to subcontractors throughout multi-tier supply chains.

Key Features of the Final Rule

The final rule makes CMMC compliance a prerequisite for contract eligibility. Without proof of their current CMMC status in SPRS, contractors cannot win new awards, and on contracts that include the CMMC requirements they cannot be awarded options or have their period of performance extended. Contracting officers will specify the required level, but contractors may exceed the minimum if they are already certified at a higher level.

To maintain eligibility, contractors must keep their certification active for the entire life of the contract. This includes posting the results of a Level 1 or Level 2 self-assessment, or a third-party assessment for higher levels, in SPRS for each system used in performance. Contractors must also identify those systems by providing the government with their CMMC unique identifiers (UIDs), updating the information as needed.

Compliance is not a one-time requirement. An affirming official must submit an annual statement in SPRS certifying continuous compliance with the security standards in 32 C.F.R. Part 170 or file an updated affirmation whenever a system’s compliance status changes. These obligations apply to solicitations and contracts involving FCI or CUI, but do not extend to awards that exclude such information.

These requirements apply to all businesses, large or small, bidding on solicitations that include a CMMC level. The self-assessment posting requirement applies only to entities needing Level 1 or Level 2 certification, but the UID reporting and annual affirmation obligations apply to all businesses awarded contracts that include a CMMC requirement.

Phased Rollout

In the first three years of the phased rollout, CMMC requirements will appear only in select contracts, as directed by the CMMC Program Office. After that point, all DoD component offices must include CMMC requirements in solicitations and contracts where contractors will handle FCI or CUI on their systems. By the fourth year, every offeror bidding on a DoD contract or order involving FCI or CUI will need at least a CMMC Level 1 self-assessment, or a higher level specified in the solicitation.

Impact on Small Businesses

The rule’s reach is significant. DoD estimates that nearly 338,000 unique entities will ultimately be covered, with about 68% of them qualifying as small businesses. During the first three years, the number of small entities impacted will grow from about 1,100 in year one to more than 18,000 in year three. By year four, nearly 230,000 small businesses will be subject to the requirements.

While the rule exempts contracts exclusively for commercially available off-the-shelf (COTS) items, small contractors will still face new reporting and recordkeeping demands. These include posting self-assessments in SPRS, providing system identifiers (CMMC UIDs), and ensuring an affirming official submits annual compliance confirmation. For many small entities, the costs of compliance, ranging from upgrading IT systems to hiring cybersecurity consultants, could be a real challenge. However, phased implementation gives smaller firms a window to plan, budget, and adapt.

Looking Ahead

The final CMMC rule underscores DoD’s determination to protect sensitive information and strengthen the resilience of the defense industrial base. By tying contract eligibility to verified cybersecurity standards, the rule makes cybersecurity compliance a condition of doing business with DoD. These mandatory requirements, including the obligation to provide annual affirmations of continuous compliance with the cybersecurity standards, create additional potential liability for contractors.

While small businesses will bear a substantial portion of the compliance burden, contractors who prepare now by understanding their required CMMC level, documenting compliance, and engaging their subcontractors will be best positioned to compete in a defense market that increasingly values security.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Bass, Berry & Sims PLC
