The Defense Department’s Cybersecurity Requirements Go Live

Husch Blackwell LLP
Key point: Starting November 10, 2025, DoD contracting officers will begin adding Cybersecurity Maturity Model Certification (CMMC) requirements to solicitations, and contracting officers “shall not award a contract, task order, or delivery order to a [contractor] that does not have a current CMMC status at the CMMC level required by the solicitation.”
 

Last week we discussed OIRA’s completion of its review of the DoD’s proposed rule revising the DFARS to formally incorporate the CMMC requirements into future solicitations. As expected, on September 10, 2025, the National Archives and Records Administration published the final rule, Assessing Contractor Implementation of Cybersecurity Requirements, 90 Fed. Reg. 43560 (Sept. 10, 2025).

What does this mean for defense contractors?

Businesses that want to do business with the DoD must review their cybersecurity policies and procedures to ensure they already meet the CMMC level specified in the solicitation. As stated in the new 48 C.F.R. § 204.7502(a)(2), “Contracting officers shall not award a contract, task order, or delivery order to an offeror that does not have a current CMMC status at the CMMC level required by the solicitation” (emphasis added). Be forewarned: the current backlog to schedule a third-party certification for CMMC Level 2 is approximately eight weeks. But reviewing internal policies and procedures is not enough.

Cybersecurity requirements for subcontractors

Contractors must also review their subcontractor agreements to ensure that CMMC requirements are properly flowed down to subcontractors that will handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Prime contractors and higher-tier subcontractors must ensure that lower-tier subcontractors handling FCI or CUI, and external service providers (e.g., IT vendors), also meet the appropriate CMMC level. The revised DFARS contract clause that will be included in future solicitations and awards includes, in relevant part, the following flow down language:

The Contractor shall include the substance of this clause, including this paragraph … in subcontracts and other contractual instruments, including those for the acquisition of commercial products and commercial services, excluding commercially available off-the-shelf items, if the subcontract or other contractual instrument will contain a requirement to process, store, or transmit FCI or CUI.

48 C.F.R. § 252.204-7021(f) (2025). Before a contractor awards a subcontract or other contractual instrument, the contractor must ensure the subcontractor has a current CMMC certificate or current CMMC status at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor. Id.

Risks and rewards of flowing down CMMC requirements

The revised flow down clause is a double-edged sword. It gives primes and higher-tier subcontractors the flexibility to partner with companies that are not CMMC compliant, so long as those companies do not receive, store, or transmit FCI or CUI. However, this flexibility increases the oversight obligation to accurately manage information flows within a supply chain, so that information is not shared with unauthorized business partners.
