This Is Not a Drill: Department of Defense Issues Long-Awaited Final CMMC DFARS Rule

Blank Rome LLP

After years of drafts and interim measures, the Department of Defense (“DOD”) has issued the final Defense Federal Acquisition Regulation Supplement (“DFARS”) rule implementing the Cybersecurity Maturity Model Certification (“CMMC”) program. This long-awaited development cements CMMC as a contractual requirement and clarifies key aspects of the rule’s certification, compliance, and oversight requirements.

How Will CMMC Work?

Under the final rule, every solicitation where a contractor may store, process, or transmit Federal Contract Information (“FCI”) or controlled unclassified information (“CUI”) will be assigned a CMMC level. Solicitations involving just FCI will have a CMMC Level 1 requirement. Solicitations involving non-Defense CUI will have a CUI Level 2 Self-Attestation requirement. Solicitations involving Defense CUI will have a CUI Level 2 third-party certification (i.e., C3PAO) requirement. Solicitations involving particularly sensitive DOD programs will have a Level 3 requirement. Level 3 requires an assessment by the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”).

Each CMMC assessment/certification will be tied to a “CMMC unique identifier” (i.e., a “UID”). Offerors must list applicable UIDs in their proposals, enabling DOD to cross-check compliance through the Supplier Performance Risk System (“SPRS”). Before awarding a contract, contracting officers must verify the contractor’s CMMC status in SPRS. If a contractor’s SPRS profile does not list a current CMMC status at the procurement’s CMMC level (or higher), the contractor is generally ineligible for award.

Is a Contractor Eligible for a Contract If It Does Not Have the Required CMMC Status?

It depends. The final rule makes clear that contractors must hold a “current” CMMC certification at the time of award. But the final rule also introduces the concept of “conditional status,” which may be used in limited circumstances while contractors finalize their certifications. Under this status, a contractor is eligible for contracts at the CMMC level for which it is conditionally approved as long as the contractor implements the missing CMMC controls within 180 days of receiving conditional status.

What About Subcontractors?

As expected, CMMC requirements flow down to subcontractors. Subcontractors are required to have their CMMC status registered in SPRS, and prime contractors must confirm that subcontractors meet applicable CMMC requirements before awarding the subcontract. The final rule does not prescribe how primes should confirm subcontractor compliance, but suggests that subcontractors can share a print-out of their CMMC SPRS assessment score or certificates.

What Is the Implementation Timeline for CMMC?

The final rule becomes effective on November 10, 2025. Importantly, DOD has emphasized a phased implementation. For the next three years—until November 9, 2028—the program office or requiring activity will determine whether a specific solicitation will include a CMMC requirement. If DOD sticks to the implementation approach outlined in the companion 32 C.F.R. Part 170 rule, we can expect to see the following:

  • Year 1 (Nov. 10, 2025–Nov. 9, 2026): DOD will start including CMMC Level 1 and CMMC Level 2 (Self-Assessment) requirements in applicable DOD solicitations (i.e., solicitations that will involve FCI and non-Defense CUI).
  • Year 2 (Nov. 10, 2026–Nov. 9, 2027): DOD will start including CMMC Level 2 (C3PAO) requirements in applicable DOD solicitations (i.e., solicitations that will involve Defense CUI).
  • Year 3 (Nov. 10, 2027–Nov. 9, 2028): DOD will start including CMMC Level 3 (DIBCAC) requirements in applicable DOD solicitations (i.e., solicitations for particularly sensitive DOD programs).

What Are Some Practical Takeaways for Contractors?

For federal contractors, the final rule offers long-awaited clarity but also imposes significant compliance burdens:

  • Have a plan. Contractors should identify what CMMC level they need and then develop a plan to meet those requirements. For many DOD contractors, a CMMC Level 2 C3PAO certification is critical. Those contractors must start preparing for that certification today if they have not already started.
  • Update proposal strategies. Contractors should be prepared to include CMMC UIDs in future submissions. If contractors have multiple UIDs, they should make sure they identify the correct UID in each proposal. Failure to do so could lead to their disqualification.
  • Strengthen subcontractor oversight. Develop policies to confirm and document subcontractor compliance. Prime contractors should, at a minimum, require subcontractors to provide their CMMC SPRS assessment scores or certificates.
  • Monitor CMMC compliance. CMMC is an ongoing compliance requirement. Contractors should regularly monitor their compliance with applicable CMMC requirements to ensure their compliance does not lapse, potentially rendering them ineligible for contracts.

The release of the final CMMC DFARS rule marks a watershed moment in defense contracting. While phased implementation will allow some adjustment time, contractors who delay preparation risk exclusion from lucrative opportunities. Now is the time to assess compliance, engage with assessors, and establish internal systems that can withstand scrutiny.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Blank Rome LLP
