September 16, 2025

Department of Defense Releases Long-Anticipated Final Rule Implementing the Cybersecurity Maturity Model Certification Program


On September 9, 2025, the Department of Defense (DoD) published a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements to implement the Cybersecurity Maturity Model Certification (CMMC) program.

CMMC was designed to ensure government contractor compliance with cybersecurity standards and best practices, including pertaining to access controls, software updates, authentication, physical security, and reporting of security incidents. As we explained in our last Legal Update on the topic, a prior rulemaking established the substantive cybersecurity standards of the CMMC program. This rule finalizes the integration of CMMC into the DoD acquisition process by establishing the procedural framework for assessing and verifying contractor cybersecurity practices, including implementation of requirements to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the defense supply chain.

Background

The updated rule amends the DFARS to fully integrate CMMC 2.0, the DoD’s improved effort to streamline cyber supply chain security, into the acquisition process by allowing DoD to include CMMC requirements in solicitations. The rule will take effect November 10, 2025. The final rule addresses numerous public comments, resulting in clarification of definitions and compliance procedures, and specification of flow-down obligations for subcontractors with the goal of ensuring that contractors and subcontractors can adequately protect FCI and CUI throughout the lifecycle of DoD contracts.  

Notably, the final rule also removed the requirement to report to the contracting office lapses in information security or changes in compliance with 32 CFR 170 (i.e., changes in the status of CMMC certification or self-assessment levels) during the performance of the contract. The DoD determined that existing DFARS reporting requirements provide “sufficient notification of information security incidents” and “[t]herefore, an additional reporting requirement in this rule is not necessary to protect DoD information.”

Process

The new rule requires contractors to upload their CMMC self-assessments, as well as current CMMC status for each CMMC unique identifier (CMMC UID), to the Supplier Performance Risk System (SPRS). CMMC UIDs are unique alphanumeric identifiers assigned to each contractor information system that undergoes a CMMC evaluation. Contractors must take these steps prior to securing an award, and must maintain their status throughout the duration of the contract. Contracting officers will be required to verify a contractor’s CMMC status in SPRS before awarding contracts, exercising options, or extending periods of performance. Contracting officers must specify the required CMMC level in solicitations and contracts, and offerors must have current CMMC status and affirmations in SPRS for all relevant information systems to be eligible for award. Contractors must achieve and maintain compliance with the required CMMC status at the level specified in the solicitation for all information systems processing, storing, or transmitting FCI or CUI. For CMMC Levels 2 and 3, a conditional status is permitted for up to 180 days, with final status contingent on closure of any outstanding Plans of Action and Milestones.

Subcontractors are subject to similar requirements when processing FCI or CUI. Subcontractors that handle FCI or CUI must also submit affirmations of compliance and self-assessment results in SPRS. However, subcontractors will not be required to submit CMMC UIDs directly to the contracting officer. The prime contractor is ultimately responsible for certifying the subcontractor’s current CMMC status and compliance prior to awarding a subcontract if the subcontractor will handle FCI or CUI.

Additionally, DoD clarified in its response that the government cannot indemnify prime contractors in the event that the government deems a subcontractor does not have a timely or sufficient certification status in SPRS such that the prime might be rendered ineligible for an award. Accordingly, where subcontractors may be handling FCI or CUI, the prime will ultimately be responsible for ensuring subcontractor CMMC compliance.

Implementation

The rule clarifies a phased implementation approach. Unless CMMC Program requirements are waived pursuant to 32 CFR 170.5(d), for three years following the effective date, CMMC requirements apply only when program managers determine their necessity, excluding contracts solely for commercially available off-the-shelf (COTS) items (as defined in FAR 2.101). After three years, CMMC requirements apply to all contracts involving FCI or CUI, except those exclusively for COTS items.

The final rule also clarifies that any modifications of existing contracts to incorporate CMMC requirements after the effective date of this rule will be at the discretion of the contracting officer subject to existing contractual obligations as specified in FAR 1.108(d).

Timeline for CMMC Phases

CMMC compliance dates for each of the four phases specified in 32 CFR 170.3(e) are tied to the final rule’s effective date of November 10, 2025.

  • Phase One—November 10, 2025: The DoD program managers or requiring activities will determine the applicable DoD solicitations and contracts that require Level 1 or Level 2 self-assessments as a condition of award. DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 C3PAO (requiring a C3PAO certification) for certain DoD solicitations and contracts.
  • Phase Two—November 10, 2026: The DoD program managers or requiring activities will determine the applicable DoD solicitations and contracts that will require the CMMC Status of Level 2 C3PAO (requiring a C3PAO certification). DoD may also, at its discretion, include the requirement for CMMC Status of Level 3 (requiring a DIBCAC certification) for applicable DoD solicitations and contracts.
  • Phase Three—November 10, 2027: The DoD Program Managers or requiring activities will determine the applicable DoD solicitations and contracts that will require the CMMC Status of Level 3 (requiring a DIBCAC certification).
  • Phase Four—November 10, 2028: DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts.

Conclusion

The final DFARS rule completes a lengthy rulemaking process to establish and fully implement comprehensive contractual requirements for CMMC, supporting DoD’s efforts to secure the defense supply chain against cyber threats. The requirements take effect on November 10, 2025, with full implementation phased in over three years. Contractors and subcontractors should carefully review their cybersecurity programs and contract terms, in consultation with counsel, to ensure compliance with existing requirements and continued eligibility to participate in the DoD acquisition process.
