Quick Hits
- Beginning November 2025, the DoD will issue contracts requiring contractors to comply with CMMC cybersecurity standards and conduct third-party or self-assessments, depending on the sensitivity of the information they handle.
- In addition to achieving and maintaining the CMMC level specified in each solicitation or contract, the final rule will require contractors to flow down the appropriate requirements to subcontractors, and to document and publish the results of assessments.
- While the rule will be phased in over three years, employers doing business with the DoD may want to review their government information, cybersecurity practices, and data flows early to ensure compliance in advance.
What Is the CMMC?
The CMMC is a cybersecurity framework designed to ensure DoD contractors implement adequate measures to protect federal contract information (FCI) or controlled unclassified information (CUI) processed on contractor-owned information systems. Previously, the CMMC was an accreditation program through the DoD chief information officer. But beginning November 10, 2025, contractors will need to achieve and maintain a specified CMMC level as a condition of contract award, option exercise, or extension.
The sensitivity of the information the contractor handles determines whether the contractor must meet Level 1, 2, or 3 requirements, with Level 1 being the least stringent and Level 3 the most stringent.
- Level 1: This level focuses on basic safeguarding of FCI—information not intended for public release, provided by or generated for the government under a contract, excluding publicly available or simple transactional information. Level 1 requires contractors to align with fifteen practices in Federal Acquisition Regulation (FAR) 52.204-21. All contractors that handle FCI must comply with Level 1 and perform annual self-assessments.
- Level 2: Contractors that handle CUI must comply with the practices in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. CUI is a subset of FCI that the government or its contractors create or possess that is unclassified but subject to safeguarding or dissemination controls limiting its distribution to those with a lawful government purpose. Contractors subject to Level 2 must generally undergo triennial third-party assessments by a CMMC third-party assessment organization (C3PAO), though a small subset of contractors may self-assess.
- Level 3: Finally, Level 3 compliance is reserved for contractors that support critical DoD programs with highly sensitive CUI, requiring additional controls from NIST SP 800-172. Level 3 assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Each contractor information system that processes, stores, or transmits FCI or CUI must be identified by a unique CMMC identifier (UID), and the appropriate CMMC status must be maintained for the life of the contract. Although CMMC provides assessment, attestation, and verification mechanisms, it does not change the security or incident reporting obligations under DFARS 252.204-7012 or NIST SP 800-171.
Key Compliance Obligations
The final rule establishes a three-year phased implementation period, during which time CMMC requirements will be included in select contracts as determined by DoD program offices. By November 2028, CMMC compliance will become mandatory for all contracts that require the handling of FCI or CUI, unless an exception applies. In other words, “contracting officers shall not award a contract, task order, or delivery order to an offeror that does not meet the CMMC requirements identified in the solicitation.”
Critically, certification of “current” CMMC status at the level required by each solicitation will be a condition of award. This includes:
- completing the appropriate third-party or self-assessment for each information system;
- posting the results of assessments and annual affirmations of continuous compliance by an affirming official to the Supplier Performance Risk System (SPRS);
- maintaining CMMC status for the duration of the contract, including option periods and extensions;
- flowing down CMMC compliance requirements to subcontractors and external service providers that will process, store, or transmit the FCI or CUI, and ensuring the subcontractor has a current CMMC status at the appropriate level for the information to be shared; and
- providing UIDs for all relevant information systems to the contracting officer and updating them as changes occur.
The rule defines “current” by status type and timing. Level 1 assessments are current if not older than one year, while Level 2 and Level 3 assessments must be no more than three years old, with appropriate annual affirmations by an affirming official.
What Contracts Are Not Covered?
The CMMC rule applies broadly. There are no blanket exceptions for contracts at or below the Simplified Acquisition Threshold (SAT), micro-purchases (though micro-purchases may not carry DFARS clauses), or small businesses. Although the rule generally applies to commercial products and services using FAR Part 12 procedures, contracts and subcontracts that are solely for the acquisition of commercially available off-the-shelf (COTS) items are excluded. The FAR defines COTS items as any item of supply (other than bulk cargo such as agricultural products and petroleum products) that is (i) a commercial product, (ii) sold in substantial quantities in the commercial marketplace, and (iii) offered to the government without modification in the same form in which it is sold in the commercial marketplace. Additionally, waivers may be available in limited circumstances and at the discretion of the program office.
Practical Steps
The CMMC rule represents a major evolution in federal cybersecurity compliance, with significant operational, contractual, and legal implications for any company doing business with DoD or its contractors. Organizations may want to review their cybersecurity posture and update internal policies by:
- identifying and inventorying all information systems that process, store, or transmit FCI or CUI;
- mapping associated data flows to determine which subcontractors and vendors may be in scope;
- reviewing contract requirements and consulting with program offices to confirm the appropriate CMMC level for each engagement;
- obtaining or updating SPRS access so that the annual affirmation of continuous compliance can be published for each UID;
- if third-party assessments are expected, scheduling them early, since assessor lead times are expected to be long; and
- keeping a thorough record of assessments, affirmations, and other documentation.
Conclusion
CMMC is here, and it is now embedded in DFARS. Starting November 2025, solicitations may include the new provision, which could present an obstacle for contractors without current CMMC status at or above the specified level for their systems. Inclusion is set to scale up, and by November 2028, it will be standard wherever contractors’ systems process FCI or CUI (except for COTS-only buys). Early readiness for the new requirements will be critical to maintain eligibility for DoD contracts, avoid liability associated with false or incomplete attestations, and protect sensitive information in an increasingly complex threat environment.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group and Government Contracting and Reporting Practice Group will continue to monitor developments and will provide updates on the Cybersecurity and Privacy and Government Contracting and Reporting blogs as additional information becomes available.