Cybersecurity Enforcement Intensifies: DoD Issues Final CMMC Rule and Updates DFARS

Key Takeaways

• The U.S. Department of Defense recently issued a final rule to implement the Cybersecurity Maturity Model Certification Program, and defense contractors will be subject to a variety of cybersecurity obligations when the rule becomes effective, starting November 10, 2025.
• Many contractors will need third-party certifications to work with the federal government, a shift from past practices in which self-attestation alone was sufficient.
• As the new requirements take effect in a few short weeks and continue to roll out in the next few years, contractors working with sensitive but unclassified government information should consider where they fall within the new tiered certification structure.

As cybersecurity enforcement ramps up under the False Claims Act (FCA), the latest Cybersecurity Maturity Model Certification (CMMC) update raises the stakes for defense contractors and subcontractors. On September 9, 2025, the U.S. Department of Defense (the Department or DoD) issued its long-awaited final rule implementing the CMMC Program, marking a significant milestone in the federal government’s efforts to strengthen cybersecurity across the defense industrial base. DoD established the CMMC Program to ensure contractors and subcontractors implement proper cybersecurity measures to safeguard sensitive but unclassified information, known as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The Department has amended the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the CMMC Program. These new requirements are intended to strengthen and enforce the requirements already in place at 32 C.F.R. Part 170. The Department issued a proposed rule on August 15, 2024, which resulted in 97 public comments. This month, the Department issued the long-awaited final rule, which is discussed in detail below.

Effective November 10, 2025, the rule outlines how defense contracts will incorporate cybersecurity requirements over a phased three-year period. Between November 10, 2025, and November 9, 2028, program offices and requiring activities will have discretion to determine whether to impose on a contractor the requirement to meet a specific CMMC level. On or after November 10, 2028, program offices and requiring activities must assign a required CMMC level for all contracts, task orders, or delivery orders, except for those solely for the acquisition of commercially available off-the-shelf items, for which the contractor is required to use contractor information systems in the performance of the contract, task order, or delivery order to process, store, or transmit FCI or CUI.

The final rule also introduces key changes to contractor and subcontractor obligations, including: 

• Mandatory certification at the time of award
• Continuous compliance throughout contract performance
• Enhanced oversight through the Supplier Performance Risk System (SPRS)

The rule updates the DFARS solicitation provision/contract clause at DFARS 252.204-7021 to reflect these requirements, which also include a flow-down to subcontractors handling sensitive information.

Contractors and subcontractors processing FCI or CUI must now prepare to meet tiered certification levels based on the sensitivity and risk of the work performed. This rule underscores DoD’s commitment to securing its supply chain and signals a shift toward more rigorous, enforceable cybersecurity standards in federal procurement. Contractors and subcontractors should take care to implement this rule as required; contractors or subcontractors that misrepresent their CMMC compliance status, either in SPRS or during contract performance, may face enforcement actions, including potential liability under the FCA.

CMMC at a Glance

The CMMC Program’s biggest impact is that it now requires many defense contractors and subcontractors to demonstrate their cybersecurity practices through outside certification, rather than simply promising they meet the standards.

A primary feature of the CMMC Program, which was first announced in 2019, is a shift from allowing contractors to “self-attest” that they met cybersecurity requirements to a tiered model in which many contractors will now need to obtain third-party certification that they meet applicable security requirements. The specific requirements depend on the tier that a program office or requiring activity applies. The CMMC Program provides a means for the Department to confirm contractors’ implementation of security requirements to protect FCI or CUI, including, as applicable, requirements set forth in 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems; National Institute of Standards and Technology (NIST) SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations; and NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information.

Through a series of interim rules, the Department began implementing the CMMC Program in September 2020 (CMMC 1.0) and November 2021 (CMMC 2.0). The Department issued a final rule establishing the program on October 15, 2024. This rule was implemented at 32 C.F.R. Part 170 and became effective December 16, 2024. The final rule carried over requirements established by the interim final rules and established new requirements for both the government and contractors.

The CMMC Program centers around four tiers of requirements for validating contractors’ compliance with applicable cybersecurity standards, as summarized below: 

• Level 1 (Self-Assessment for FCI). The contractor must submit a self-assessment that affirms that it will secure FCI processed, stored, or transmitted in the course of fulfilling the contract in compliance with the 15 basic safeguarding requirements under 48 CFR 52.204-21(b)(1)(i) through (xv).
• Level 2 (Self-Assessment for CUI). The contractor must submit a self-assessment that affirms that it will secure CUI processed, stored, or transmitted in the course of fulfilling the contract in compliance with the 110 security control requirements under NIST SP 800-171.
• Level 2 (Third-Party Assessment—C3PAO). The contractor must hire a Certified Third-Party Assessor Organization (C3PAO), which is an independent organization authorized by the CMMC accreditation body, to advise and assess the contractor’s compliance with the 110 security control requirements under NIST SP 800-171.
• Level 3 (Government Assessment—DIBCAC). The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a government entity under the Defense Contract Management Agency, assesses 24 additional requirements derived from NIST SP 800-172, which covers enhanced protection for CUI. Contractors must have achieved Level 2 (C3PAO) before requesting Level 3 certification by DIBCAC. 

Program offices and requiring activities must determine the appropriate level for each contract action based on factors related to the sensitivity and risk of the program or activity. These factors include but are not limited to: (1) criticality of the associated mission capability, (2) type of acquisition program or technology, (3) threat of loss of the FCI or CUI to be shared or generated in relation to the effort, (4) impacts from exploitation of information security deficiencies, and (5) other relevant policies and factors. In general, where the sensitivity or risk associated with a particular program or activity is higher, contractors will be subject to a heightened level of scrutiny to ensure their compliance with cybersecurity standards.

Subject to certain conditions, contractors may achieve a “conditional” Level 2 or 3 status before satisfying all requirements of the respective level. Conditionally certified parties must satisfy remaining requirements in accordance with a Plan of Action and Milestones (POA&M) within 180 days to achieve final Level 2 or 3 status. Contracts may be awarded to contractors that have achieved final Level 1 status, conditional or final Level 2 status, or conditional or final Level 3 status, as applicable.

CMMC DFARS Final Rule: Effects on Contractors

As discussed above, DoD’s amendment of the DFARS to include the CMMC Program as a contractual requirement strengthens and enforces the complementary requirements at 32 CFR Part 170 through a three-year phase-in period starting on November 10, 2025. Starting on November 10, 2028, however, contracting officers must include CMMC requirements in all contracts.

Once mandatory assignment of CMMC levels begins in year four, DoD estimates that approximately 62% of contractors will be subject to Level 1 requirements, 2% will be subject to Level 2 (Self) requirements, 35% will be subject to Level 2 (C3PAO) requirements, and 1% will be subject to Level 3 requirements. 

Note, too, that DFARS 217.207 has been modified to require that, when exercising contract options, the contracting officer must verify that the contractor’s CMMC certification remains valid and at the required level, ensuring continued compliance for the duration of the contract, including any option periods.

The rule also includes a modified DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements, to be included as a solicitation provision or contract clause. Compared to the prior version, the updated DFARS 252.204-7021 shifts the certification requirement from proposal submission to contract award and performance, provides more detailed definitions of scope and certification validity, strengthens requirements for maintaining SPRS data, and clarifies the process for exercising contract options. Specifically, the new regulation:

• Defines “current” on a level-by-level basis. Contractors must ensure their certification is valid and up to date for the level required by the contract (e.g., not older than 180 days for Conditional Level 2), with periodic reassessment or renewal as specified for each level, maintaining the appropriate cybersecurity posture for the sensitivity of the information handled.
• “At the time of award.” CMMC compliance is now required at the time of contract award, rather than at proposal submission, and must be maintained throughout the entire period of contract performance, including any exercised options or extensions.
• Limited to systems with FCI or CUI. The rule specifies that CMMC requirements apply only to “contractor information systems used in the performance of the contract, task order, or delivery order to process, store, or transmit FCI or CUI.” Systems not involved in these activities are excluded from the scope of CMMC requirements for the contract.
• Updated SPRS. Contractors are required to maintain accurate and up-to-date information in the SPRS, including timely updates to cybersecurity assessment scores and other relevant data. Continuous monitoring of this score will be critical for contractors moving forward, as contracting officers are directed to rely on SPRS when awarding contracts.
• Flow-down to subcontractors. Prime contractors are required to flow down applicable CMMC requirements to subcontractors whose information systems process, store, or transmit FCI or CUI in performance of the contract, ensuring that subcontractors achieve and maintain the required CMMC level and that compliance is maintained throughout the supply chain.

Related Regulations and Proposed Rules

In addition to the new DFARS regulations regarding CMMC, contractors should also keep in mind the following related guidance when handling sensitive government information: 

• FAR 52.204-21. For federal contracts involving transfer of FCI to nongovernment organizations, contractors must implement 15 minimum security requirements as specified in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
• DFARS 252.204-7012. For federal contracts involving the transfer of Covered Defense Information, which includes CUI and Controlled Technical Information, to nongovernment organizations, contractors must implement the 110 controls outlined in NIST SP 800-171 under DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and must report assessment scores in the SPRS under DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements.Relatedly, contractors must also maintain a System Security Plan and POA&M, flow down these requirements to subcontractors, and rapidly report cyber incidents that affect covered defense information and related systems.
• Proposed FAR rule regarding CUI. While current regulations define both FCI and CUI, it remains unclear whether CUI is a subset of FCI or when contracting officers should apply one standard over another. A proposed rule issued in January 2025 may shed some light. The FAR Council proposed amending the FAR to include the National Archives and Records Administration CUI Registry and requirements. See 90 Fed. Reg. 4,278 (January 15, 2025). If adopted, the term FCI will be replaced with the term “covered Federal information,” which means “information provided by or created for the Government when that information is other than . . . Controlled unclassified information . . .” (emphasis added). The new proposed definition expressly excludes CUI from the definition of covered Federal information. Interestingly, the proposed rule expands upon the distinction between CUI and covered Federal information by (1) stating that when information is not identified as CUI, it may be covered Federal information requiring information system security controls in accordance with FAR 52.204-21, and (2) updating the related prescription clauses to help contracting officers identify covered Federal information (which is more ubiquitous than CUI) and CUI.

Final Thoughts and Next Steps

The above requirements implement various levels of cybersecurity compliance with representations and certifications that contractors maintain such compliance throughout contract performance. By formalizing tiered certification requirements and integrating continuous oversight mechanisms, the rule not only strengthens the security of the defense supply chain but also raises the bar for accountability and transparency in federal procurement. As the phased implementation period begins, defense contractors should proactively assess their cybersecurity posture, update compliance documentation, and engage with qualified assessors to ensure readiness. As a reminder, lapses in compliance or the failure to notify the government of noncompliance may result in contract termination, poor performance scores, or False Claims Act liability, as seen in many settlements by the U.S. Department of Justice’s Civil Cyber Fraud Initiative. Early and diligent compliance will be essential to maintaining eligibility for DoD contracts and mitigating the risk of enforcement actions, positioning organizations to succeed in an increasingly security-conscious procurement environment.