Insights | Ryan & Wetmore Business & Tax Articles

New CMMC Rule: Crucial Cybersecurity Changes for Defense Contractors

Written by Rosie Cheng | Oct 2, 2025 1:30:00 PM

Key Details: On September 10, 2025, the Department of Defense (DoD) finalized a rule to incorporate the Cybersecurity Maturity Model Certification (CMMC) program into its acquisition regulations. This final rule, published in the Defense Acquisition Regulations System (DFARS), is effective November 10, 2025, and amends the DFARS to require cybersecurity certification for defense contractors. After years of planning and pilot programs, CMMC will soon be written into DoD contracts as a condition of award.

This final rule takes effect through a phased implementation and largely follows the proposed DFARS rule published in August 2024. However, the final rule adds several important new provisions. Defense contractors are therefore encouraged to review the final rule thoroughly and consult their trusted advisors to determine the next steps to remain compliant and competitive.

Background on CMMC

The CMMC program is a DoD initiative developed to secure the Defense Industrial Base (DIB) from cyber threats. The DoD first announced CMMC in 2019 and released CMMC 1.0 in early 2020 with a five-level maturity model. However, this initial framework was never fully implemented, and the DoD announced an overhaul to CMMC 2.0 towards the end of 2021. CMMC 2.0 was streamlined to three certification levels to reduce costs and administrative burden on defense contractors. The goal remained the same: to ensure that defense contractors have an adequate cybersecurity infrastructure in place before handling sensitive government information.

Before CMMC was developed, defense contractors were required to implement baseline security controls. For example, contractors handling Controlled Unclassified Information (CUI) have been required to follow NIST SP 800-171 standards and controls through self-attestation. CMMC builds upon existing requirements by introducing third-party or government-led assessments and formal certifications.

CMMC 2.0: Tiered Structure Refresher

CMMC 2.0 introduced a three-tier certification model that was aligned with the sensitivity of the information handled.

Level 1

This lowest foundational tier generally applies to defense contractors that handle (store, process, or transmit) only Federal Contract Information (FCI) and requires basic cyber hygiene practices. Annual self-assessments are required at this level to determine compliance with the 15 controls under FAR 52.204-21.

Level 2

This advanced tier applies to contractors that handle CUI and aligns with the full suite of NIST SP 800-171 controls (110 security requirements). Lower-risk CMMC Level 2 contracts require defense contractors to self-assess their compliance with the 110 NIST controls, while higher-risk contracts require defense contractors to obtain certification from a Certified Third-Party Assessment Organization (C3PAO). Defense contractors should note that the DoD will specify which type of Level 2 assessment (self-assessment or C3PAO certification) a given contract requires.

Level 3

This expert tier is reserved for defense contractors handling the most sensitive CUI, adding in more stringent controls based on NIST SP 800-172. At this level, defense contractors must obtain certification from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years.

Overview of the Final Rule and Implementation Phases

The new DFARS final rule is the mechanism that links CMMC 2.0 to contract awards. It updates the DFARS to require that defense contractors have a current CMMC certification (or self-assessment if applicable) at the appropriate level as a condition for contract award. The final rule also includes two DFARS provisions: DFARS 252.204-7021 (a contract clause detailing obligations) and DFARS 252.204-7025 (a notice provision for inclusion in solicitations).

The rule takes effect on November 10, 2025, when the DoD can officially begin requiring CMMC compliance in new contracts. Defense contractors should note that the final rule specifies that agencies may include the CMMC requirement in solicitations issued before this date if the contract will be awarded after November 10, 2025. Defense contractors may begin seeing CMMC clauses in some late-2025 solicitations. The DoD has adopted a phased rollout approach over the next three years to allow defense contractors time to comply with the requirements.

Phase 1: November 10, 2025

Phase 1 begins on the final rule’s effective date. The DoD will start including CMMC Level 1 or Level 2 self-assessment requirements (or a C3PAO certification in some cases) in all new contract awards under which a defense contractor’s information systems will handle FCI or CUI. This does not apply to contracts for Commercially Available Off-the-Shelf (COTS) items. Defense contractors may also see CMMC requirements added when an option year is exercised on a contract that was awarded before the final rule’s effective date.

Phase 2: November 10, 2026

Phase 2 adds Level 2 (C3PAO certification) requirements to applicable solicitations as a condition of award. Note that Level 2 requirements may also be added.

Phase 3: November 10, 2027

The DoD intends to include Level 2 C3PAO requirements in all relevant contracts as both a condition for initial award and for the exercise of any contract options.

Phase 4: November 10, 2028

The full implementation phase begins, and all applicable contracts and option periods will include CMMC program requirements as a condition of award.

During the phase-in period, the DoD retains discretion, on a case-by-case basis, to decide whether to include CMMC requirements in each solicitation. This flexibility is intended to give defense contractors time to comply.

Notable Provisions in the Final Rule

The final rule largely aligns with the framework that was set out in the 2024 proposed rule, but includes some updates that defense contractors should be aware of:

  • Each CMMC assessment a defense contractor undergoes will be assigned a unique ID (UID) in the Supplier Performance Risk System (SPRS). Under the final rule, businesses must provide the CMMC UID for each information system that will handle FCI or CUI as part of their proposal, so that the DoD can verify in SPRS that those systems have the required assessment on record.
  • The final rule makes it clear that a defense contractor will not be eligible for award of a contract requiring CMMC unless the contractor has a current CMMC status posted in the SPRS at the required level and a current annual affirmation of compliance.
  • The proposed rule included a 72-hour reporting requirement for any security breaches or lapses in compliance. The final rule drops this additional reporting burden, deferring to the existing incident reporting requirements under DFARS 252.204-7012.
  • The final rule includes mandatory flow-down requirements of the DFARS 252.204-7021 clause to all subcontracts where the subcontractor will handle FCI or CUI. The final rule also clarifies that subcontractors are required to post their self-assessments or certifications in SPRS. Additionally, prime contractors are responsible for ensuring their applicable subcontractors meet the required CMMC level, but prime contractors will not get direct access to the subcontractor’s SPRS data for privacy reasons.

Conclusion and Action Plan

With the final rule taking effect in November, defense contractors – both prime and sub – should take proactive steps to ensure they stay ahead of the compliance curve.

  • Evaluate the type of information your organization handles (or is likely to handle on future contracts).
    • If you deal only with FCI and no CUI, you will need to meet Level 1 certification requirements. If you handle CUI, plan for at least Level 2 certification.
  • Understand the required level your information system must comply with and the associated security controls to maintain compliance.
  • Conduct a thorough gap analysis of your existing security controls against the CMMC requirements for your target level.
  • Document any gaps in your cybersecurity infrastructure to remediate or include a plan of action and milestones.
  • Launch a remediation program to address any cybersecurity gaps identified.
  • Update policies and procedures where needed and review internal controls.
  • Meet with an advisor to help determine certification levels and engage with third-party assessors in advance.
  • Ensure assessment results are entered into SPRS once obtained.
  • Establish processes for continuous monitoring of your systems to detect any new vulnerabilities or security incidents.
  • Provide employees with training to adapt to new threats.
  • For prime contractors, flow down CMMC requirements to applicable subcontractors and ensure those companies are keeping up with compliance. Identify which suppliers will handle FCI / CUI on your contract and communicate with them about the CMMC requirements they have to meet.
  • Stay informed on evolving cybersecurity requirements and be prepared to adapt when needed.

The newly published final rule emphasizes the importance of protecting sensitive data. While the compliance timeline is phased in over the next three years, contractors should aim to start reviewing their systems now to remain compliant and competitive.

Today’s Thought Leader

About Rosie Cheng
Senior Finance Consultant

Rosie Cheng is a Senior Finance Consultant at Ryan & Wetmore. She focuses on government contracting services and produces many of the firm’s government contracting newsletters. Rosie earned her Master of Science in Management from Georgetown University and a BBA from William and Mary.