September 18, 2025

Department of Defense Publishes Final Rule to Implement and Enforce Cybersecurity Standards for Contractors

Final Rule Amends Defense Federal Acquisition Regulation Supplement to Implement CMMC Program

At a Glance

  • On September 10, 2025, the Department of Defense published a final rule to implement the Cybersecurity Maturity Model Certification (CMMC) program by introducing new Defense Federal Acquisition Regulation Supplement (DFARS) requirements for contractors handling sensitive unclassified information. Government contractors and subcontractors who do not meet the required CMMC standards will not be eligible for contract awards, task orders, or delivery orders following the full implementation of the final rule.
  • CMMC requirements will roll out over three years, beginning November 9, 2025. Full compliance will become mandatory by November 10, 2028, for all contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), excluding contracts solely for commercially available off-the-shelf (COTS) items.
  • Contractors must maintain a current CMMC status throughout the life of their contract, in accordance with the CMMC level identified by the agency’s program office in the solicitation provision and contract clause. Subcontractors handling FCI or CUI also must comply and enter their own assessments and affirmations into the Supplier Performance Risk System (SPRS).
  • Contractors should closely review all active and pending DoD contracts to assess their required CMMC standards, manage subcontractor compliance and prepare for self-assessments and/or third-party readiness assessments to meet relevant requirements.

On September 10, 2025, the Department of Defense (DoD) published its final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program. The rule represents the culmination of a multiyear effort to strengthen cybersecurity systems across defense contractors and subcontractors that maintain contracts involving systems that process, store or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The final rule comes after several rounds of proposed rulemaking and public comment, including the issuance of an October 2024 final rule to establish the CMMC program itself.

Originally announced in 2019, the CMMC program was developed to move contractors away from a “self-attestation” model of security and toward a standardized, tiered model of practices and processes to protect FCI and CUI. The initial iteration of the CMMC — published as an interim final rule in September 2020 — established a five-year phase-in period for contractors to assess and enhance their cybersecurity frameworks in accordance with the program’s guidelines. During this time, DoD assessed the level of “maturity” required for each contract across five tiers depending on the type and sensitivity of government information required of the contract.

In August 2024, DoD issued a proposed rule to formally integrate the CMMC program into the DFARS, along with a separate final rule in October 2024 to codify the CMMC program framework at 32 CFR Part 170. The September 2025 final rule aligns contractual requirements in DFARS with the CMMC program framework and provides initial guidance for implementation across defense contracts. DoD anticipates that the final rule will broadly affect federal contracting, estimating that more than 337,000 contractors and subcontractors, including nearly 230,000 small entities, will be affected.

We review the final rule and several key pieces of guidance below.

Overview of the CMMC Program

As reflected in the October 2024 rule, the final rule builds on existing regulatory requirements for DoD contractors handling CUI at DFARS 252.204-7012, 252.204-7019, 252.204-7020, and FAR 52.204-21 (applying to all government contractors handling FCI). The CMMC program framework includes three progressive tiers (or “Levels”) for contractors to meet cybersecurity standards, depending on the sensitivity of information involved in the contract.

  • Level 1: Contractors who store, process or transmit FCI must complete an annual self-assessment and annual affirmation of compliance with 15 of the NIST SP 800-171 security requirements, included in FAR 52.204-21. Self-assessments must be submitted to the DoD’s Supplier Performance Risk System (SPRS).
  • Level 2: Contractors who store, process or transmit CUI must comply with all 110 cybersecurity requirements set out in NIST SP 800-171A. Depending on the type of information involved in the contract, DoD solicitations will specify whether compliance may be achieved through a self-assessment or through a Certified Third-Party Assessment Organization (C3PAO).
    • Self-Assessment — Level 2 self-assessments must be conducted every three years and affirmed annually to verify compliance with the NIST SP 800-171A requirements. Self-assessments for Level 2 also must be submitted to the DoD’s SPRS.
    • C3PAO Assessment — Level 2 C3PAO assessments must be conducted every three years and entered into the CMMC Enterprise Mission Assurance Support Service (eMASS). Third-party assessments must also be affirmed annually.
  • Level 3: Contractors who store, process or transmit “high value assets,” as identified by the DoD, must achieve final CMMC Level 2 Status and comply with 24 additional requirements from NIST SP 800-172. Level 3 Status also requires a government assessment and certification every three years by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Key Provisions of the Final Rule

New and Expanded Definitions

Among other changes, the final rule introduces new and enhanced definitions at DFARS 204.7501, including for the following terms:

  • “Current”: Specifies that there have been no changes in compliance since the last assessment or affirmation, with differentiated timeframes for conditional and final CMMC status.
  • “CMMC Unique Identifier (UID)”: Changed to match the naming convention in the Supplier Performance Risk System (SPRS), clarifying that it means the 10 alphanumeric characters assigned to each contractor CMMC assessment and reflected in SPRS for each contractor information system.
  • “Federal contract information”: Added to align with the definition at FAR 52.204-21, meaning “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
  • “Plan of action and milestones”: Added to the final rule, based on the definition codified at 32 CFR Part 170.4(b) (a document that identifies tasks needing to be accomplished and that details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones, as defined in NIST SP 800-115).

Conditional CMMC Status

The final rule permits contractors to hold a conditional CMMC status at Levels 2 and 3 for up to 180 days to remediate deficiencies identified during assessment through the development of a “plan of action and milestones” (POA&M). Accordingly, the language at DFARS 204.7502 has also been updated to include a statement that a final CMMC level is achieved upon successful closeout of a valid POA&M.

Streamlined Reporting and Affirmation Requirements

Importantly, the final rule removes the proposed requirement for contractors to notify contracting officers of changes or lapses in security compliance. Instead, contractors must continue to report cyber incidents according to DFARS 252.204-7012 (i.e., within 72 hours of a cyber incident), while “affirming officials” must complete annual affirmations of continuous compliance in SPRS for each CMMC unique identifier. Offerors will not be eligible for the award of a contract, task order, or delivery order if they lack the required CMMC status in SPRS at the time of award, and loss of CMMC status during contract performance may result in breach or termination, with adverse consequences for future contracting opportunities.

Subcontractor Flow-Down Clarifications

The subcontract flow-down language in the final rule has been updated to specify that subcontractors also must submit affirmations of continuous compliance and the results of self-assessments in SPRS for any system processing FCI or CUI. Although prime contractors cannot directly access subcontractor SPRS records, prime and higher-tier subcontractors must verify compliance prior to subcontract award or information sharing.

Exemption for COTS Contracts

Notably, contracts solely for commercially available off-the-shelf (COTS) items are exempt from CMMC program requirements, potentially reducing the burden for businesses that primarily supply commercial products to defense agencies.

Implementation Timeline

Under the final rule, contracts involving sensitive FCI or CUI shared with defense contractors and subcontractors during contract performance will become subject to CMMC over a three-year phased implementation period, beginning on November 9, 2025 (60 days after publication). After that period, the requirements will apply to all defense contracts that require contractors to store or transmit FCI or CUI.

  • Years 1-3 (Nov. 2025 - Nov. 2028): CMMC requirements apply only when program offices determine they are necessary, using a phased approach.
  • Year 4 and Beyond (Starting November 10, 2028): CMMC compliance will be mandatory for all contracts involving contractor systems that process, store or transmit FCI or CUI, excluding COTS-only contracts.

Considerations for Government Contractors

Contract Review and Preparation

Contractors should review all active and anticipated DoD contracts to determine required CMMC levels, as well as all internal systems handling FCI and/or CUI to identify any necessary changes. To prepare for full implementation, contractors should conduct a gap analysis and remediate any deficiencies before working on a self-assessment (for Levels 1 or 2) or a third-party assessment (for Levels 2 or 3). Contractors requiring a third-party assessment should establish their contacts as soon as possible, as C3PAO services will be in higher demand as contracting officers begin incorporating CMMC requirements into contracts going forward.

Subcontractor Management

Prime contractors should ensure all subcontractors handling FCI or CUI are CMMC compliant before sharing any FCI or CUI, and before awarding further subcontracts or task orders. It is also important that prime contractors develop internal procedures for verifying subcontractor compliance, including collecting necessary affirmations from subcontractor officials.

Maintain Compliance Systems

In addition to remediating any substantive deficiencies across cybersecurity systems, contractors should closely review their internal policies and procedures to ensure they reflect the latest requirements set forth in the final rule. Contractors should also ensure all CMMC unique identifiers are tracked and updated in SPRS as soon as possible.

Assess Legal and Regulatory Risks

Contractors lacking a solicitation’s required CMMC status at the time of award will be ineligible for the contract, making it vital that contractors shore up their internal systems prior to submitting new bids. Failure to maintain continuous compliance during the life of a contract may result in liability under the False Claims Act (FCA), particularly where a contractor has not monitored its CMMC compliance after a formal certification to the government. We have already seen significant FCA prosecutions relating to cybersecurity and DFARS compliance, and we expect a significant uptick in FCA enforcement as it relates to CMMC. This is especially important given the recent focus on and designation of such issues as national security concerns.

Solicitation Review Procedures

As we have previously noted, contractors should incorporate a careful review of the solicitation’s required CMMC level into their solicitation review procedures. Contractors should ensure they comply with the designated level or, if the level appears to be in error, seek redress from DoD as early as possible in the solicitation process.

For More Information

For further information, please contact the authors.