Highlights
- The U.S. Department of Defense (DOD) has issued the long-awaited final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program.
- The rule, effective Nov. 10, 2025, fundamentally changes how cybersecurity requirements are incorporated into DOD contracts and subcontracts.
- This Holland & Knight alert breaks down the most critical aspects for contractors and the government contracts industry.
The U.S. Department of Defense (DOD)1 has issued the long-awaited final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program. This rule, effective Nov. 10, 2025, fundamentally changes how cybersecurity requirements are incorporated into DOD contracts and subcontracts. This Holland & Knight alert breaks down the most critical aspects for contractors and the government contracts industry.
CMMC Will Now Be a Contractual Requirement
The final rule makes CMMC compliance a mandatory, enforceable element of DOD contracts. Each solicitation and contract will specify the required CMMC level for contractor information systems that process, store or transmit sensitive information – designated as either Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Every DOD solicitation and contract that requires the processing, storage or transmission of FCI or CUI will now specify the exact CMMC level required for the contractor's information systems. The CMMC level is determined by the program office or requiring activity based on the sensitivity of the information and risk profile of the contract. This requirement is codified in the contract clause at DFARS 252.204-7021 and the solicitation provision at DFARS 252.204-7025. These clauses must be included in all applicable solicitations and contracts, except those solely for the acquisition of commercially available off-the-shelf (COTS) items.
The rule establishes three distinct CMMC levels, each with its own assessment and compliance requirements:
- Level 1 (Self). This level applies to information systems that handle only FCI. Contractors must perform an annual self-assessment against the Level 1 requirements and post the results in the Supplier Performance Risk System (SPRS). No third-party or government assessment is required at this level, but the contractor's affirming official must annually affirm continuous compliance for each relevant information system.
- Level 2 (Self or C3PAO). Level 2 is required for systems that process, store or transmit CUI. Depending on the contract, the assessment may be either a self-assessment (for certain categories of CUI) or a third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) (for higher-risk CUI or as specified by the program office). The required assessment type will be specified in the solicitation and contract. Contractors must ensure the results are posted in SPRS and maintain annual affirmations of compliance.
- Level 3 (DIBCAC). This is the highest level of CMMC and applies to the most sensitive environments, typically involving critical national security information. Assessments at this level must be conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Contractors must achieve and maintain this status for all relevant systems, with results and affirmations posted in SPRS.
Eligibility for contract award, option exercise or period of performance extension is contingent on having a current CMMC status at or above the required level as posted in the SPRS. Contractors must annually affirm continuous compliance for each CMMC unique identifier (UID) associated with their respective information systems. The rule also notably clarifies definitions such as "current," "CMMC status" and "affirming official," ensuring all parties understand the compliance expectations and reporting mechanisms.
Phased Implementation Timeline
To minimize disruption, the rule introduces a three-year phase-in period:
- Years 1-3. CMMC requirements will be included in select contracts as determined by program offices. This allows contractors time to adapt and prepare for compliance.
- Year 4 and Beyond. CMMC will be required in all applicable DOD contracts involving FCI or CUI, except those solely for COTS items.
- COTS Exclusion. Contracts exclusively for COTS items, as defined by Federal Acquisition Regulation (FAR) 2.101, are exempt from CMMC requirements. This exclusion is intended to reduce unnecessary compliance burdens for low-risk procurements.
Conditional and Final CMMC Status
The rule introduces flexibility for contractors working toward full CMMC compliance. Recognizing that immediate, full certification may not always be feasible – particularly for higher CMMC levels – the rule establishes a framework that allows contractors to participate in DOD contracts under certain conditions while they actively remediate outstanding cybersecurity gaps. By delineating these pathways, the rule balances the need for robust cybersecurity with practical considerations for contractor readiness, ensuring that critical DOD programs are not unduly delayed while maintaining a high standard of information protection throughout the supply chain.
- Conditional Status. For CMMC Levels 2 and 3, contractors may be awarded contracts with a "conditional" status for up to 180 days, provided they are actively closing out a Plan of Action and Milestones (POA&M). Notably, for Level 1, only final status is permitted at award – no conditional status is allowed.
- Final Status. Upon successful POA&M completion, contractors must achieve "final" CMMC status.
For Final CMMC Status, the following metrics apply:
- Level 1 (Self). Not older than one year, with no changes in compliance since the status date, and a corresponding affirmation of continuous compliance (not older than one year) by an affirming official.
- Level 2 (Self or C3PAO). Not older than three years, with no changes in compliance since the status date, and a corresponding affirmation of continuous compliance (not older than one year) by an affirming official.
- Level 3 (DIBCAC). Not older than three years, with no changes in compliance since the status date, and a corresponding affirmation of continuous compliance (not older than one year) by an affirming official.
Subcontractor Flowdown and Potential Supply Chain Implications
The final rule implementing CMMC requirements also makes clear that cybersecurity obligations are not limited to prime contractors – they extend throughout the entire supply chain. This approach is designed to ensure that all entities handling sensitive DOD information, whether FCI or CUI, maintain an appropriate level of cyber hygiene and accountability.
- Flowdown Requirements. Prime contractors are required to flow down CMMC requirements to all subcontractors and suppliers that will process, store or transmit FCI or CUI in performance of the subcontract or other contractual instrument. This means that any lower-tier entity with access to such information must comply with the CMMC level specified for the work the subcontractor is performing. The rule clarifies that flowdown is only required when the subcontractor will actually handle FCI or CUI. Subcontractors who do not process, store or transmit FCI or CUI are not subject to CMMC requirements under the contract.
- Prime Contractor Responsibilities. Prime contractors bear significant responsibility for ensuring supply chain compliance. Before awarding a subcontract or sharing FCI or CUI, primes must verify that the subcontractor has a current CMMC status at the appropriate level for the type of information the subcontractor will access. This verification must occur prior to subcontract award, and primes must not disseminate FCI or CUI to any subcontractor who does not meet the required CMMC level.
- No Automated SPRS Access. A notable operational challenge is that prime contractors do not have automated access to view subcontractor CMMC status in SPRS. The system is designed to protect the privacy and proprietary information of each entity, so only the entity itself can access its own SPRS records. As a result, subcontractors may voluntarily share screenshots or copies of their SPRS status, assessment results or certificates with prime contractors to demonstrate compliance. This process is not automated and requires direct communication and coordination between primes and their subcontractors.
Procedural and Reporting Changes
The final DFARS rule significantly streamlines and clarifies the compliance procedures that contractors must follow to demonstrate and maintain CMMC status. These procedural updates are designed to ensure accurate, timely and ongoing verification of cybersecurity compliance while also reducing duplicative or unnecessary reporting burdens.
- CMMC UIDs – System-Specific Tracking and Notification. A central procedural requirement is the use of CMMC UIDs for each contractor information system that will process, store or transmit FCI or CUI in performance of a DOD contract. Each UID is a 10-character alphanumeric code generated by SPRS when a CMMC assessment is submitted.
- Annual Affirmation. The rule requires that an "affirming official" – a designated senior official within the contractor's organization – must complete an annual affirmation of continuous compliance for each CMMC UID in SPRS. This process is designed to ensure that CMMC compliance is not a one-time event but a sustained, actively managed obligation throughout the life of the contract. This affirmation process is not a mere formality; it is a recurring, formal attestation that 1) the information system associated with each UID remains in full compliance with the applicable CMMC requirements and 2) there have been no changes in compliance status since the last assessment or affirmation or, if there have been changes, that they have been addressed and the system is still compliant. The affirmation must be completed at least once every 12 months for each UID and must be updated promptly if there are any material changes in compliance status.
No Additional Incident Reporting
In response to public comments and to reduce administrative burden, the final rule removes the requirement for contractors to notify contracting officers of lapses in information security or changes in CMMC certification status. Instead, contractors are only required to report cyber incidents in accordance with the existing DFARS 252.204-7012 clause, which mandates notification of information security incidents within 72 hours.
Scope and Definitions Clarified
The rule provides critical clarity on applicability, terminology and the definitions of key terms, directly addressing concerns raised during the rulemaking process and ensuring consistent interpretation and implementation across the defense industrial base.
- Applicability – Targeted to Relevant Information Systems. A major clarification in the rule is its precise limitation of CMMC requirements to contractor information systems that process, store or transmit FCI or CUI in performance of the contract. This targeted approach is designed to avoid regulatory overreach and unnecessary compliance burdens on systems that are not involved in handling sensitive DOD information.
- Definitions Updated. To ensure uniform understanding and application, the rule updates and codifies several key definitions at DFARS 204.7501, aligning them with the CMMC program rule at 32 C.F.R. Part 170. These definitions are now contained in the contract clause at DFARS 252.204-7021 and the solicitation provision at DFARS 252.204-7025.
- Current. This term now has a specific meaning tied to the validity period of CMMC assessments and affirmations. For example, a "current" conditional CMMC status is not older than 180 days, and a "current" final CMMC status is not older than one year (Level 1) or three years (Levels 2 and 3), with no changes in compliance since the status date and a corresponding affirmation of continuous compliance by an affirming official.
- CMMC Status. The rule defines the possible statuses (e.g., Final Level 1 (Self), Conditional Level 2 (Self), Final Level 2 (C3PAO), etc.), clarifying what contracting officers and contractors will see in SPRS and what is required for contract eligibility and performance.
- CMMC UID. The CMMC UID is a 10-character alphanumeric code assigned to each CMMC assessment and reflected in SPRS for each contractor information system. This enables precise tracking and verification of compliance for each system in scope.
- Affirming Official. This is the designated senior official within the contractor's organization responsible for completing and maintaining annual affirmations of continuous compliance in SPRS for each CMMC UID. The rule replaces the previously used term "senior company official" to align with the CMMC program rule and clarify the role and responsibilities.
- POA&M. The rule adopts the definition from 32 C.F.R. Part 170, specifying that a POA&M is a document identifying tasks, resources, milestones and scheduled completion dates for remediating deficiencies identified during a CMMC assessment. The rule clarifies that conditional CMMC status is permitted for up to 180 days while a POA&M is being closed out for Levels 2 and 3.
Impact on Small Businesses and the Defense Industrial Base
The final DFARS rule expressly recognizes the significant impact that CMMC requirements could have on small businesses and takes several steps to mitigate potential burdens.
- Phased Rollout to Minimize Immediate Burden. A central feature of the rule is its three-year phased implementation period. During this initial phase, CMMC requirements will only be included in select contracts as determined by the CMMC Program Office and DOD component program offices. This approach is intended to give small businesses additional time to understand, prepare for and implement the necessary cybersecurity controls before the requirements become universal across all applicable DOD contracts. By year four, CMMC requirements will apply to all contracts involving FCI or CUI, except those solely for COTS items. This gradual approach is specifically designed to avoid overwhelming small entities with immediate compliance obligations and allow for a smoother transition.
- Exclusion of COTS-Only Contracts. The rule exempts contracts and orders that are exclusively for COTS items from CMMC requirements. This exclusion is particularly important for small businesses that may primarily supply commercial products, as it removes a significant compliance hurdle for a large segment of the small business community. The definition of COTS is aligned with FAR 2.101, ensuring clarity and consistency in application.
- Regulatory Flexibility Analysis and Impact Estimates. The DOD conducted a regulatory flexibility analysis to assess the impact of the rule on small entities. The analysis estimates that by the fourth year of implementation, approximately 229,818 small entities – out of a total of 337,968 impacted entities – will be subject to CMMC requirements. The phased approach is expected to limit the number of small businesses affected in the early years: only 1,104 in year one, 5,565 in year two and 18,554 in year three. This measured ramp-up is intended to give small businesses time to allocate resources, seek guidance and, if necessary, adjust their business practices to meet the new requirements.
Conclusion
The final DFARS rule cements CMMC as a core requirement for DOD contractors and their supply chains. Compliance is now a prerequisite for contract eligibility and performance. Early preparation, robust internal controls and proactive supply chain management are essential to avoid disruptions and maintain competitiveness in the defense marketplace.
With the rule taking effect 60 days after Federal Register publication, contractors should take action to:
- review current and upcoming DOD contracts for CMMC requirements
- assess and document the CMMC level required for each information system
- initiate or update self-assessments and third-party certifications as needed
- engage with supply chain partners to ensure flowdown compliance
Footnote
1. On Sept. 5, 2025, President Donald Trump issued an executive order, "Restoring the United States Department of War," to rename the DOD to the U.S. Department of War (DOW). Because the draft regulations were issued under the DOD, that terminology has remained in this alert for the sake of consistency.