The U.S. Department of War[1] (the "Department") has reached a major milestone in implementing its new cybersecurity program. On August 25, 2025, the Office of Information and Regulatory Affairs (OIRA) concluded its review of the Department's final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program in the acquisition regulations. The Department subsequently announced that the final rule will be published in the Federal Register on September 10, 2025, with an effective date sixty (60) days after publication. The rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate CMMC requirements into Department contracts, at a level that depends on the sensitivity of the information the contractor will handle. The final rule, effective November 10, 2025, ushers in long-expected cybersecurity requirements. Many contractors are already implementing CMMC requirements, but every Department contractor should review the rule now to prepare for its implementation.
Background
CMMC is the Department's program for verifying that companies that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) comply with the applicable cybersecurity requirements. The program has gone through several iterations since it was first announced in 2019. The current "CMMC 2.0" version has three progressively more demanding levels, with the required level determined by the type and sensitivity of the information a contractor handles. Level 1 requires a self-assessment. Level 2 requires either a self-assessment or an assessment by a CMMC Third-Party Assessor Organization (C3PAO), depending on the sensitivity of the CUI involved in the contract. Level 3 requires a government-led assessment by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The third-party and government assessments are expected to be challenging and costly for government contractors.
The Department published the first proposed CMMC 2.0 program rule on December 26, 2023, and finalized it on October 15, 2024. That rule established the CMMC program itself under Title 32 of the Code of Federal Regulations (32 CFR Part 170). The new rule, issued under Title 48 (the DFARS), contains the contract language that will put the program into effect in Department procurements. It amends 48 CFR parts 204, 212, 217 and 252. Specifically, the rule adds a solicitation provision, DFARS 252.204-7025, Notice of Cybersecurity Maturity Model Certification Level Requirements, and a contract clause, DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements. On its effective date, the rule starts a four-phase departmentwide implementation of the CMMC program. The first phase, in which solicitations begin to carry self-assessed requirements under CMMC Levels 1 and 2, lasts 12 months. The implementation phases are set forth below:
| Phase | Level 1 (Self-Assessment) | Level 2 (Self-Assessment) | Level 2 (C3PAO)[2] Certification | Level 3 (DIBCAC) Certification |
| --- | --- | --- | --- | --- |
| I (0-12 months) | CMMC clauses in applicable solicitations and contracts | CMMC clauses in applicable solicitations and contracts | Discretionary | — |
| II (13-24 months) | | | CMMC clauses in applicable solicitations and contracts | Discretionary |
| III (25-36 months) | | | | CMMC clauses in applicable solicitations and contracts |
| IV (37+ months) | All solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award. | All solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award. | All solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award. | All solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award. |

A blank cell indicates that the requirement introduced in an earlier phase continues to apply; each phase adds to, rather than replaces, the preceding one.
The CMMC three-level model is built on existing federal security requirements: Level 1 corresponds to the 15 basic safeguarding requirements of FAR 52.204-21, Level 2 to the 110 security requirements of National Institute of Standards and Technology Special Publication (NIST SP) 800-171 (Revision 2), and Level 3 adds a selected subset of the enhanced requirements in NIST SP 800-172. For additional information, including details about the three CMMC levels, please review our Alert on the CMMC rule.
Next Steps
As the next step in the regulatory process, the Department will begin issuing solicitations that carry CMMC Level 1 and Level 2 self-assessment requirements. Note that requiring activities have the discretion to require Level 2 third-party (C3PAO) certification during Phase I, depending on the CUI involved, although this is not expected to be prevalent until Phase II begins in November 2026.
Because a contractor that lacks the required CMMC status will be ineligible for award under any solicitation that contains the CMMC provision, contractors should immediately identify the CMMC level that applies to them and begin the compliance process in order to remain eligible for Department solicitations. Note that a contractor is not required to hold the requisite CMMC status at the time it submits its bid, but must hold it at the time of award. Contractors that are not yet ready should nonetheless start the process now, as the assessment and certification process may be lengthy.
For More Information
If you have any questions about this Alert, please contact Daniel R. Walworth, Geoffrey M. Goodale, Brian H. Pandya, Rolando R. Sanchez, Matthew Steinway, any of the attorneys in our Government Contracts and International Trade Group, any of the attorneys in our Privacy and Data Protection Group or the attorney in the firm with whom you are regularly in contact.
Footnotes
1. Under the executive order titled "Restoring the United States Department of War" issued on September 5, 2025, the U.S. Department of Defense "should [now] be known as the Department of War ... in official correspondence, public communications, ceremonial contexts, and non-statutory documents within the executive branch."
2. CMMC Third-Party Assessor Organization
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.