25 September 2025

DOD Final Rule Incorporates CMMC 2.0 Into DFARS

Goodwin Procter LLP

Bottom Line Up Front

On September 9, 2025, the Department of Defense (DOD) issued the long-anticipated final rule to contractually implement the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, amending the Defense Federal Acquisition Regulation Supplement (DFARS). Beginning November 10, 2025, cybersecurity certification requirements will be incorporated into all DOD solicitations and contracts, except those for commercially available off-the-shelf items. The CMMC 2.0 program requirements will be implemented in phases over the next three years to minimize the impact of these sweeping changes. Contractors and companies seeking federal funding should prepare for the impact of these programmatic requirements on their business efforts.

Background

The CMMC 2.0 program was established to complement and enhance the DOD's existing information security requirements applicable to contractors that are a part of the defense industrial base (DIB). Goodwin detailed the program in a December 2024 alert, "The CMMC 2.0 Program Has Arrived!" The goal of the CMMC 2.0 program is to enforce regulations implemented to protect sensitive categories of unclassified information shared by the DOD with its contractors. The CMMC 2.0 program will ensure that contractors are meeting the cybersecurity requirements applicable to nonfederal systems that are transmitting, receiving, storing, and processing information that must be safeguarded.

The CMMC 2.0 program, which has been in effect since December 16, 2024, established three tiers of cybersecurity requirements (i.e., "Levels") that require DIB contractors to do more than simply self-attest to compliance with long-established cybersecurity requirements. Under the CMMC 2.0 program, self-attestations related to compliance will be permitted in some instances, but most contractors will be required to submit independent third-party assessments and obtain certifications at the CMMC 2.0 program level applicable to the contract they will perform. Pursuant to the final rule, contractors required to handle federal contract information (FCI) or controlled unclassified information (CUI) that either fail to meet the CMMC 2.0 program standards or do not possess the applicable certifications will be ineligible for contract awards at the prime contract and subcontract levels.

The Four-Phase Rollout

The DOD is using a phased approach for the inclusion of CMMC 2.0 program requirements in solicitations and contracts. The implementation schedule was set forth in 32 Code of Federal Regulations part 170 and will occur over four phases, which we discuss below.

Phase 1 will begin on November 10, 2025. From this date onward, the DOD will include a requirement for either a Level 1 or Level 2 self-certification in all solicitations as a condition of contract award. A Level 1 self-certification relates to basic safeguarding of FCI and requires a company to fully implement the 15 cybersecurity requirements set forth in Federal Acquisition Regulation (FAR) 52.204-21(b)(1). Importantly, a company will no longer be allowed to only partially meet these requirements while working through a plan of action and milestones toward full implementation. A Level 2 self-certification will be applicable when both FCI and CUI are present and will require confirmation that a contractor has implemented the cybersecurity controls set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171A Rev 3, as required by DFARS 252.204-7012. Notably, the DOD may, at its discretion, mandate a Level 1 or Level 2 self-certification as a precondition before a contracting officer exercises a contract option, even if that contract was awarded prior to November 10, 2025. During Phase 1, the DOD may also require certification by a CMMC third-party assessor organization (C3PAO) in lieu of a Level 2 self-certification in selected solicitations and contracts, when appropriate.

Phase 2 will begin on November 10, 2026. At that time, in addition to Phase 1 requirements, the DOD will begin to designate when Level 2 C3PAO certification will be required for contract award. Accordingly, companies that handle FCI and CUI should anticipate being required to obtain, in advance, a certification from an accredited C3PAO to establish eligibility for new contracting opportunities and for the award of options associated with previously awarded contracts. During Phase 2, the DOD also expects to begin conducting Level 3 assessments for higher-priority programs in preparation for Phase 3 of the rollout.

Phase 3 begins a year later, on November 10, 2027. During Phase 3, the DOD will continue Phase 1 and Phase 2 implementations and begin to implement Level 3 requirements. The Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will be responsible for Level 3 assessments and verifications. The DIBCAC is also responsible for assessing contractor compliance with DFARS 252.204-7012, NIST SP 800-171, and other cybersecurity requirements imposed by contract or regulation. Level 3 DIBCAC assessments will be applicable to contracts involving the most sensitive CUI. Companies seeking contracts subject to these requirements must already be C3PAO certified before they can seek DIBCAC assessment and verification. Notably, the DOD has suggested that fewer than 1% of contracts are expected to require a Level 3 DIBCAC assessment and validation.

Phase 4 will commence on November 10, 2028, and represent full implementation of the CMMC 2.0 program. From this date forward, all DOD contracts, solicitations, and option periods will be assigned a CMMC 2.0 program level, and all contractors will have to be fully compliant with the requirements associated with that level. The DOD has estimated that by the conclusion of the rollout, nearly 338,000 contractors and subcontractors will be subject to the CMMC 2.0 program and will need to meet programmatic requirements to maintain eligibility for DOD contracts.

Ongoing Contractual Obligations

While the four-phase rollout establishes a timeline for compliance with the requirements that will be incorporated into solicitations and contracts, the final rule previews several additional obligations that contractors will need to meet. In addition to meeting the requirements of each level, they will need to be mindful of the following:

  • Continuous compliance: Contractors must maintain the mandated CMMC level for the entire duration of the contract. This includes providing the DOD with unique identifiers (UIDs) for all systems that store, process, or transmit CUI, as well as submitting an annual affirmation signed by a senior company official attesting that the certification remains accurate and current.
  • Mandatory reporting of changes: Contractors must notify the designated contracting officer whenever modifications are made to a system handling CUI and provide updated UIDs so they can be reviewed.
  • Supplier Performance Risk System (SPRS) posting: Contractors must post the results of Level 1 and Level 2 self-assessments in the SPRS before contract award or option extension.
  • Subcontractor obligations: Prime contractors must ensure that subcontractors handling FCI or CUI are in compliance with the requirements of the assigned CMMC level.

Implications for FCA Enforcement

The issuance of CMMC 2.0 represents a major shift for defense contractors and subcontractors handling FCI or CUI, with significant implications for federal procurement fraud enforcement under the False Claims Act (FCA) and other statutes. Compliance with CMMC requirements is relevant not only to contract eligibility but also to the risk of FCA liability.

The FCA provides that any person who knowingly submits a materially false or fraudulent claim for government payment, or who knowingly makes or uses a false record or statement material to a false claim, is liable for up to three times the government's damages, plus per-claim penalties. It also applies to anyone who knowingly causes such conduct, even if the false claim or statement was actually made by someone else.

The Department of Justice (DOJ) has made it clear that the FCA remains a primary enforcement tool in combating defense procurement fraud, particularly in the cybersecurity space. In a February 2025 statement announcing an $11 million settlement with a federal defense contractor that falsely certified cybersecurity compliance in connection with payments for administering health benefits to service members, DOJ Civil Division Assistant Attorney General Brett Shumate underscored the DOJ's continuing use of the FCA to "pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans' privacy and economic and national security." Statements about cybersecurity compliance may implicate criminal enforcement concerns as well. In a May 2025 memorandum, the head of the DOJ's Criminal Division, Acting Assistant Attorney General Matthew Galeotti, highlighted 10 "high-impact" areas of focus for the DOJ's criminal enforcement efforts — with "federal program and procurement fraud" among the list of key priorities.

Over the last several months, the DOJ has announced a series of high-profile FCA settlements arising from allegations of knowing false certifications and failure to comply with cybersecurity requirements in government contracts:

  • In February 2025, Health Net Federal Services (HNFS) agreed to pay $11.25 million to resolve claims that it falsely certified compliance with cybersecurity requirements in a contract with the DOD to administer the Defense Health Agency's TRICARE health benefits program. The DOJ alleged that between 2015 and 2018, HNFS falsely certified compliance with cybersecurity controls in annual reports to the Defense Health Agency, because it failed to timely scan and remedy security flaws in its networks and systems and ignored audits identifying vulnerabilities.
  • In March 2025, MORSECORP reached a $4.6 million settlement over allegations that, under contracts with the departments of the Army and Air Force between 2018 and 2023, it failed to implement NIST SP 800-171 controls, used a third-party email provider that did not meet Federal Risk and Authorization Management Program standards, and operated without a system security plan. As part of the settlement, MORSECORP admitted and accepted responsibility for this conduct and acknowledged submitting an inflated cybersecurity compliance score to the DOD in 2021.
  • In May 2025, Raytheon, along with its parent, RTX Corporation, and successor entities, Nightwing Group LLC and Nightwing Intelligence Solutions LLC, paid $8.4 million to settle allegations that, across 29 DOD contracts and subcontracts between 2015 and 2021, Raytheon and its then-subsidiary Raytheon Cyber Solutions Inc. failed to implement a required system security plan for an internal system used to perform unclassified work and failed to ensure that the system complied with cybersecurity requirements under DFARS 252.204-7012 and FAR 52.204-21.
  • In July 2025, Aero Turbine Inc. and its then-private equity owner, Gallant Capital Partners LLC, agreed to pay $1.75 million to resolve allegations that, under an Air Force contract between 2018 and 2020, Aero Turbine failed to implement required NIST SP 800-171 cybersecurity controls and improperly shared sensitive defense information with an unauthorized software company based in Egypt.

These settlements reflect a common theme: Companies certified compliance with cybersecurity requirements while allegedly overlooking or ignoring deficiencies in their systems. The settlements also demonstrate the broad reach of FCA enforcement over inadequate cybersecurity controls, which may extend beyond government contractors themselves to subcontractors, affiliates, and private equity owners.

The incorporation of CMMC 2.0 into DFARS, and especially the move into Phase 2 to require independent Level 2 certification for contractors handling CUI, could shift this landscape. While FCA risk will not disappear (for example, misleading assessors or failing to maintain compliance could still trigger liability), contractors that obtain certification through an accredited C3PAO will be better positioned to demonstrate good faith compliance.

Key Takeaways

The DOD's final rule implementing the CMMC 2.0 program via the DFARS signals that cybersecurity compliance is now, more than ever, a binding condition of eligibility for defense contracts. Contractors should begin preparing now by:

  • Mapping their information systems to identify where FCI and CUI are processed or stored and determine which CMMC level applies
  • Preparing for Phase 2, when third-party Level 2 certifications will become mandatory for contractors handling CUI, and engaging early with accredited third-party assessors to avoid any bottlenecks
  • Strengthening oversight of subcontractors to ensure that compliance obligations are met throughout the supply chain

In short, CMMC 2.0 is both a compliance obligation and a potential enforcement shield: It raises the bar for eligibility for contracts but also provides a clear framework for contractors to demonstrate good faith compliance. Companies that act now will be best positioned to secure contract awards and mitigate exposure to FCA liability in the years ahead.
