Highlights
- The U.S. Department of Defense (DOD) issued the long-awaited final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program.
- Effective Nov. 10, 2025, the regulations fundamentally change how cybersecurity requirements are incorporated into DOD contracts and subcontracts.
- This Holland & Knight alert provides answers to common questions about how the new rule impacts defense contractors.
On Nov. 10, 2025, the long-awaited final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program became effective. This rule, discussed in a previous Holland & Knight alert (see link below), fundamentally changes how cybersecurity requirements are incorporated into U.S. Department of Defense (DOD) contracts and subcontracts.
What does this mean for defense contractors? Below are the most common questions asked and responses from Holland & Knight's Government Contracts Group:
1. Is CMMC real now?
Yes. The final DFARS rule indicates that CMMC requirements will be added to select DOD solicitations starting Nov. 10, 2025.
2. What new cybersecurity standards does CMMC create?
None. Generally speaking, CMMC imposes new assessment or certification requirements for cybersecurity obligations that had already been imposed in defense contracts and/or by previously published government standards.
3. So, what changed on Nov. 10?
The new obligation is the level of verification required of contractors to demonstrate that they meet the preexisting cybersecurity obligations.
4. How will CMMC be implemented?
The requirements will be imposed through the clauses prescribed for applicable DOD[1] solicitations and contracts. The acquisition of commercially available off-the-shelf (COTS) items is excepted from the requirement. In particular, every DOD solicitation and contract that requires the processing, storage, or transmission of Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will now specify the exact CMMC level required for the contractor's information systems.
5. What levels of CMMC will be required?
The CMMC level is determined by the program office or requiring activity based on the sensitivity of the information and the risk profile of the contract:
- Level 1: FCI. Contractors must perform an annual self-assessment against the Level 1 requirements and post the results in the Supplier Performance Risk System (SPRS).
- Level 2: Controlled Unclassified Information (CUI), in accordance with (IAW) DFARS -7012. Assessment is either:
  - Self-assessment
  - Third-party assessment by a Certified Third-Party Assessment Organization (C3PAO)
- Level 3: National Institute of Standards and Technology (NIST) SP 800-172. DOD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) certifies.
6. What is the timing to come into compliance?
Plans of Action and Milestones (POA&Ms) must specify end dates, and there is a maximum amount of time allowed before the open items must be completed.
7. When will the requirements be imposed?
Requirements will be phased into DOD contracts, starting with major programs.
8. What are subcontractors' obligations for compliance?
Subcontractors must also comply; prime contractors are tasked with ensuring flowdown of the requirements and, to a degree, subcontractor compliance.
Please review our previous Holland & Knight alert, which provides a more detailed analysis of the final DFARS rule and recommendations for the next steps defense contractors should consider. (See "CMMC Goes Live: New Cybersecurity Requirements for Defense Contractors," Sept. 10, 2025.)
Footnote
[1] We continue to use the term "DOD" instead of Department of War (DOW) in accordance with currently effective regulations, including the FAR and DFARS.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.