Angela B. Styles’s articles from Akin Gump Strauss Hauer & Feld LLP are most popular:
- within Government and Public Sector topic(s)
- in United States
Akin Gump Strauss Hauer & Feld LLP are most popular:
- within Criminal Law topic(s)
On November 10, 2025, the Department of Defense (DoD), also referred to as the Department of War (DoW), officially began rolling out its Cybersecurity Maturity Model Certification (CMMC) Final Rule, marking the start of the program's phased implementation. CMMC requirements may now appear in new DoD solicitations, contract awards and option exercises.
Contractors should act now to:
- Achieve and maintain the required CMMC level—eligibility for DoD contracts now depends on certification aligned with the sensitivity of information handled.
- Identify whether your organization handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) and where it resides—understanding CUI data flows is essential to determining the applicable CMMC level and scope of assessment for both CUI and FCI.
- Plan early for third-party assessments under CMMC Level 2 and 3, as accredited assessors are in high demand and scheduling delays are expected.
- Conduct and upload self-assessments in SPRS, ensuring your System Security Plan and Plan of Action and Milestones are up to date.
- Flow down CMMC obligations to cover subcontractors and verify their readiness to the extent they will require CUI or FCI to perform.
- Implement processes for annual affirmations and maintain records to reduce False Claims Act exposure.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
