On September 9, 2025, the Department of Defense (DoD) published its long-awaited final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program. This rule, effective November 8, 2025, marks a watershed moment for the defense industrial base (DIB), making CMMC compliance a contractual prerequisite for nearly all DoD contractors and their supply chains.
What Is CMMC and Why Does It Matter?
The CMMC establishes a three-tiered cybersecurity framework that contractors must follow to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The FCI safeguards derive from the basic requirements of FAR 52.204-21; the CUI safeguards derive from DFARS 252.204-7012 and the National Institute of Standards and Technology (NIST) Special Publication 800-171, which DoD contractors handling CUI have already been contractually obligated to implement. CMMC adds a verification layer: contractors must now demonstrate, through self-assessment or third-party assessment, that those requirements are actually in place.
The DoD's intent is clear: to ensure that sensitive defense information is protected across the entire supply chain, reducing the risk of cyberattacks and data exfiltration that threaten U.S. national security and economic interests.
As Katie Arrington, who is performing the duties of the DoD Chief Information Officer, has pointed out: "Nation-state attacks are something that we're feeling every day and we lose on average about $200-$250 million a day in the DIB, the defense industrial base, due to data loss, ransomware, IP theft, etc."
Who Is Affected?
All DoD contractors and subcontractors—regardless of size or core business—must comply if their contracts require them to process, store, or transmit FCI or CUI. The principal exceptions are contracts solely for commercially available off-the-shelf (COTS) items and purchases at or below the micro-purchase threshold.
Implementation Timeline and Phased Rollout
Effective Date: November 8, 2025
Phased Implementation: For the first three years, CMMC requirements will be included in select contracts as determined by DoD program offices. By November 9, 2028, all new solicitations and contracts requiring contractor information systems to handle FCI or CUI will mandate CMMC compliance.
No "Grace Period" for New Bidders: Contractors must have the required CMMC status at the time of award—delayed implementation for new entrants is not permitted.
CMMC Levels and Assessment Requirements
Level 1 (Self-Assessment): For contractors handling only FCI. Based on the 15 basic safeguarding requirements of FAR 52.204-21. Requires an annual self-assessment and an annual affirmation of compliance entered in SPRS.
Level 2 (Self-Assessment or C3PAO Assessment): For contractors handling CUI. Based on the 110 security requirements of NIST SP 800-171. Some contracts will permit a self-assessment, but most CUI will require a certification assessment by a Certified Third-Party Assessment Organization (C3PAO). Either form of assessment is valid for three years, with an affirmation of continued compliance required annually in between.
Level 3 (DIBCAC Assessment): For contractors handling the most sensitive CUI. Builds on Level 2 by adding selected enhanced requirements from NIST SP 800-172, assessed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). A contractor must hold a final Level 2 C3PAO certification for the relevant systems before a Level 3 assessment can be conducted.
Key New Features
- Plans of Action and Milestones (POA&Ms): Contractors at Levels 2 and 3 may receive a "conditional" CMMC status for up to 180 days while closing out deficiencies, provided they have an approved POA&M. The allowance is narrow: POA&Ms are not permitted at Level 1, only certain lower-weighted requirements may be left open, and a Level 2 assessment must still score at least 88 of 110 to qualify for conditional status. Deficiencies not closed within the 180 days cause the conditional status to expire, leaving the contractor ineligible for awards that require that level.
- Affirmation of Continuous Compliance: An "affirming official" must attest annually (or upon changes) that the contractor remains compliant.
- Unique Identifiers (CMMC UIDs): Each contractor information system in scope must be tracked in the Supplier Performance Risk System (SPRS) with a unique identifier.
What Must Contractors Do Now?
Assess Your Current Cybersecurity Posture: Conduct a thorough gap analysis against the CMMC requirements applicable to your anticipated contract level. Review all systems that process, store, or transmit FCI/CUI.
Close Gaps and Document Everything: Implement or upgrade controls as needed, especially around access control, incident response, and data protection. Maintain a current System Security Plan and detailed documentation of all policies, controls, and processes; assessors will expect evidence that each control is implemented, not merely described.
Prepare for Assessment: For Level 2 or 3, engage with an accredited C3PAO early to schedule readiness assessments. For Level 1, ensure self-assessment procedures and annual affirmations are in place.
Update Contracting and Procurement Processes: Integrate CMMC requirements into internal procurement and subcontracting policies. Ensure all subcontractors handling FCI/CUI are compliant at the required CMMC level before awarding subcontracts.
Register and Maintain Status in SPRS: Enter all required assessment results and affirmations in the SPRS. Track and update CMMC UIDs for all relevant information systems.
Risks of Non-Compliance
Ineligibility for Award: Contractors lacking the required CMMC status in SPRS at the time of award will not be eligible for new contracts, task orders, or delivery orders.
Breach of Contract: Loss of CMMC status during contract performance can result in breach, termination, or exclusion from future opportunities.
Legal and Regulatory Exposure: Inadequate protection of CUI/FCI, or an affirmation of compliance that does not reflect the contractor's actual security posture, may expose the contractor to liability under other federal cybersecurity requirements and open the door to damages, penalties and False Claims Act actions, which the Department of Justice has actively pursued against contractors for cybersecurity misrepresentations.
Business Disruption: Remediation after the deadline is likely to be costly, urgent and disruptive to operations.
Special Considerations
- Subcontractor Compliance: Primes must ensure all lower-tier suppliers handling FCI/CUI are compliant before sharing information or awarding subcontracts. There is no automated tool—this requires active diligence.
- POA&M Use: Conditional status is allowed for up to 180 days for Levels 2 and 3 only, with strict requirements for closing out deficiencies.
- Documentation: Comprehensive, up-to-date records are essential for audit defense and demonstrating compliance.
Conclusion: Act Now
The CMMC final rule is not just another compliance hurdle—it is a fundamental shift in the defense contracting landscape. The November 8, 2025, deadline is firm and non-negotiable. Early action—gap analysis, remediation, documentation and engagement with assessors—is critical to maintaining eligibility and protecting your business.
Engage legal counsel and cybersecurity experts as soon as possible. Proactive compliance not only ensures continued access to DoD contracts but also demonstrates your organization's commitment to national security and the integrity of sensitive defense information.
Failure to act is not an option. The legal, financial and national security risks are simply too great. Buchanan's Cybersecurity and National Security Teams are ready to assist organizations in navigating the changing landscape of DoD compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.