20 October 2025

Leveling Up: Will CMMC Contract Obligations Impact Your Organization?

Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
Liisa M. Thomas and Townsend Bourne

Will a final rule issued by the Department of Defense on September 10, 2025 (available here) cause companies to rethink their compliance approach? The rule – relating to the Cybersecurity Maturity Model Certification program, or CMMC – will impact how defense contractors engage with the Department of Defense. (We wrote previously (here) about the separate, but related, CMMC rule that addressed substantive CMMC program requirements.)

This final rule will require defense contractors to affirm CMMC compliance under a phased approach, with full implementation by November 2028. The requirement will pose a significant hurdle for defense contractors, who will need to affirm their CMMC compliance in order to contract with the Department of Defense. The first implementation phase begins November 10, 2025, and addresses self-assessment and affirmation for entities that handle "FCI" (or basic Federal Contract Information) and "CUI" (or Controlled Unclassified Information). More detail about the requirements is in our sister blog post here.

Performing assessments and obtaining certification will likely require organizational change on many levels. It will include C-suite attestations and flow-down obligations to subcontractors. While obligations were already in effect before this rule, we expect CMMC to result in increased exposure under the False Claims Act if attestations are inaccurate.

Putting It Into Practice: Failing to get through the CMMC assessment and certification process can result in defense contractors losing their DoD business. Rushing through the assessment process, failing to involve key stakeholders, or otherwise misstepping, however, can create legal exposure for entities. In the face of this, companies should consider organizational change principles: engage key stakeholders, conduct reviews under privilege, and treat CMMC as a key governance risk, not an IT problem.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
