13 November 2025

Preparing For CMMC: Navigating DoD's New Cybersecurity Rules

Dickinson Wright PLLC

Dickinson Wright is a general practice business law firm with more than 475 attorneys among more than 40 practice areas and 16 industry groups. With 19 offices across the U.S. and in Toronto, we offer clients exceptional quality and client service, value for fees, industry expertise and business acumen.
After half a decade of development and review, the U.S. Department of Defense (DoD)*/ will implement contracting regulations, effective November 10, 2025, making the Cybersecurity Maturity Model Certification (CMMC) Program a reality for hundreds of thousands of companies across the defense industrial base (DIB). More than ever before, companies doing business with DoD, either as primes or subcontractors, must document how they protect government information, defined as non-public Federal Contract Information (FCI) and sensitive Controlled Unclassified Information (CUI).

Civilian agency contractors also should take note. Similar cybersecurity requirements for the Federal Acquisition Regulation (FAR) have already been proposed, and with CMMC moving forward, the civilian agency rulemaking is likely to pick up pace.

The CMMC Program expands on existing cybersecurity contract provisions by establishing three levels of cybersecurity for contractors and subcontractors, depending on the requirements of the particular DoD solicitation or contract. Until now, DoD contracts imposed safeguarding and cyber incident reporting obligations for federal contractors generally without prior external verification. The new rules leave less to trust and rely more on verification that DoD contractors are complying with cybersecurity standards. Depending on the nature of information involved, additional CMMC guidance describes how contractors must conduct self-assessments (Level 1 and limited Level 2), obtain third-party assessments (Level 2), or prepare for government assessments (Level 3).

What to Look for and How to Comply

Contractors should look out for new clauses that will appear as DFARS 252.204-7021 and DFARS 252.204-7025 in new contract solicitations. Government program managers and contracting officers will mandate which CMMC Level is required (i.e., Level 1, 2, or 3) based on separately issued DoD guidance. The underlying cybersecurity standards to meet each CMMC Level derive from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (rev. 2) and SP 800-172 (for Level 3). After assessment and annually thereafter, contractors will enter their results and CMMC status affirmations in DoD's Supplier Performance Risk System (SPRS).

Level 1. A company can achieve CMMC Level 1 (Self-assessment) status by reviewing and affirming its implementation of 15 control requirements. Companies at CMMC Level 1 are then eligible for contracts involving FCI.

Level 2. Many companies will need CMMC Level 2 status based on compliance with all 110 safeguards in SP 800-171. Where a planned contract involves processing, storage, or transmission of information covered in the CUI Registry Defense Grouping, Level 2 certification, assessed by a CMMC Third-Party Assessor Organization (C3PAO), is required. Level 2 self-assessment will be permitted only where the contract involves handling non-DoD CUI.

Level 3. For contracts involving mission critical programs and unique technologies, a company must first have Final Level 2 (C3PAO) status, and then implement 24 NIST SP 800-172 "enhanced security requirements" for a Level 3 certification assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Interim Level 2 and Level 3 Status. Conditional status for CMMC Level 2 or Level 3 allows a company up to 180 days to execute a Plan of Action and Milestones (POA&M) to meet remaining assessment objectives. POA&Ms are not allowed for Level 1 self-assessments.

Phased Program Implementation – What Happens Next

CMMC coverage is rolling out in four one-year phases starting November 10, 2025. As of that date, offerors must pay attention to the CMMC DFARS clauses in solicitations, and subcontractors must be aware of modifications to prime contracts. Level 1 and Level 2 self-assessment will be mandatory for solicitations and contracts, but discretionary for option exercises. While Level 2 (C3PAO) will not automatically appear in every solicitation or contract during Phase 1, government contracting activities have discretion to add it. By 2028, with the exception of Commercial Off-The-Shelf (COTS) items, CMMC will be mandatory for every solicitation and contract involving FCI or CUI. Overall, DoD has adopted the following phased approach:

Phase 1 (2025)
  • Level 1 (Self) and Level 2 (Self): Mandatory for new contract awards; discretionary for contract options
  • Level 2 (C3PAO): Discretionary in solicitations and contracts

Phase 2 (2026)
  • Level 2 (C3PAO): DoD "intends" to include Level 2 in solicitations and contracts
  • Level 3 (DIBCAC): Discretionary in solicitations and contracts

Phase 3 (2027)
  • Level 2 (C3PAO): Mandatory in solicitations and contracts
  • Level 3 (DIBCAC): DoD "intends" to include Level 3 in solicitations and contracts

Phase 4 (2028)
  • Level 1, 2, or 3: Mandatory in all solicitations and contracts

Because DoD programs have discretion over when to incorporate CMMC measures, there is no absolute set date when a CMMC status level will be included in a given contract.

What This Means for Contractors – Now is the Time

Achieving CMMC compliance takes time. At all CMMC Levels, the cybersecurity standards can present challenges depending on the contents, complexity, and age of information systems. Even the small set of Level 1 assessment objectives requires well-informed planning and review before company officials can confidently attest that systems comply with the CMMC requirements. As pointed out in our prior Alert, this representation becomes a key factor when the U.S. Department of Justice considers bringing a cybersecurity enforcement action under the False Claims Act. The CMMC assessment process increases the likelihood that potential non-compliance will be identified.

Contractors can lessen the timing risk and uncertainty by communicating with DoD program and contracting personnel and planning to achieve the necessary CMMC status as soon as possible. Moreover, contractors should consider their potential CMMC obligations with a broad perspective and be cautious about assuming they will only have to self-assess. DoD estimates that when it fully implements the CMMC program, at least 35 percent of CMMC-covered DIB companies will need CMMC Level 2 (C3PAO) status. This amounts to approximately 118,000 DIB companies, including approximately 80,000 small entities, which will have to implement and undergo C3PAO assessments of the 110 controls in NIST SP 800-171.

CMMC requirements will "flow down" to subcontracts throughout the supply chain at all tiers that process, store, or transmit FCI or CUI in the performance of a DoD contract or subcontract. Contractors and subcontractors seeking third-party Level 2 (C3PAO) certification should take the time to pre-assess their systems and address any current gaps that would lead to a costly, unsuccessful C3PAO outcome.

The risk of falling behind will only increase as the new CMMC cybersecurity requirements become effective on November 10, 2025. Companies that plan to rely on federal contract revenue must seek advice and invest in compliance in the near term to avoid a steeper future learning curve.

Footnote

*/ The authors note that Executive Order 14347, 90 Fed. Reg. 4393-94 (Sept. 5, 2025), includes language referring to the "Department of War" for a "secondary title." "Department of Defense" remains the name in official usage. Accordingly, this Alert uses "DoD."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
