It’s Alive: The CMMC Final Rule is Finally Here
On September 10, 2025, to borrow from the Beatles, the long and winding road brought DoD’s final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate Cybersecurity Maturity Model Certification program (CMMC) contractual requirements to the door of the defense industrial base. And defense industrial base contractors must be ready to comply.
The goal of the CMMC program is to provide DoD with assurances that a defense industrial base contractor can adequately protect two types of sensitive unclassified information: Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). DoD created the CMMC assessment framework in response to growing and persistent cyber threats targeting the defense industrial base. CMMC is an extension of existing security requirements in the FAR and DFARS that now require contractors to certify that information systems that process, store or transmit FCI or CUI comply with the required security controls.
The CMMC framework is broken out into three levels:
CMMC Level 1 (Self-Assessment)
- Purpose: Protects Federal Contract Information (FCI)
- Assessment: Self-assessment only, conducted annually
- Information Type: Unclassified information not intended for public release
- Control Requirements: 17 requirements listed in FAR 52.204-21
CMMC Level 2 (Self-Assessment or Third-Party)
- Purpose: Protects Controlled Unclassified Information (CUI)
- Assessment: Self-assessment, conducted annually OR certified third-party assessment (C3PAO), conducted every three years
- Information Type: Information requiring safeguarding or dissemination controls
- Control Requirements: 110 requirements listed in NIST 800-171
CMMC Level 3 (DIBCAC Assessment)
- Purpose: Protects high-priority CUI
- Assessment: Assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), conducted every three years
- Information Type: Highly sensitive unclassified information
- Control Requirements: All Level 2 requirements, in addition to certain requirements from NIST 800-172
Impact on Contract Awards:
Contracting officers may not award a contract to an offeror that does not have a current CMMC status posted in the Supplier Performance Risk System (SPRS) at the required CMMC level for each contractor information system that will process, store or transmit FCI or CUI and be used in the contract’s performance. The contractor’s proposal must identify each of their information systems that will be used in performance of the contract by CMMC UID – an alpha-numeric set of characters assigned to each contractor CMMC assessment for each contractor information system.
Timing:
Beginning on November 10, 2025, and for the three years that follow, DoD can include CMMC requirements in solicitations and contracts if it determines that the contractor is required to have a specific CMMC level. On or after November 10, 2028, DoD will include CMMC requirements in any solicitation or contract if it determines that the contractor is required to use contractor information systems in the performance of a contract to process, store or transmit FCI or CUI. This includes contracts using FAR Part 12 procedures for the acquisition of commercial products and commercial services. Only contracts solely for the acquisition of commercial off-the-shelf items are excluded from the program.
Flowdown:
CMMC requirements must be flowed down to all subcontractors whose subcontracts require the processing, storage and transmission of FCI and CUI. Those subcontractors must submit affirmations of continuous compliance and the results of self-assessments in SPRS. Higher-tier contractors must confirm that the subcontractor has a current CMMC status at the applicable level for the information that it will process, store or transmit before subcontract award.
What’s Next for Contractors
Since contracting officers have the discretion to include the CMMC level requirements in contracts beginning on November 10, 2025 – and award cannot be made if the specified CMMC status is not posted in SPRS – contractors may lose out on valuable opportunities. This means contractors should be taking action now.
- Contractors need to evaluate their current contracts and assess whether FCI and CUI are involved. DoD contractors that will require a CMMC Level 2 (C3PAO) certification should swiftly engage a certified third-party assessment organization to schedule an assessment if they have not already done so, as these organizations are anticipated to be backlogged.
- Ensure continuous CMMC compliance throughout the life of the contract. Contractors should review their system security plans to confirm that they completely and accurately describe the current compliance state of each system. Identify the correct CMMC UID, or UIDs if the contractor has more than one, that will be included in proposals.
- Bolster subcontractor oversight and determine whether subcontractors, too, are ready to comply. Because contractors are only able to access their own CMMC certificate or self-assessment information, contractors should require that subcontractors provide their CMMC assessment scores or certificates prior to subcontract award. Remember that it is up to the higher-tier contractor to determine the type of information flowed to the subcontractor and whether the subcontractor has a current CMMC status appropriate for the information that is flowed down.
Cybersecurity remains a paramount concern to the government, and the government is committed to ensuring contractors are complying with their cybersecurity obligations. This new rule is a large step forward in DoD’s effort to ensure that defense industrial base contractors are complying with their obligations to protect information from bad actors.
If you have any questions regarding this rule, please reach out to your Cohen Seglias contact or contact any member of the Government Contracting group.