DFARS Final Rule on Cybersecurity Maturity Model Certification (CMMC) Published

By Joe Kirkwood

The Department of Defense (DoD) issued a final rule on September 10, 2025, amending the DFARS to implement the Cybersecurity Maturity Model Certification (CMMC) program requirements across defense contracts. The rule takes effect November 10, 2025.

Takeaways for contractors:

    • Contractors must have a current CMMC status at the level required by a given Defense solicitation in order to receive an award. Not every solicitation will carry a CMMC requirement until November 10, 2028, when the phase-in reaches all defense contracts, but from November 10 of this year onward, every solicitation should be checked for one.
    • CMMC applies to any contractor information system used to process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Think of CMMC in terms of your systems that handle information.
    • The CMMC level tracks with the level of sensitivity of the information handled; some contracts with CMMC requirements will be easier to comply with than others as Level 1 is a relatively low burden.
    • Contractors to whom CMMC applies must maintain compliance throughout the life of the contract and provide annual affirmations in SPRS. Compliance may include self or third-party assessments depending on level.
    • Subcontractors must also meet applicable CMMC requirements to the same extent. Ensure CMMC requirements are being flowed down to you when you are a sub.
    • Contracts for commercially available off-the-shelf (COTS) items are excluded in both this initial phase and after 2028’s full implementation.

Next Steps Checklist for Contractors

Determine Your CMMC Level Needs – Review solicitations for the required level (1, 2 Self, 2 C3PAO, or 3).

Identify Covered Information Systems – Map systems that process, store, or transmit FCI or CUI (COTS-only work is exempt).

Complete Assessments and Register in SPRS – Perform the required self- or third-party assessment and upload results to SPRS.

Affirm Compliance Annually – An affirming official must submit yearly affirmations in SPRS for each system.

Plan for Conditional Certification – Close out any POA&Ms within 180 days to move from conditional to final status.

Flow Down to Subcontractors – Ensure subs handling FCI/CUI meet CMMC requirements and provide affirmations.

Track Timeline – 2025–2028: phased-in contracts only; 2028 onward: broad application to all covered DoD contracts.
