The Department of Defense (DoD) recently finalized a new rule, to be codified at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 (contract clause) and 252.204-7025 (solicitation provision), which will become effective on November 10, 2025 and incorporate the Cybersecurity Maturity Model Certification (CMMC) Program requirements into nearly all new defense contracts over the course of a three-year phase-in period. While portions of the CMMC program were finalized late last year, this latest DFARS rule finally clears the way for the CMMC rubber to meet the defense contracting road.
What is the current status of the CMMC now that the DFARS rule is final?
The CMMC’s history is somewhat complicated, but the final DFARS rule marks the beginning of “Phase 1” of DoD’s four-phase, three-year rollout of the program. Specifically, this rulemaking implements the contracting aspects of the CMMC (first proposed in August 2024 after an interim rule published in September 2020), while DoD finalized the CMMC program procedures (which Venable previously summarized here) in a separate October 2024 rule.
Although the interim rule initially permitted a CMMC clause to be included in new contracts before the CMMC was finalized, it required approval by the Office of the Under Secretary of Defense for Acquisition and Sustainment. Then, in November 2021, DoD suspended the rollout of CMMC on an interim basis while it proposed and finalized two separate rules to implement CMMC: one for the program requirements (e.g., the procedures for third-party auditors verifying contractor compliance with cybersecurity requirements) at Title 32 of the Code of Federal Regulations (C.F.R.), and one for contract requirements (e.g., the specific terms of the CMMC solicitation provision and contract clause) at Title 48 of the C.F.R.
As DoD noted in the final program rule in October 2024, Phase 1 of the CMMC rollout “[b]egins on the effective date of the complementary 48 CFR part 204 CMMC Acquisition final rule,” 32 C.F.R. § 170.3(e)(1), which we now know is November 10, 2025. Since the effective date of the DFARS final rule is now known, the full implementation schedule contemplated in the final program rule can be determined and is summarized below.
Can you remind me of what the CMMC “levels” mean? I am rusty on the details of the CMMC framework.
After the final CMMC contracting rule, DoD will assign one of three levels of cybersecurity requirements to covered contracts based on the sensitivity of the information associated with their contractual performance activities and the accompanying cybersecurity risk profile:
- Level 1. These contracts are the lowest risk under the CMMC framework. DoD will assign Level 1 status to contracts under which a contractor information system will process, store, or transmit federal contract information (FCI) only. FCI is information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, excluding information provided by the government to the public (e.g., information on public websites). Most DoD contractors will need to achieve at least Level 1 status for one or more information systems. Under Level 1 contracts, contractors must annually self-assess their compliance with the 15 security measures at FAR 52.204-21.
- Level 2. These are medium-risk contracts under the CMMC framework. DoD will assign Level 2 status to contracts under which a contractor information system will process, store, or transmit controlled unclassified information (CUI). CUI is information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguards or dissemination controls. Under a small subset of lower-risk Level 2 contracts, contractors need only self-assess their compliance with the 110 security measures in NIST SP 800-171, Rev. 2 (as required by DFARS 252.204-7012) once every three years for relevant information systems. However, most Level 2 contracts will require that contractors obtain an annual compliance certification from a Certified Third-Party Assessment Organization (C3PAO) for applicable information systems. DoD will specify either “CMMC Level 2 (Self)” or “CMMC Level 2 (C3PAO)” in the solicitation and resulting contract.
- Level 3. These contracts involve engaging with the highest-risk information, including critical national security information. This is the smallest subset of CMMC contracts. Under Level 3, contractors may not self-certify or use a C3PAO to meet their compliance obligations. Rather, a contractor performing a Level 3 contract must obtain a certification of compliance with additional DoD-specific security measures based on NIST SP 800-172 from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for applicable information systems, once every three years.
Under Levels 2 and 3, a defense contractor may obtain “conditional status” to meet its compliance obligations, which will allow it to receive contracts without complete CMMC certification for up to 180 days, so long as it is actively closing out a Plan of Action and Milestones (POA&M). Once a contractor on conditional status has successfully completed its POA&M, it will achieve “final status,” which indicates complete CMMC compliance. Thereafter, the contractor must maintain compliance with the applicable mandatory standards. Conditional status is not available for Level 1 contracts.
At all levels, contractors must periodically reaffirm and maintain CMMC compliance throughout the life of their contracts for each contractor information system that processes, stores, or transmits FCI or CUI. Each contractor information system used in performance of the contract will be assigned a unique identification number in order to track compliance. Contractors must publish their mandatory annual certifications for each affected system in the Supplier Performance Risk System (SPRS). The government will confirm contractors’ compliance in SPRS prior to award, executing an option, or extending the period of performance under an existing contract.
How does this final DFARS rule affect the applicability and timeline for CMMC compliance?
As noted, the new CMMC rule will apply to all defense contracts involving information systems handling FCI or CUI, with the significant exception of contracts solely for the acquisition of commercially available off-the-shelf (COTS) items. To give contractors time to prepare for full implementation, this rule will be subject to a three-year phased-in implementation period. The implementation will occur over four phases:
- Phase 1. Beginning on November 10, 2025, DoD will include the Level 1 or 2 self-assessment requirements as a condition of award in all new contracts (except those solely for COTS items) that require the use of contractor information systems to process, store, or transmit FCI or CUI. DoD states it may also include these requirements as a condition for exercising an option for contracts awarded prior to the rule’s effective date. It may also require Level 2 contractors to obtain certification from a C3PAO in lieu of self-assessment.
- Phase 2. Beginning on November 10, 2026, DoD will add the requirements of Level 2 (C3PAO) to applicable solicitations and contracts as a condition of award, but DoD may instead delay the inclusion of these requirements to an option period rather than including them pre-award. It may also include Level 3 requirements in applicable solicitations and contracts.
- Phase 3. Beginning on November 10, 2027, DoD will add the requirements of Level 2 (C3PAO) to all applicable contracts as a condition of award and as a condition of exercising an option. DoD also intends to implement the requirements for Level 3 as a condition of award but may delay this requirement to an option period instead.
- Phase 4 (Full Implementation). Beginning on November 10, 2028, DoD will include the CMMC Program requirements in all applicable solicitations and contracts, including option periods, for contracts awarded prior to the beginning of Phase 4.
The new CMMC rule also includes a mandatory flow-down for subcontractors, cloud service providers (CSPs), and external service providers (ESPs) when their subcontract or other contract instrument requires the handling of FCI or CUI on a non-government information system as part of performance under the prime contract. This will apply only to subcontractor, CSP, or ESP information systems that will actually process, store, or transmit FCI or CUI.
DoD expects that this rule will have far-reaching impacts, particularly to small business contractors. In its final rulemaking, DoD estimated that 337,968 prime contractors and subcontractors will be affected by the CMMC Program expansion, and it identified approximately 229,818 of those contractors as small business concerns.
What are the key risks related to CMMC that contractors should be considering?
Even though defense contractors are already subject to most of the security measures at issue because their contracts incorporate FAR 52.204-21 and/or DFARS 252.204-7012, we expect this rule to result in a significant increase to defense contractors’ existing compliance obligations because of the requirements for periodic assessment, certification, and affirmation. As noted, for contracts above Level 1, this will usually require third-party certification by a C3PAO. Additionally, the mandatory flow-down to subcontractors will require prime contractors to verify, prior to award and annually during the term of their agreements, that their subcontractors, ESPs, and CSPs have completed annual affirmations of continuous compliance in SPRS for each subcontractor, CSP, or ESP information system that processes, stores, or transmits FCI or CUI in performing the subcontract or other contractual instrument. While there is a notable exception for contracts that are solely for the acquisition of COTS items, we expect that compliance with the new CMMC rule will impose significant costs on contractors, with small business contractors likely to bear the steepest impacts.
In addition to our Government Contracts team, Venable’s Cybersecurity Services team is well positioned to help defense contractors navigate these new requirements. Our team includes four former senior officials from the National Institute of Standards and Technology (NIST), who bring deep experience with cybersecurity standards and compliance. Together, our government contracts team and cybersecurity professionals provide an integrated approach to managing both the contractual and technical aspects of CMMC implementation.
There is no question that the new rule will have far-reaching impacts across the defense contracting industry. Venable will continue to monitor this rule and its application. Should you have any questions, please contact the authors of this article or any lawyers in Venable’s Government Contracts Group or Cybersecurity Services Team.