This alert serves to remind contractors of the much-ballyhooed Cybersecurity Maturity Model Certification (CMMC) and updates our previous articles on the Department of Defense’s (DoD) proposed CMMC Program rule and DoD’s issuance of a new final rule, codified at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 (contract clause) and 252.204-7025 (solicitation provision). The new DFARS rule implements the CMMC Program’s requirements into DoD contracts over the course of a three-year phase-in period. This week, as of November 10, 2025, Phase 1 of this rule’s rollout has finally become effective, with significant implications for defense contractors.
As discussed in our prior articles, the new CMMC rule will apply only to defense contracts involving contractor information systems that handle federal contract information (FCI) or controlled unclassified information (CUI). There is a significant exception for contracts solely for the acquisition of commercially available off-the-shelf (COTS) items, which will not be subject to CMMC requirements. A DoD service or component may also waive CMMC for a given acquisition “[i]n very limited circumstances[.]” 32 C.F.R. § 170.5(d).
We note that there is some ambiguity in DoD’s regulations regarding exactly which solicitations and contracts will include the CMMC Program’s requirements during Phase 1 of the rollout. The reason for this is that DoD implemented CMMC in two complementary regulations, 32 C.F.R. Part 170 and 48 C.F.R. Subpart 204.75, which have differing language. The former contemplated including CMMC Level 1 (Self) or Level 2 (Self) requirements in “all applicable DoD solicitations and contracts” (i.e., those that involve FCI/CUI, are non-COTS, and for which waiver is not appropriate). See 32 C.F.R. § 170.3(e)(1) (emphasis added). (See our September 2025 article for a detailed explanation of the various CMMC levels.) By contrast, the final rule implementing 48 C.F.R. Subpart 204.75 stated: “During the first three years of the phased rollout, the CMMC requirement will be included only in certain contracts for which the CMMC Program Office directs DoD component program offices to include a CMMC requirement.” 90 Fed. Reg. 43560, 43573 (Sept. 10, 2025) (emphasis added). The text to be codified at 48 C.F.R. § 204.7504(a) similarly states that, until November 9, 2028, the DoD program office will determine whether to include a CMMC requirement, whereas after that date, CMMC will be required any time FCI or CUI is processed, stored, or transmitted. See id. at 43575.
This regulatory ambiguity presents challenges for defense contractors seeking to understand when they should expect to see CMMC requirements in their solicitations and contracts and, if CMMC applies, which level will be assigned.
In addition, we have identified a few instances of inconsistencies in DoD sub-agencies’ rollout of the new solicitation provisions. For example, when the new CMMC provision at DFARS 252.204-7025 appears in a solicitation, the contracting officer must complete the provision’s fill-in to identify the applicable CMMC level. In one recent solicitation, the contracting officer included the CMMC provision but failed to complete the fill-in identifying the relevant CMMC level. In contrast, in another solicitation issued by a different DoD element, the agency wrote that it “anticipates that all solicitations and contracts issued on or after November 10, 2025 will require Basic (Level 1) certification or higher[,]” and defense contractors “not certified at Basic (Level 1) or higher [] will not be eligible to receive a contract award” (emphasis added).
Staying abreast of the different approaches taken by DoD and its sub-agencies in their implementation of the CMMC Program will require contractors to carefully review non-COTS solicitations and contracts to ensure that they understand whether CMMC applies and, if so, what level of certification they must achieve to meet their compliance obligations. Venable will continue to monitor DoD’s application of CMMC requirements to solicitations and contracts. If you have any questions, do not hesitate to contact the authors of this article or any professionals in Venable’s Government Contracts Group or Cybersecurity Services team.