DoD Announces Final CMMC DFARS Rule

On September 10, 2025, the Department of Defense (DoD) issued a Final Rule officially incorporating the Cybersecurity Maturity Model Certification (CMMC) Program into the Defense Federal Acquisition Regulation Supplement (DFARS). The Final Rule establishes the processes for integrating the CMMC requirements into DoD contracts and subcontracts and creates two new contract clauses that make CMMC compliance a condition for award. The Final Rule is effective November 10, 2025, which gives entities a brief window of time to familiarize themselves with the Rule before DoD officially starts the rollout process in all DoD contracts that involve processing, storing or transmitting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Background

This Final Rule comes almost a year after the DoD published its Final Rule implementing the CMMC Program at 32 C.F.R. 170, which we covered in a previous blog post. While cybersecurity safeguarding requirements have long existed for DoD contracts, the CMMC Program establishes a three-tiered assessment framework to enforce the requirements. The Contracting Officer (CO) is charged with selecting which tier or level applies to a solicitation, based on the type and level of information expected to be used during performance. The required cybersecurity controls, and whether self-assessment is permitted or external assessment is required, depend on which level the CO selects:

  • Level 1 requires contractors to comply with 15 basic information security controls, listed at FAR 52.204-21. This level requires contractors to conduct an annual self-assessment and to attest annually to their compliance with these requirements. Contractors are required to upload documentation relating to the self-assessments and self-attestations into the Supplier Performance Risk System (SPRS).
  • Level 2 builds on the requirements of Level 1 by adding the 110 security controls specified in NIST SP 800-171 and includes the same annual attestation requirements. Depending on the type of CUI, entities must either receive a third-party certification by a CMMC Third-Party Assessment Organization (C3PAO) or self-assess every three years. Whether third-party certification is required is for the CO to decide.
  • Level 3 builds on the requirements of Level 2 by incorporating 24 additional security controls. To be certified at Level 3, contractors must be certified at Level 2 by a C3PAO and must then pass an assessment conducted by Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This assessment, which focuses on the additional Level 3 controls, must be conducted at least once every three years. Contractors must also attest their compliance with these requirements annually and upload attestations into SPRS.

Now, through the new DoD Final Rule, these elements of the CMMC Program will be incorporated into contractors’ and subcontractors’ contractual requirements.

Phased Rollout

As outlined at 32 C.F.R. 170.3, the DoD is implementing the CMMC program’s accreditation and assessments through four phases over the course of four years. The phases are:

  • Phase 1 – Commences November 10, 2025
    The DoD will require Level 1 self-assessment and Level 2 self-assessment as a condition of contract award. COs also have the discretion to require Level 2 C3PAO assessment if they deem it necessary.
  • Phase 2 – Commences November 10, 2026 (i.e., one year after the start of Phase 1)
    Building on Phase 1 requirements, the DoD will also require Level 2 C3PAO assessment as a condition of contract award. COs also have the discretion to make Level 2 C3PAO assessment a requirement for option periods, and to require Level 3 certification if they deem it necessary.
  • Phase 3 – Commences November 10, 2027 (i.e., one year after the start of Phase 2)
    Building on Phase 1 and 2 requirements, the DoD will also require Level 2 C3PAO assessment as a condition of contract award and as a condition to exercise a contract option. DoD also intends to require Level 3 certification as a condition of contract award on appropriate contracts and may also include it as a condition for the extension of an option period under existing contracts.
  • Phase 4 – Commences November 10, 2028 (i.e., one year after the start of Phase 3)
    The DoD will include all requirements of the CMMC Program in all solicitations and contracts, including as a condition for exercising all option periods going forward for contracts awarded prior to Phase 4.

In summary, the Final Rule reveals that DoD will gradually increase the level of cybersecurity protocols that contractors and subcontractors are contractually obligated to follow. That said, COs have the discretion to impose third-party accreditation requirements on a more accelerated basis, including as soon as November 10, 2025.

Key Takeaways from the Final Rule

New Clauses

Starting on November 10, contractors and subcontractors will see two new DFARS clauses, a revised DFARS 252.204-7021 and a new DFARS 252.204-7025, in DoD contracts that require processing, storing, or transmitting CUI or FCI. Although contracts solely for the acquisition of commercial off-the-shelf (COTS) items are exempt from these requirements, whether this exemption applies is entirely within the CO’s discretion. Notably, a CO is permitted to add these provisions to solicitations issued prior to November 10, as long as the resulting contract is awarded on or after that date.

The updated DFARS 252.204-7021 establishes that compliance with the designated CMMC tier is a condition for award for any contract or subcontract that contains this clause. It describes CMMC compliance requirements, incorporating much of the language laid out at 32 C.F.R. 170. The clause also clarifies certain phrases that gave commenters pause during the rulemaking process, such as defining what is considered “current” in the realm of CMMC certification and what is covered by FCI.

DFARS 252.204-7025, which shall be included in every solicitation and contract in which DFARS 252.204-7021 appears, provides notice of the CMMC level that an entity must possess prior to award. Under both clauses, the CO will specify which CMMC level is required to be eligible for award. Contractors are required to possess that CMMC level, or higher, at the time of award and must maintain that level, or higher, throughout the performance of the contract.

Accreditation and Affirmations

The CMMC Program imposes various assessment, accreditation, and affirmation requirements that vary depending on the CMMC level and must occur and be documented on either an annual or a triennial basis. On top of ensuring proper accreditation, the Final Rule reminds companies that there are annual reporting requirements that a contractor, through its affirming official, must comply with. The affirming official is the designated individual at the company tasked with ensuring continued CMMC compliance at the company. For example, the affirming official must annually affirm the company’s continued compliance with the CMMC level for each of its CMMC Unique Identifiers (CMMC UIDs). They must also maintain an annual affirmation of the company’s compliance in SPRS for each self-assessment and each C3PAO and DIBCAC assessment.

Keeping track of these differing requirements can be confusing, and contractors should have systems in place to avoid inadvertently lapsing and falling out of compliance. Contractors that make erroneous self-assessments or attestations will be subject to contractual enforcement measures as well as liability under the False Claims Act.

Subcontracting

The Final Rule reiterates that subcontractors must also comply with the requirements of the CMMC program if under their subcontract they will be processing, storing, or transmitting FCI or CUI—and that prime contractors are responsible for ensuring subcontractor compliance. Therefore, prime contractors are responsible for flowing down DFARS 252.204-7021 and DFARS 252.204-7025, and for confirming subcontractors are compliant with the requisite CMMC tier, before they award a subcontract.

This poses a challenge for several reasons, the primary one being that, at this time, prime contractors can only confirm their own CMMC certificate and self-assessment information in SPRS, not that of potential subcontractors. As a result, prime contractors should require prospective subcontractors to submit documentation of their CMMC compliance as a condition for awarding a subcontract. The Final Rule confirms that subcontractors can provide prime contractors with prints or screenshots of their CMMC status and affirmation information in SPRS. They can also send copies of their CMMC certification for Level 2 (C3PAO) and Level 3 (DIBCAC).

Additionally, during performance, prime contractors must submit annual affirmations of their subcontractors’ CMMC compliance. This will require continued communication between the prime and subcontractor to ensure CMMC requirements are met and maintained. Ultimately, a subcontractor’s CMMC level, and the maturity of its compliance approach, are likely to become significant considerations for prime contractors when selecting subcontractors.

Assessor Backlogs

Another consideration for contractors is the current backlog of third-party assessors. This has been a persistent problem since the CMMC Program rolled out last year, which is why we continue to recommend that entities get in line for third-party assessment as soon as possible if they believe they will need it. Subcontractors will be under an even more intense time crunch, given the requirement that prime contractors confirm the cyber compliance of prospective subcontractors before entering into a subcontract. Prime contractors will be looking for this certification before considering potential teaming arrangements. For this reason, while the phased rollout may give the impression that there is more time to adjust, companies should act expeditiously to obtain any third-party assessments they are likely to need.

Conclusion

The long-delayed CMMC reckoning is upon us! While the rollout of the requirements will be phased, companies should act early in response to the requirements to be in a better competitive position and mitigate any issues created by assessor backlogs.

Miles & Stockbridge’s government contracts lawyers can counsel government contractors as they navigate the CMMC program and its potential requirements for their solicitations and contracts.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.

Authors: Roger Abbott (Principal), Adam A. Bartolanzo (Principal), Kathryn J. Carlson (Associate)