On September 10, 2025 the Department of Defense (DoD) issued its final rule (Rule) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate the Cybersecurity Maturity Model Certification (CMMC) program, a cybersecurity framework for evaluating a DoD contractor's information security protections. The Rule sets out enhanced cybersecurity requirements for Pentagon contractors and includes phased implementation requirements that affect differently situated contractors over the course of the next several years. It follows the release of the final CMMC program rule in October 2024, which itself laid out the mechanisms DoD will use to certify contractor compliance with the certification program requirements.
The Rule, which applies to unclassified contractor information systems, enshrines the CMMC policies and procedures in DFARS. Once operative, DoD contracting officers must determine the CMMC status required for an acquisition and include that status in each solicitation, as specified by the relevant DoD program office or requiring activity (the entity needing the goods or services).
Requirements
The Rule requires DoD contractors to maintain a current CMMC status in the Supplier Performance Risk System (SPRS), submit a CMMC unique identifier (UID) for each system that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in the course of performing a relevant contract, and complete annual affirmations of compliance. It further imposes flow-down CMMC requirements on subcontractors handling FCI or CUI via 32 CFR 170.23.
Continued compliance with 32 CFR 170 is required for the life of any contract that carries a CMMC requirement.
The CMMC sorts relevant systems into one of three levels:
| Level | Scope | Assessment Type | Requirements | Validity |
| --- | --- | --- | --- | --- |
| 1 | Contractor information systems that process, store, or transmit FCI only | Self-assessment | (i) Implement the basic safeguarding requirements of FAR 52.204-21. (ii) Annual affirmation of continuous compliance by an affirming official. (iii) Must have Final Level 1 status in SPRS at time of award. | Assessment not older than 1 year |
| 2 | Contractor systems handling CUI where a third-party assessment is not required | Self-assessment, or third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) | Self-assessment: (i) Implement the 110 NIST SP 800-171 R2 controls. (ii) Annual affirmation in SPRS. (iii) Can be conditional or final. C3PAO assessment: same as above but validated by a C3PAO; can be conditional or final. | Conditional (both): not older than 180 days. Final (both): not older than 3 years, with annual affirmation. |
| 3 | Systems handling highly sensitive CUI or supporting critical DoD missions | Government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) | (i) Implement enhanced security requirements beyond the 110 NIST SP 800-171 R2 controls, including 24 from NIST SP 800-172. (ii) Can be conditional or final. | Conditional: not older than 180 days. Final: not older than 3 years, with annual affirmation. |
Following a system assessment, each contractor will receive a CMMC Unique Identifier (UID) and one of the following SPRS statuses:
- Final Level 1 (Self)
- Conditional Level 2 (Self)
- Final Level 2 (Self)
- Conditional Level 2 (C3PAO)
- Final Level 2 (C3PAO)
- Conditional Level 3 (DIBCAC)
- Final Level 3 (DIBCAC)
Once fully implemented, DoD contracting officers will be required to verify a contractor’s CMMC status in the Supplier Performance Risk System (SPRS) prior to (i) awarding contracts; (ii) exercising options; or (iii) extending periods of performance. The Rule is estimated to affect nearly 340,000 unique entities.
Timeline
The Rule will be rolled out in two phases:
- For the next three years, until November 10, 2028, CMMC requirements apply only if program offices choose to include them.
- From year four onward, beginning November 10, 2028, CMMC is mandatory for all contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), except contracts solely for commercially available off-the-shelf (COTS) items.
Changes from Draft Rule
The final Rule makes material changes from the previous draft rule:
- Clarifies various definitions.
- Removes the requirement to report information security lapses directly to contracting officers.
- Replaces "senior company official" with "affirming official."
- Requires subcontractors to submit affirmations of continuous compliance and the results of self-assessments in SPRS.
- Clarifies that subcontractor requirements apply only to subcontractor information systems that process, store, or transmit FCI or CUI during performance of the subcontract.
Four Action Items for DoD contractors:
- Assess the applicability of the Rule by identifying any current, pending, or proposed contracts that involve handling FCI or CUI, or that support critical DoD missions.
- Conduct either a self-assessment (where allowable) or obtain a C3PAO or DIBCAC assessment (as required), and create a UID for each relevant system through SPRS.
- Implement regular internal audit procedures of CMMC-relevant systems to maintain accurate, ongoing accounting of such systems and their SPRS status.
- Assess flow-down requirements to subcontractors that handle FCI or CUI and implement new legal and administrative procedures reflecting the Rule, such as including CMMC clauses in subcontracts and verifying subcontractor compliance.