The CMMC Rule is Here: What Contractors Need to Know

The Department of Defense (DoD) recently published in the Federal Register its long-awaited final rule (the Rule) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to formally implement the Cybersecurity Maturity Model Certification (CMMC) program. The Rule, effective November 10, 2025, will move CMMC from a policy framework into binding contractual obligations for most defense contractors.
The Rule makes CMMC a condition of eligibility for most contract awards and continued performance, reinforced by annual affirmations of continued compliance from senior officials within the contractors’ organizations and flowdown obligations that extend across the supply chain. DoD has also adopted a two-phase implementation approach: during the first three years, program offices may decide when and how to insert CMMC into solicitations, and beginning in November 2028, CMMC compliance will be mandatory—in some form—for essentially all DoD contracts, excluding procurements that are solely for commercially available off-the-shelf (COTS) items.
Once implemented, CMMC requirements will impose new compliance obligations. Although it is uncertain how often CMMC requirements will appear in solicitations over the next three years, contractors should expect uneven application of requirements in the near term, heightened enforcement exposure through the False Claims Act (FCA) and greater accountability for subcontractor compliance. The following sections highlight the key elements of the Rule and their implications for companies operating in the defense supply chain.
What the CMMC Rule Means for Contractors
The Rule establishes a new baseline for DoD contractor cybersecurity compliance. While the framework has existed in regulation for several years, it had no contractual effect without implementing DFARS clauses. The Rule changes that by embedding CMMC into the DFARS through DFARS 252.204-7021 and 252.204-7025, making certification and annual affirmations a binding condition of award and performance, even for contracts that involve only the receipt of Federal Contract Information. Contractors will need to demonstrate compliance not only to win new awards but also to maintain eligibility throughout contract performance.
CMMC Levels of Compliance
The Rule identifies three levels of compliance, each tied to the sensitivity of information being processed, stored or transmitted on a contractor’s information system:
- Level 1. Applies to information systems that handle only Federal Contract Information (FCI). Companies at this level must complete an annual self-assessment and post results in the Supplier Performance Risk System (SPRS). These assessments do not require a third-party review, but an affirming official must attest to compliance each year.
- Level 2. Applies when contractor systems handle Controlled Unclassified Information (CUI). Depending on the program office’s determination, the required assessment may be performed internally (self-assessment) or externally by a Certified Third-Party Assessment Organization (C3PAO). Results must be recorded in SPRS and supported by annual affirmations.
- Level 3. Reserved for contracts involving the most sensitive types of CUI, often associated with national security missions or programs where compromise could have a direct impact on military or defense operations. Examples include controlled technical information, weapons system design data or other critical defense technologies that require enhanced protection. At this level, assessments are conducted directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Contractors must maintain a current certification and continue to submit annual affirmations in SPRS.
Given the breadth of the FCI definition, contractors should assume that nearly all non-COTS DoD contracts will be subject to at least Level 1 requirements, making CMMC a baseline obligation across the defense supply chain.
Certification Timing and Conditional Status
The Rule also sets standards for when certifications are valid:
- Level 1: Certification must be no older than one year, supported by an annual affirmation of compliance.
- Levels 2 and 3: Certifications may be valid for up to three years, provided an annual affirmation of compliance is submitted.
In all cases, contractors must have a current certification in SPRS at the time of award and maintain that status through performance and option periods. However, at Levels 2 and 3, companies may receive a contract award with a conditional certification if they have an approved Plan of Action and Milestones (POA&M) in place. Conditional status is valid for up to 180 days, during which all remediation must be completed.
Definition of CUI
The Rule incorporates the very broad definition of CUI codified at 32 CFR as meaning “information the Government creates or possesses, or information an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls” (32 CFR 2002.4(h)). This definition is decidedly broader and more unwieldy than the narrower definition of “covered defense information” (CDI) protected under the current DFARS 252.204-7012. For companies that have scoped their current DoD cybersecurity compliance to the narrower CDI definition, transitioning to the broader CUI definition may expand the scope of covered systems and create new compliance challenges.
Flowdowns to Subcontractors
The Rule makes clear that CMMC obligations extend beyond prime contractors and apply throughout their supply chain. Specifically, prime contractors must flow down their CMMC obligations to any subcontractor or supplier that will process, store or transmit FCI or CUI in connection with contract performance.
Notably, prime contractors are responsible for verifying that each covered subcontractor or supplier holds a current certification at the appropriate level before sharing FCI or CUI or awarding the subcontract. Because access to SPRS is limited to the entity that owns the certification, primes cannot view subcontractor status directly and must rely on documentation provided by the subcontractor (such as SPRS screenshots or copies of certificates). This requirement introduces an added layer of diligence for prime contractors, who will need to build processes for confirming subcontractor compliance and ensuring that CMMC obligations are appropriately enforced throughout their supply chains.
False Claims Act Risk
The Rule significantly raises the stakes for inaccurate or incomplete cybersecurity representations. Because CMMC certification is now a prerequisite for contract award and continued performance, any misstatement about certification status in SPRS may be viewed as material to the government’s payment decision. In addition, the requirement for an affirming official to make annual attestations of continuous compliance creates recurring points of potential exposure if those affirmations are made without a reasonable basis. Conditional certifications supported by POA&Ms and prime contractor obligations to verify subcontractor compliance add further pressure points.
At the same time, for contractors subject to Level 2 (C3PAO-reviewed) or Level 3 (DIBCAC-reviewed) assessments, the involvement of an outside assessor may help mitigate FCA risk by providing independent validation of the company’s cybersecurity posture. While not a shield against allegations of false statements, concealment or reckless disregard, good-faith reliance on an external review can strengthen a defense if compliance is later challenged.
Together, these provisions heighten the risk that inaccurate postings or attestations could give rise to FCA liability, underscoring the importance of robust internal verification before making any certification or affirmation under the Rule.
Phased Implementation Timeline
The Rule establishes a two-phase implementation framework that departs from DoD’s earlier step-by-step rollout. Instead of a uniform sequence, contractors now face a more flexible—but less predictable—two-phase structure:
- Phase 1 (November 10, 2025–November 10, 2028): For the first three years, program managers decide whether to include CMMC in solicitations and contracts. Any of the three levels may be required during this period, but inclusion is discretionary. Contracts solely for COTS items remain exempt.
- Phase 2 (Beginning November 10, 2028): After the three-year discretionary period, CMMC requirements become mandatory across all covered DoD contracts. Because FCI is defined broadly, this means that in practice almost all DoD contracts will be subject to at least some level of CMMC, with only COTS-only procurements excluded.
This structure creates variability across programs. Some will incorporate CMMC requirements immediately, while others may defer until the universal mandate takes effect in 2028. As a result, contractors must closely review solicitations to identify whether CMMC applies, which level is required and how related flowdown obligations may affect subcontracting relationships. Proactive compliance planning during Phase 1 will be critical to avoid surprises as program offices exercise their discretion.
Next Steps for Contractors
The Rule leaves contractors with a relatively short runway to prepare, particularly given the uneven way CMMC will appear in solicitations during the next three years. To stay ahead of shifting requirements, contractors should focus on the following priorities:
- Review and assess internal definitions of CUI. Conduct an inventory of the CUI that the company regularly handles and determine whether internal definitions must change to reflect the broad CUI definition rather than the narrower CDI definition.
- Assess readiness. Identify the CMMC level likely to apply, conduct internal gap assessments against that level’s requirements and identify remediation needs early, including the development of a system security plan. Pay particular attention to the new required protections for FCI.
- Develop a POA&M strategy. Anticipate the possibility of conditional certification, with clear timelines and resources allocated to close out deficiencies within the 180-day window.
- Engage with business units. Map which information systems handle FCI or CUI and confirm proper scoping for certification purposes, anticipating the required level of compliance.
- Plan for affirmations. Identify who within the organization will serve as the affirming official and ensure they have reliable processes to validate compliance before signing annual attestations.
- Address supply chain exposure. Update subcontract templates to incorporate DFARS 252.204-7021 flowdown language and build processes for tracking subcontractor compliance.
- Monitor solicitations. During the three-year discretionary phase, track which program offices are inserting CMMC clauses and at what levels. Requirements will vary contract by contract.
- Evaluate and update training and communication across the company. These efforts should include the C-Suite and Boards of Directors to ensure that everyone is prepared and has a clear understanding regarding the company’s approach to compliance.
These steps may help contractors reduce the risk of missed obligations, but the combination of contractual enforcement and potential FCA exposure underscores the importance of carefully tailoring compliance strategies to specific programs and contract terms.