2025-09-18

In August 2024, the Department of Defense (DoD) released a proposed amendment to the Defense Acquisition Regulations Supplement (DFARS) – which provides acquisition policies and procedures for the DoD – that would make the Cybersecurity Maturity Model Certification (CMMC) program a required part of the DoD’s contracting process. The CMMC program is a cybersecurity framework designed for federal contractors and subcontractors to safeguard two particular categories of information: federal contract information (FCI) and controlled unclassified information (CUI). FCI is defined as information provided by or generated for the government under a contract that is not intended for public release, and CUI is sensitive information that requires safeguarding under law, regulation, or government policy but is not classified.

CMMC Program Rule and Procurement Rule History

In December 2024, the DoD finalized part one of the CMMC requirements through the CMMC Program Rule that established the CMMC program. The Program Rule outlines security safeguards and other requirements that covered contractors and subcontractors must implement. The CMMC program sets forth three levels of security compliance:

Level 1: This level is for contractors who handle FCI and includes basic safeguarding, which is verified through an annual self-assessment.

Level 2: This level is for contractors who handle CUI and includes intermediate requirements. Depending on the solicitation, contractors may complete either a self-assessment or an independent third-party assessment via a Certified Third-Party Assessment Organization.

Level 3: This is the highest level, requiring compliance with all requirements for Level 1 and Level 2 contractors along with a government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center.

On September 10, 2025, the DoD issued part two of the CMMC requirements through the CMMC Procurement Rule. This Rule formalizes cybersecurity as a condition of doing business with the DoD, requiring contractors and subcontractors to demonstrate they meet the specified security standards before accessing FCI and CUI. For the defense industrial base, the Rule has significant implications for contract eligibility, subcontractor oversight, and ongoing compliance.

Scope of the Final Procurement Rule

CMMC requirements apply to any DoD contract where a contractor will process, store, or transmit FCI and/or CUI. The rule carves out several exclusions, such as for contracts solely for commercial off-the-shelf items, which are commercial products sold ready-made to the general public. Additionally, subcontractors that do not handle FCI or CUI under their subcontract are not required to certify.

The Final Procurement Rule replaces the term “DoD unique identifier” with “CMMC Unique Identifier.” Each certification will generate a unique identifier, which will be logged in the Supplier Performance Risk System, the DoD’s procurement risk analysis tool.

Flow-Down and Subcontractor Responsibilities

Under the Final Procurement Rule, prime contractors must ensure subcontractors handling FCI or CUI meet the appropriate certification levels. Subcontractors must be certified at the correct level before work begins. If a subcontract involves handling FCI or CUI, the subcontract must include CMMC requirements. In addition, prime contractors and subcontractors may not share FCI or CUI downstream with entities that lack certification.

Foreign Subcontractors

There is no specific prohibition on sharing FCI or CUI with foreign contractors or subcontractors as long as they are certified at the appropriate level. Any CUI marked NOFORN (no foreign dissemination) may not be disseminated to foreign governments, foreign nationals, foreign or international organizations, or non-US citizens. CMMC does not change this rule. However, generally, foreign subcontractors will be subject to the same requirements as any domestic subcontractors. Each contractor is responsible for identifying the appropriate CMMC level for all its subcontractors based on the type of information they have access to.

Conditional Certifications

For a contractor who has not yet been certified due to deficiencies in meeting CMMC requirements, the Final Procurement Rule allows for Level 2 and Level 3 contractors to obtain a conditional certification valid for up to 180 days. Awards may be made during this conditional period. Within the 180 days, the contractor must document and execute a Plan of Action and Milestones to resolve deficiencies. If the contractor does not remediate and achieve final certification by the end of the 180-day period, this could result in loss of eligibility or liability for misrepresentation.

Continuous Compliance

CMMC is not a one-time “check-the-box” requirement that is important only for contract award. The Final Procurement Rule makes clear that contractors must maintain compliance with the required certification level throughout contract performance. Certification status can be re-validated during the contract life cycle.

Removed Reporting Requirement

Under the Final Procurement Rule, CMMC no longer requires contractors to notify the contracting officer of security incidents. DFARS 252.204-7012 governs incident reporting for contracts that entail covered defense information. Under this DFARS clause, contractors must report certain cyber incidents that affect covered defense information to the DoD. Contractors must still comply with DFARS 252.204-7012 requirements where applicable, but there is no additional CMMC incident reporting requirement.

Gradual Roll-out

The Final Procurement Rule takes effect on November 10, 2025, but the requirements will roll out gradually. Only some solicitations will include CMMC requirements, based on DoD’s determination, for the first three years. From year four onward, CMMC will apply to all contracts where contractors handle FCI or CUI (excluding commercial off-the-shelf products). This staggered rollout gives companies time to prepare for CMMC compliance. Still, contracts may begin requiring certification as soon as the rule becomes effective.

Importance of CMMC Compliance

Without CMMC certification, contractors will not be able to compete for covered contracts. Furthermore, if a contractor loses certification during performance, this could trigger termination for default. Certification status will also be an important diligence and valuation factor in business transactions involving defense contractors, such as mergers and acquisitions.

What Contractors Should Do Now

Contractors should begin assessing CMMC compliance by conducting a gap analysis against applicable CMMC requirements. In addition, contractors should review subcontractor agreements to incorporate flow-down requirements and risk allocation, paying close attention to key clauses such as indemnification. Contractors will also need to implement monitoring systems for subcontractor certification status and educate their internal business units and teams on CMMC obligations.

Conclusion

Since the CMMC final rule makes cybersecurity certification a contractual prerequisite for doing business with the DoD, federal contractors and subcontractors must prepare now by aligning systems with the new standards, strengthening oversight of their supply chains, and ensuring continuous compliance. Early action will be critical to preserving eligibility, protecting business opportunities, and reducing legal and financial risks as DoD phases in CMMC enforcement.