Department of Defense Issues Final Rule Implementing Contractor Requirements to Safeguard Sensitive Information
Friday, September 12, 2025

On September 10, 2025, the U.S. Department of Defense (“DoD”) published its final rule amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification (“CMMC”) program (the “CMMC DFARS Rule”).

The CMMC program is a DoD initiative that establishes tiered, enforceable cybersecurity requirements for contractors handling Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”), making verified protection of sensitive information a prerequisite for performing DoD contracts.

The CMMC DFARS Rule marks the next critical step in the rollout of the program. It follows the CMMC Policy Rule (codified at 32 CFR Part 170), published in October 2024, which established the program’s structure, assessment methodology, and governance framework. Where the CMMC Policy Rule defined the program in principle, the CMMC DFARS Final Rule makes compliance with CMMC an enforceable condition of contract eligibility.

Overview of CMMC Levels and Certification Requirements

The CMMC framework includes three levels of cybersecurity maturity, each corresponding to different types of information and varying degrees of required protections:

  • Level 1 focuses on basic cyber hygiene practices aimed at protecting FCI, corresponding to the 15 basic safeguarding requirements of FAR 52.204-21. Contractors at Level 1 demonstrate compliance through an annual self-assessment entered in SPRS, rather than a third-party evaluation.
  • Level 2 is an intermediate level intended to protect CUI and incorporates the 110 security requirements of NIST SP 800-171 Revision 2. Depending on the solicitation, Level 2 is satisfied either by a self-assessment or by a certification assessment conducted by a CMMC Third-Party Assessment Organization (“C3PAO”); DoD specifies which applies based on the sensitivity of the CUI involved.
  • Level 3 represents a proactive and robust cybersecurity posture for the most sensitive CUI and mission-critical programs, adding 24 selected requirements from NIST SP 800-172 on top of Level 2. A contractor seeking Level 3 must first hold a Level 2 C3PAO certification and then undergo a government-led assessment by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”), which provides independent validation of its controls and processes.

Under the CMMC DFARS Rule, contractors whose information systems process, store, or transmit FCI or CUI must obtain, and maintain throughout performance, a current CMMC status at the level specified in the solicitation. Each assessed information system receives a unique identifier (“UID”) in the Supplier Performance Risk System (“SPRS”); results of C3PAO and DIBCAC assessments are recorded in the CMMC instance of the Enterprise Mission Assurance Support Service (“eMASS”) and flow from there to SPRS. Contractors must submit the UIDs for the systems they will use with their proposals and keep them current throughout contract performance, and contracting officers verify CMMC status in SPRS before awarding contracts, task orders, or delivery orders.

In a notable flexibility relative to the proposed rule, the CMMC DFARS Rule distinguishes between conditional and final CMMC status. Conditional status may be granted at Level 2 or Level 3 when an assessment closes with an approved Plan of Action and Milestones (“POA&M”) covering a limited set of unmet requirements. A contractor with conditional status is eligible for award, but it must close out the POA&M within 180 days of the conditional status date or the status lapses; final status is contingent on successful closeout.

Potential Concerns and Scope Issues

The CMMC DFARS Rule does not fully resolve a concern, raised particularly by entities outside the traditional defense industrial base, that the program’s system-based scoping will lead to over-implementation of security controls. CUI designations attach to specific data, yet CMMC requirements attach to the systems that handle it, so an entire system can become subject to the full set of CUI safeguards on account of information that was misidentified as CUI.

Notably, the proposed rule establishing CUI safeguarding requirements in the Federal Acquisition Regulation (FAR), which would apply across the executive branch, would require agencies to list the specific information designated as CUI in the solicitation. Agencies could still categorize information incorrectly under the FAR proposal, but contractors would be able to challenge such errors directly. Under the CMMC DFARS Final Rule, by contrast, contractors simply receive notice that DoD has determined that CUI is present and that all relevant systems must implement the required safeguards, which creates uncertainty about the scope of their compliance obligations.

DoD could have addressed these concerns through programmatic guidance clarifying what falls in scope for organizations implementing CMMC, or by limiting the CUI that triggers CMMC to information that a law explicitly requires the private sector to safeguard. DoD declined to revise the definition of CUI, however, noting that the definition is administered by the National Archives and Records Administration and is therefore outside the scope of the CMMC DFARS Rule.

DoD could also have clarified that only information related to the performance of a DoD contract qualifies as CUI for CMMC purposes, so that, for example, Proprietary Postal Information unrelated to DoD but stored on a system supporting a DoD contract would not trigger CMMC requirements. Although the preamble suggests that CMMC covers only DoD-funded acquisitions, the operative text of the CMMC DFARS Rule applies to “information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract.” Because the qualifier “used in performance of the contract” modifies the systems rather than the FCI or CUI itself, it remains unclear whether non-DoD CUI residing on such a system could fall within CMMC requirements.

Phased Implementation

Although the CMMC DFARS Final Rule is effective November 10, 2025, DoD has announced a phased schedule for incorporating the new contract clause into solicitations over the following three years. During the phase-in period, the clause will be included only where the program manager or requiring activity specifically requires CMMC for the acquisition; after the three-year phase-in, it will be included in all solicitations and contracts involving information systems that process, store, or transmit FCI or CUI. Acquisitions solely for commercially available off-the-shelf (COTS) items are excluded from the clause altogether, both during and after the phase-in.

Conclusion

The CMMC DFARS Final Rule cements cybersecurity as a core contractual requirement for DoD contractors, reinforcing the importance of protecting FCI and CUI across the supply chain. While the tiered framework and assessment processes provide structure, uncertainties around scope and applicability—particularly for information not directly tied to DoD contracts—highlight the need for careful planning and proactive compliance. Contractors should use the phased implementation period to align their systems and processes with the CMMC requirements, address potential gaps, and understand the scope of their CUI to fully comply with requirements while seeking to avoid over-implementation or unnecessary controls.

More from Hunton Andrews Kurth