Don’t Fall Behind: The CMMC Final Rule to Update the DFARS is Here!
Monday, September 15, 2025

On September 10, 2025, the final rule to implement the Cybersecurity Maturity Model Certification (“CMMC”) program in the Defense Federal Acquisition Regulation Supplement (“DFARS”) was published with an effective date of November 10, 2025 (i.e., 60 days after publication). This is the trigger for the new CMMC clause to start appearing in solicitations and contracts.

The final rule aligns with the Title 32 Code of Federal Regulations (“CFR”) CMMC Program rule (effective December 2024; we previously analyzed here) and refers back to the Title 32 rule for many of its requirements. Most importantly, the final rule includes the text of the new DFARS clause (252.204-7021) that will be included in DoD contracts to spell out the CMMC obligations of contractors and subcontractors. That clause differs somewhat from the proposed version we analyzed here. The final rule also adds a notice provision (252.204-7025) for inclusion in solicitations.

Key Updates and Considerations

Many of the updates in the final rule are clarifications and minor changes to language in order to mirror what was established in the CMMC Program rule last year. However, there are some key updates and considerations reflected in DoD’s responses to comments received on the proposed rule (DoD received 97 public comments on the proposed rule), as summarized below.

  • CMMC UIDs – Each contractor CMMC assessment is assigned a CMMC unique identifier (“UID”) in Supplier Performance Risk System (“SPRS”). The CMMC UID is ten alpha-numeric characters. Companies must provide to the Contracting Officer the CMMC UID(s) for each information system that will process, store, or transmit FCI or CUI used in the performance of the contract.
    • With their proposals, offerors must provide the CMMC UIDs for each information system that will process, store, or transmit FCI or CUI during performance of the contract.
  • Affirming Official – The final rule uses the term “affirming official,” consistent with the Title 32 CMMC Program rule, replacing the previous term “senior company official” for who at the company may provide the annual affirmation of CMMC compliance.
  • Eligibility Requirements – The solicitation notice provision (DFARS 252.204-7025) provides that contractors will not be eligible for award unless they have: (a) the current CMMC status at the level required for the contract entered in SPRS; and (b) a current affirmation of continuous compliance with the requirements. These requirements apply to all of the information systems that will process, store, or transmit FCI or CUI and will be used in performance of the contract.
  • Reporting – The final rule eliminates a 72-hour reporting requirement that was in the proposed rule requiring notification for any “lapses in information security or changes in compliance with 32 CFR part 170.” This is a welcome change. DoD specifically notes that after consideration “an additional reporting requirement in this rule is not necessary to protect DoD information.” 90 FR 43562. It will rely on the incident reporting requirement currently at DFARS 252.204-7012 for this reporting.
    • Note, the final version of the DFARS clause maintains requirements for contractors to report their CMMC UIDs and information in SPRS (see below).
  • Subcontractor Management – The subcontract flowdown language in the DFARS clause was updated to clarify that subcontractors must submit affirmations of continuous compliance and the results of CMMC self-assessments in SPRS.
    • In response to comments on subcontractor management, DoD confirmed it will not share subcontractor CMMC information with prime contractors. DoD expects prime contractors to flow down the CMMC requirements and not share information with subcontractors that “have not indicated they meet the [requisite] CMMC level.” 90 FR 43566. Prime contractors should work with subcontractors to conduct verifications of subcontractor compliance. DoD suggests subcontractors might voluntarily share their CMMC SPRS assessment scores or certificates by printing or taking a screenshot in SPRS. 90 FR 43566.

A Phased Implementation Timeline

As a reminder, DoD adopted a phased implementation approach for CMMC. The final rule is effective, and Phase 1 of CMMC will begin, on November 10, 2025. Below is an overview of the four phases for CMMC implementation.

Note, the final rule states contracting officers may choose to include the new DFARS clause in a solicitation issued prior to November 10, 2025 where the resulting contract is awarded after that date. 90 FR 43565.

  • Phase 1 – Start date: November 10, 2025 (the date the CMMC Title 48 rule becomes effective). Impact: inclusion of the Level 1 (Self) or Level 2 (Self) requirement in applicable solicitations/contracts (as a condition of award).
  • Phase 2 – Start date: November 10, 2026 (one calendar year after Phase 1 begins). Impact: Level 2 (C3PAO) (third-party certification assessment) requirement in applicable solicitations/contracts (as a condition of award).
  • Phase 3 – Start date: November 10, 2027 (one calendar year after Phase 2 begins). Impact: Level 2 (C3PAO) as a condition for exercising option periods; and Level 3 (DIBCAC) requirement in all applicable solicitations/contracts (as a condition of award).
  • Phase 4 (full implementation) – Start date: November 10, 2028 (one calendar year after Phase 3 begins). Impact: full implementation of the CMMC requirements in all applicable solicitations and contracts, including option periods.

New DFARS 252.204-7021 Clause

Below are the requirements for contractors in the new DFARS 252.204-7021 clause per the final rule:

  1. Have and maintain a current CMMC status at the requisite CMMC level, or higher, for all information systems used in performance of the contract that process, store, or transmit FCI or CUI;
  2. Flow down the correct CMMC level to subcontracts and in other contractual instruments;
  3. Maintain the required CMMC level for the duration of the contract for all applicable information systems;
  4. Only store, process, or transmit FCI or CUI in information systems that have the required CMMC level or higher;
  5. Complete on an annual basis, and maintain as current, an affirmation (by the affirming official) of continuous compliance with the requirements associated with the requisite CMMC level in SPRS for each CMMC UID applicable to each information system used in performance of the contract;
  6. Ensure all subcontractors and suppliers complete prior to subcontract award, and maintain on an annual basis, an affirmation (by the affirming official) of continuous compliance with the requirements associated with the CMMC level required for the subcontract or other contractual instrument for each subcontractor information system used in performance of the subcontract;
  7. Where applicable, close out any valid plan of action and milestones to achieve a final CMMC Status from conditional status.

The clause also includes a section on reporting (DFARS 252.204-7021(e)). Contractors are to report to the Contracting Officer: (a) the CMMC UID(s) issued by SPRS for each information system that will process, store, or transmit FCI or CUI during performance of the contract; and (b) any changes to the CMMC UIDs generated in SPRS throughout the life of the contract.

Further, contractors must maintain in SPRS: (a) the results of current self-assessments for each CMMC UID, not covered by C3PAO or DIBCAC assessment, applicable to information systems used in performance of the contract; and (b) complete on an annual basis and maintain as current an affirmation (by the affirming official) of continuous compliance for each assessment required under the contract.

Important Updates & Reminders

As companies continue to prepare for CMMC, below are important reminders and updates to keep in mind.

  • The CMMC requirements will apply to almost all DoD solicitations and contracts – The rule will apply to acquisitions of commercial products or services (except for exclusively COTS procurements) and to procurements at or below the simplified acquisition threshold, but not to purchases at or below the micro-purchase threshold. In response to comments on the COTS exception, DoD provided limited clarity, simply reiterating the language in the rule that “Any awards that are exclusively for items that meet the FAR definition would be considered ‘exclusively COTS’ awards.” 90 FR 43562.
  • Don’t forget about your systems with Federal Contract Information – CMMC requirements apply to contractor systems that store, process, or transmit Controlled Unclassified Information (“CUI”) or Federal Contract Information (“FCI”) in performance of the contract. While CUI has been a focus for contractors, requirements for FCI will become more important as companies must provide attestations and confirm self-assessments for the 15 basic security controls for FCI.
  • CMMC Certification or Self-Assessment must be complete at contract award – DoD specifies Contracting Officers will not be able to make an award, exercise an option, or extend performance of a contract unless the CMMC requirements are met. The language was updated to require Contracting Officers to check SPRS prior to award to verify that the company has a current CMMC status in SPRS reflecting the CMMC level required.
  • Prime contractors will be responsible for compliance of subcontractors – DoD acknowledges prime contractors do not have access to the SPRS database to confirm compliance by subcontractors. However, prime contractors are expected to “conduct verifications” for subcontractor compliance. The rule also specifically states it does not exempt foreign suppliers from these requirements.
More from Sheppard, Mullin, Richter & Hampton LLP