
Final Rule on Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) has been a long-anticipated framework designed to bolster cybersecurity across the defense industrial base. After extensive development and revisions, the Department of Defense (DoD) has issued the final rule, effective November 10, 2025, which amends the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate CMMC requirements. This rule represents a significant advancement in ensuring that contractors handling unclassified information for the DoD maintain robust cybersecurity measures, addressing vulnerabilities that have been exploited in the past.

Comparison with Previous Requirements

The new CMMC rule builds upon the existing DFARS 252.204-7012 and NIST SP 800-171 requirements by adding a verification component through third-party assessments. While DFARS 252.204-7012 required contractors to implement NIST SP 800-171 controls, CMMC introduces a tiered certification process to ensure compliance. This shift from self-attestation to third-party verification aims to provide greater assurance of cybersecurity practices within the defense supply chain. The rule also clarifies definitions and procedures, such as the introduction of CMMC unique identifiers (UIDs) in the Supplier Performance Risk System (SPRS) and the requirement for continuous compliance affirmations, which were not explicitly detailed in previous regulations.

Broad Applicability of the New CMMC Rule

Beginning November 10, CMMC will apply to all DoD solicitations and contracts (except for contracts that are exclusively for commercially available off-the-shelf (COTS) items) that require contractors to store, process, or transmit federal contract information (FCI) or controlled unclassified information (CUI) on contractor information systems. The rule adopts the definition of COTS items from FAR 2.101. It is important to know that the rule also adopts FAR 52.204-21’s definition of FCI, which is extremely broad. Under that provision, FCI includes “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government,” but excludes information provided by the Government to the public or that which is necessary to process payments. FAR 52.204-21(a). Any system that processes, stores, or transmits FCI and is owned or operated by a contractor is covered under the new rule. FAR 52.204-21(a). CUI is information that the Government creates or processes, or that an entity creates or processes for or on behalf of the Government, which an agency is permitted to manage using safeguarding controls under any law, regulation, or Government-wide policy. 32 C.F.R. 2002.4(h). Taken together, these broad definitions of FCI and CUI mean that contractors should plan on every DoD contract, other than those exclusively for COTS items, requiring some level of CMMC compliance. The contracting officer will specify the required CMMC level in the solicitation and the applicable contract clause. Existing contracts can be modified at the contracting officer’s discretion to include CMMC assessments, so long as that is consistent with other contractual requirements.

Key Points of the New Rule

The final rule establishes a phased implementation of CMMC requirements, mandating that contractors achieve a specific CMMC level before contract award. The rule introduces a framework for assessing contractor compliance with cybersecurity requirements, including self-assessments and third-party assessments. Contractors must maintain their CMMC status throughout the contract's duration and provide affirmations of continuous compliance. The rule also specifies procedures for reporting and maintaining CMMC UIDs in SPRS. Notably, the rule allows for conditional CMMC statuses for levels 2 and 3, providing a 180-day window to achieve final certification, thus offering some flexibility while maintaining security standards.

Impact on Prime Contractors

In addition to satisfying the applicable CMMC requirements themselves, prime contractors are also responsible for ensuring that their subcontractors comply with the appropriate CMMC level. This includes flowing down CMMC requirements to subcontractors and verifying their compliance before awarding subcontracts. Prime contractors must also ensure that subcontractors maintain their CMMC status and provide the necessary affirmations in SPRS. This requirement emphasizes the need for primes to actively manage and monitor their supply chain's cybersecurity posture. However, the final rule also limits the flow-down requirements for subcontractors in two ways. First, the rule clarifies that subcontractors that do not process, store, or transmit FCI on their own systems during performance of the subcontract are not required to have a CMMC assessment. This means subcontractors that merely use the prime’s systems, but not their own, would not receive flowed-down CMMC requirements. Depending on the role of the subcontractor, it may or may not need to self-certify its CMMC compliance or obtain a CMMC assessment from a CMMC Third-Party Assessment Organization (C3PAO) or DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). If a subcontractor will only process, store, or transmit FCI (not CUI), then a CMMC Level 1 (Self) is required. If the sub will process, store, or transmit CUI, then a CMMC Level 2 (Self) is required. If a sub will process, store, or transmit CUI and the prime contract requires a CMMC Level 2 (C3PAO) or Level 3 (DIBCAC), then the subcontractor must have a CMMC Level 2 (C3PAO) status. 32 C.F.R. 170.23. Second, subcontractors are not required to share their CMMC assessment scores in SPRS with prime contractors, although respondents requested this during development of the CMMC final rule.

Before obtaining any CMMC assessment, the scope of the assessment must be specified. 32 C.F.R. 170.19. Specifying the scope requires contractors to consider the information systems, people, and facilities that process, store, or transmit FCI, or that will do so during the contract. All of these assets must be assessed against the applicable CMMC level requirements. For example, specialized assets are those that can process, store, or transmit FCI but cannot be fully secured, such as Internet of Things devices. For a Level 1 CMMC assessment, specialized assets are not within scope. However, they are within scope for CMMC Levels 2 and 3. Contractors must also consider any External Service Providers (ESPs) they use, as ESPs must meet certain requirements for CMMC Levels 2 and 3 depending on whether or not they are cloud service providers (CSPs). When an ESP is not a CSP, its services may be included in the contractor’s assessment scope. If the ESP is a CSP, it will have to meet the FedRAMP requirements of 48 C.F.R. 252.204-7012 when processing, storing, or transmitting CUI.

Prime contractors must thoroughly understand how their systems interact with, and are used by, those of each subcontractor in order to manage their subcontracts and determine which CMMC requirements need to be flowed down.

Impact on Small Businesses

The phased implementation of CMMC aims to minimize the financial impact on small businesses. However, small entities will need to invest in achieving the required CMMC level, which may include costs associated with assessments and compliance measures. The rule exempts contracts solely for commercially available off-the-shelf (COTS) items, providing some relief to small businesses that primarily deal in such products. Nonetheless, small businesses must prepare for the eventual requirement to comply with CMMC standards to remain competitive in the defense contracting space. The DoD has acknowledged the potential burden on small businesses and aims to provide resources and guidance to facilitate compliance.

Consequences of Noncompliance

The Department of Justice (DOJ) has shown that it is prepared to pursue charges under the False Claims Act (FCA) against contractors that misrepresent their cybersecurity practices. Just this year, several contractors have paid substantial sums for failing to meet cybersecurity requirements and falsely representing compliance with contractual requirements and NIST standards. In one particular case, a prime contractor used a third-party email service provider without requiring and verifying that the third party met FedRAMP security requirements, resulting in the contractor paying a settlement of $4.6 million. This illustrates the importance of vetting subcontractors and third parties and flowing down the appropriate requirements to them.

Moving forward, contractors should expect that the trend of enforcing cybersecurity compliance through FCA charges will continue. CMMC compliance will now provide another avenue for the DOJ to pursue these claims.

Conclusion

The final CMMC rule represents a significant advancement in securing the defense supply chain against cyber threats. Contractors must familiarize themselves with the new requirements and prepare for compliance to ensure continued eligibility for DoD contracts. As the implementation progresses, it is crucial for all stakeholders to stay informed and proactive in addressing cybersecurity challenges.

Tags

client alerts, government contracting and procurement, aerospace defense and government contracts