On September 9, 2025, the Department of Defense issued a long-awaited final rule regarding the
Cybersecurity Maturity Model Certification (CMMC). This final rule, which was published in the
Federal Register and amends the Defense Federal Acquisition Regulation Supplement (DFARS), serves as a means to codify the CMMC framework and create new obligations for contractors.
The purpose of the CMMC is to assess contractors’ implementation of cybersecurity requirements and aid in the protection of unclassified information related to the Department of Defense. All contractors working with federal contract information (FCI) or controlled unclassified information (CUI) will be subject to the CMMC requirements. The implementation of this rule is set to begin on November 10, 2025.
The CMMC Framework
Under the CMMC, contractors who work with FCI or CUI must comply with one of three levels of cybersecurity monitoring. The applicable level shall be determined by the sensitivity of the information handled.
- Level 1: Applicable to less sensitive FCI
  - Contractors will be required to complete an annual self-assessment and affirmation of continuous compliance.
  - This will be the most common level, likely to impact over 60% of participating entities.
- Level 2: Applicable to both FCI and CUI
  - Contracting officers will have the discretion to require either a self-assessment every three years or a verification check to be performed by a Certified Third-Party Assessor Organization every three years.
  - Additionally, contractors must provide an annual affirmation of continuous compliance.
- Level 3: Reserved for the most sensitive CUI
  - Certification must be performed by the Defense Industrial Base Cybersecurity Assessment Center every three years, and the contractor must provide an annual affirmation of continuous compliance.
The Implementation Timeline
The CMMC will be rolled out in a three-year implementation period which will officially begin on November 10, 2025, and take full effect by November 10, 2028.
Prior to November 20, 2028, the CMMC shall apply only if the contract or solicitation requires the contractor to have a specific CMMC level.
Beginning on November 10, 2028, the CMMC must be implemented in all contracts that require the processing, storing, or transmission of FCI or CUI, except for contracts and solicitations related to the acquisition of commercially available off-the-shelf (COTS) items.
Impacts of the CMMC
- Scope of CMMC: By 2028, it is expected that nearly 340,000 entities will be impacted by the CMMC, 68% of which will be small entities.
- Failure to Meet CMMC Standards: Upon its implementation, failure to meet CMMC standards will render a contractor ineligible for contract awards and for continued performance.
- Impacts on Subcontractors: If FCI or CUI will be shared, prime contractors are responsible for flowing down the CMMC requirements and ensuring that subcontractors meet the appropriate CMMC level prior to awarding the subcontract.
- FCA Liability: In 2021, the Department of Justice’s Civil Cyber-Fraud Initiative established that cybersecurity claims are actionable under the False Claims Act (FCA). Accordingly, contractors must act cautiously when completing self-assessments under Levels 1 and 2 of the CMMC, given that any “knowing” misrepresentations may result in FCA liability.