Leveling Up: Will CMMC Contract Obligations Impact Your Organization?

Sheppard Mullin Richter & Hampton LLP

Will a final rule issued by the Department of Defense on September 10, 2025 (available here) cause companies to rethink their compliance approach? The rule – relating to the Cybersecurity Maturity Model Certification program or CMMC – will impact how defense contractors engage with the Department of Defense. (We wrote previously (here) about the separate, but related, CMMC rule that addressed substantive CMMC program requirements.)

This final rule will require defense contractors to affirm CMMC compliance under a phased approach, with full implementation by November 2028. The requirement will pose a significant hurdle for defense contractors, who will need to affirm their CMMC compliance in order to contract with the Department of Defense. The first implementation phase begins November 10, 2025 and addresses self-assessment and affirmation for entities that handle “FCI” (or basic Federal Contract Information) and “CUI” (or Controlled Unclassified Information). More detail about the requirements is in our sister blog post here.

Performing assessments and obtaining certification will likely require organizational change on many levels. It will include C-suite attestations and flow-down obligations to subcontractors. While obligations were already in effect before this rule, we expect CMMC to result in increased exposure under the False Claims Act if attestations are inaccurate.

Putting It Into Practice: Failing to get through the CMMC assessment and certification process can result in defense contractors losing their DoD business. Rushing through the assessment process, failing to involve key stakeholders, or otherwise misstepping, however, can create legal exposure for entities. In the face of this, companies should consider organizational change principles: engage key stakeholders, conduct reviews under privilege, and treat CMMC as a key governance risk, not an IT problem.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Sheppard Mullin Richter & Hampton LLP
