Wilson Sonsini Goodrich & Rosati

[co-author: Tony Misher]

On September 10, 2025, the Department of Defense (DoD) issued a final rule adding new Subpart 204.75 – Cybersecurity Maturity Model Certification Compliance, to the Defense Federal Acquisition Regulation Supplement (DFARS). The new subpart sets forth Cybersecurity Maturity Model Certification (CMMC) program definitions, policies, and procedures and, perhaps most noteworthy for contractors, a new provision and clause to be included in certain DoD solicitations and contracts that will require contractors to have achieved a specified CMMC level in order to be eligible for award. On November 10, 2025, CMMC program requirements will begin appearing in DoD contracts.

The Clause: DFARS 252.204-7021

DFARS 252.204-7021 will be implemented in two phases to minimize financial impacts to industry, especially small businesses, and disruption to the existing supply chain. From November 10, 2025, until November 10, 2028, DFARS 252.204-7021 will apply to all solicitations and contract actions when the government determines that the contractor must have a specific CMMC level. Starting on November 10, 2028, the clause will be included in solicitations and contract actions where the government determines contract performance will involve use of contractor information systems to process, store, or transmit Federal Contract Information (FCI) or controlled unclassified information (CUI). The clause does not apply to commercially available off-the-shelf acquisitions.

The clause creates many compliance requirements for contractors, chief among them:

  1. Achieve and maintain, for the duration of the contract, a CMMC status and level[1] at or higher than that identified in the contract. If a contractor does not have the requisite CMMC level, they will be ineligible for award (see below).
  2. Only use information systems to store, process, or transmit FCI or CUI that have the CMMC level and status specified by the contract.
  3. Before awarding a subcontract, ensure the subcontractor has a CMMC level and status at the required CMMC level for information systems used to store, process, or transmit FCI or CUI—and include the clause in the subcontract where the subcontractor will be required to store, process, or transmit FCI or CUI.
  4. Report in Supplier Performance Risk System (SPRS) on an annual basis and maintain as current an affirmation of continuous compliance for each self-assessment, C3PAO assessment, or DIBCAC assessment required under the contract.

The new compliance obligations are significant and place a continuing responsibility on contractors to affirm their risk management practices and to monitor subcontractor compliance. Additionally, they create potential new risks of liability associated with the False Claims Act.

The Provision: DFARS 252.204-7025

When the clause is to be included in a solicitation, so too is a new provision, DFARS 252.204-7025. This provision tells contractors that they “will not be eligible for award of a contract, task order, or delivery order” if the offeror does not have in SPRS 1) a current CMMC status at the CMMC level required by the solicitation and 2) a current affirmation of continuous compliance. In other words, a proposal or quote will not even be competitive unless the contractor has previously reported its CMMC and compliance status in SPRS. Moreover, DFARS 252.204-7025 also requires contractors with a CMMC status of Conditional to close out any plan of action and milestones within 180 days of the Conditional CMMC Status Date to achieve a CMMC status of Final, as well as to provide in their proposals the CMMC UIDs issued by SPRS. This allows the contracting officer to know which of the contractor's information systems will be used to store, process, or transmit FCI or CUI.

Contracting Officer Responsibilities

Under the new rule, the program office sets the required CMMC level and status for a given acquisition. Contracting officers are required to check SPRS for a contractor’s CMMC level and status before awarding any contract to confirm eligibility for award, as well as before exercising any option or extending the period of performance.

Next Steps

Now that CMMC compliance will be required in certain DoD contracts starting November 10, 2025, contractors should evaluate their programs to ensure they are (or remain) eligible for DoD contracts requiring CMMC compliance. Steps to consider taking in the near term may include:

  1. Review or enter CMMC status in SPRS.
  2. Keep a record of Unique Identifiers.
  3. Close out any plan of action and milestones as soon as possible to ensure achieving Final status.
  4. Develop a schedule to have regular internal reviews of CMMC compliance.
  5. Schedule a C3PAO assessment if one has not been done yet. Note that experience has shown C3PAO availability is limited and demand for assessments will likely increase because of this new rule.
  6. Review subcontract templates and supplier agreements to ensure they include the new clause as a flow down; review 32 U.S.C. § 170.23 to understand how to flow down CMMC levels to subcontractors and suppliers.
  7. Ask subcontractors and suppliers for screenshots of their CMMC status in SPRS (since contractors can only see their own information in SPRS).

[1] There are three CMMC levels which are keyed to the types of assessments used by the contractor. They are Level 1: contractor self-assessment, Level 2: self or CMMC third party assessment organization (C3PAO) assessment, and Level 3: assessment by the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Levels can have a status of either Final or Conditional.