The Department of Defense (DoD) issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program. Effective November 10, 2025, the final rule establishes a framework for cybersecurity requirements in defense contracts, requiring contractors to verify that they’ve implemented required security measures to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Here are the key changes defense contractors and subcontractors should be aware of. 

Tiered Model of Cybersecurity Requirements 

CMMC adds assessment and certification requirements on top of cybersecurity obligations that already existed in defense contracts and prior government standards. These assessments allow the DoD to confirm that the security requirements for a specified CMMC level have been implemented and maintained throughout the contract's period of performance.

The final rule introduced a phased, three-year implementation, with full compliance required by November 2028. CMMC requirements will be gradually incorporated into new contracts and contract modifications, allowing government contractors time to adapt and implement necessary changes. By November 10, 2028, all contracts requiring the storage or transmission of FCI or CUI will be subject to the appropriate CMMC level. 

Based on the contract’s risk profile and the information’s sensitivity, it will be assigned one of three cybersecurity levels: 

Level 1  

Applies to FCI only. Requires contractors to perform an annual self-assessment against 17 required security practices (derived from FAR 52.204-21) and post the results in the Supplier Performance Risk System (SPRS).

Level 2 

Applies to CUI. Requires implementation of 110 controls based on NIST SP 800-171. Most contracts demand third-party certification by a CMMC Third-Party Assessment Organization (C3PAO). 

Level 3  

Applies to highly sensitive CUI. Includes controls based on NIST SP 800-172 and additional measures to counter Advanced Persistent Threats (APTs). Level 3 requires government-led assessments and certification from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years. 

Key Implications for Government Contractors 

Previously, cybersecurity requirements were often self-attested and loosely enforced. Now, contractors must have a current CMMC certificate at the required level and maintain it throughout the contract. Eligibility for award, option exercises, and extensions is conditioned on having a valid CMMC status recorded in SPRS.  

In addition to reaffirming compliance annually, government contractors are also required to keep their CMMC Unique Identifiers (UIDs) current in SPRS. These obligations extend to subcontractors, meaning contractors must flow down CMMC requirements throughout their supply chain to ensure compliance. 

To enforce these standards, the final rule makes CMMC certification a condition of award rather than just an evaluation factor. Additionally, CMMC clauses will now be integrated into DFARS solicitations and contracts, making compliance legally enforceable and central to eligibility for awards, option exercises, and extensions. 

As DFARS requirements continue to change, it is essential for both contractors and subcontractors to stay informed and aligned with these regulations. For guidance on the CMMC final rule and your compliance obligations, please reach out or complete the form below. 
