Overview
This article is an update to McDermott Will & Schulte’s series on the US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. As DoD has now issued the final component of that program, the clock is ticking for the first CMMC clauses to appear in Federal contracts. This series has covered the different certification requirements of CMMC Levels 1, 2, and 3; the impact on contractors and external service providers; and recommended next steps. In this article, we provide an update on the Final DFARS Rule and discuss how the CMMC Program is expected to be implemented.
On September 10, 2025, DoD took the final regulatory step to implement the CMMC Program, issuing a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to include CMMC solicitation and contract clauses that will apply CMMC to individual procurements and contracts. Although there remain several questions that will need to be worked out as these clauses are applied in practice, the publication of the Final DFARS Rule represents a critical milestone for the CMMC Program.
Executive summary of the Final DFARS Rule
The Final DFARS Rule generally adopts the language of the Proposed Rule, which we previously discussed. The key aspects of the Final DFARS Rule, and of the CMMC Program as a whole, are that:
- The CMMC level specified in a particular solicitation and contract “is required for all information systems, used in the performance of the contract, that will process, store, or transmit” Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), as applicable.
- CMMC compliance is not merely a “point in time” inquiry but requires continuous reaffirmation throughout the contract, including prior to the exercise of any options.
- Prime contractors will be principally responsible for confirming that their subcontractors maintain the required CMMC level attestation or certification.
Eligibility for awards, option exercises, and extensions is now expressly conditioned on having current CMMC status, affirmations, and CMMC Unique Identifiers (UIDs) properly recorded in the Supplier Performance Risk System (SPRS). The Final DFARS Rule, however, clarifies that contractors at CMMC Levels 2 and 3 may operate under a conditional status for up to 180 days, with final status achieved upon successful closeout of a valid Plan of Action and Milestones (POA&M) (DFARS 204.7502(b)(2)). This clarification brings the DFARS into alignment with the CMMC Program rule published at 32 C.F.R. Part 170.
The Final DFARS Rule makes several notable and helpful changes to the Proposed Rule, including the removal of an ambiguous notice requirement for “lapses in information security.” Other changes requested by the Defense Industrial Base (DIB) were not adopted, such as requests that prime contractors be able to check the CMMC status of their subcontractors through SPRS. Instead, DoD insisted in the Final DFARS Rule that prime contractors remain responsible for the diligence they employ when selecting subcontractors, and DoD declined to give primes more time and flexibility to “trickle down” the CMMC requirements to their subcontractors. Of note, the Final DFARS Rule clarifies that subcontractors that only store, process, or transmit CUI or FCI on prime contractor systems, rather than on the subcontractor’s own systems, are not required to obtain a CMMC certification or self-assessment. Additionally, a variety of CMMC compliance solutions have emerged during the CMMC rulemaking process, including so-called “managed enclave” solutions that may be particularly attractive to smaller businesses or contractors for whom CMMC compliance on an enterprise scale may not be feasible. Contractors should be wary, however, of vendors promising 100% CMMC compliance and should understand the responsibilities they retain under the CMMC Program regardless of the technical solution they employ.
With phased implementation of CMMC commencing on November 10, 2025 (the effective date of the Final DFARS Rule), contractors should review the renewal dates of their existing DoD contracts and their pipeline of anticipated DoD opportunities for 2026 and beyond against the phased implementation plan discussed below and identify potential compliance deadlines. Contractors with an existing CMMC certification should be ready to move forward with new contracts. Those who have already performed a self-assessment of their compliance with CMMC requirements should review their plans to come into compliance with unmet requirements and prepare for a certification assessment in 2026, if not earlier. Those who have not performed a CMMC self-assessment should prepare to do so immediately. Finally, contractors who are not yet in a position to bring their systems into compliance should evaluate available so-called “managed enclave” solutions, and subcontractors should consider reaching out to prime contractors and asking to be provisioned on the prime’s CMMC certified/assessed system.
As CMMC’s phased implementation moves forward, some contractors and subcontractors will invariably recognize gaps in their security controls. Indeed, the purpose of CMMC is to verify compliance, either through independent third parties or through more structured, rigorous self-assessments. Contractors should remember that the CMMC cybersecurity controls map to the controls in National Institute of Standards and Technology (NIST) Special Publication 800-171, which contractors have long been required to implement under DFARS 252.204-7012 if they store, process, or transmit CUI under a contract containing that clause. As contractors identify gaps in their cybersecurity controls during the CMMC assessment and certification process, they should understand that those gaps may call into question their historical compliance with DFARS 252.204-7012. Given the Federal Government’s use of the False Claims Act (FCA) to police violations of that clause, contractors should seek legal guidance in resolving and reporting those gaps.
In Depth
The CMMC Program
As a reminder, the CMMC Model is a three-level structure, where the required CMMC level for each contract will be dictated by the requirements set forth in the prime contract. Please see McDermott Will & Schulte’s articles on each of the CMMC levels for more information.
CMMC Model 2.0

| Level | Requirements | Assessment |
|---|---|---|
| Level 3 | 134 requirements based on NIST SP 800-171 and NIST SP 800-172 | Triennial government-led assessment and annual affirmation |
| Level 2 | 110 requirements aligned with NIST SP 800-171 | Triennial third-party assessment and annual affirmation; triennial self-assessment and annual affirmation for select programs |
| Level 1 | 15 requirements | Annual self-assessment and annual affirmation |
The Final DFARS Rule applies CMMC Model 2.0 to individual procurements by amending DFARS Subpart 204.75 and the clauses prescribed therein. It prescribes a new solicitation provision at DFARS 252.204-7025, Notice of Cybersecurity Maturity Model Certification Level Requirements, which contracting officers will insert in solicitations to identify the CMMC level applicable to the contract that will result from the solicitation (90 Fed. Reg. 43570 (DFARS 204.7504(b) and 252.204-7025)). DFARS 252.204-7025 includes a fill-in for the contracting officer to specify the CMMC level and assessment type required for the solicitation. The Final DFARS Rule also revises the clause at DFARS 252.204-7021 to incorporate the CMMC requirements into contracts that involve handling FCI or CUI, including contracts for commercial products and services but excluding contracts solely for commercially available off-the-shelf (COTS) items. That clause has a similar fill-in.
Implementation schedule
The Final DFARS Rule adopts the phased rollout schedule of the Proposed Rule, which contemplates a four-phase implementation over a three-year period. Consistent with that approach, on November 10, 2025, DoD will begin Phase 1 by incorporating the solicitation provision and contract clause that apply CMMC Level 1 and Level 2 self-assessment requirements to individual contracts, so that contractors and subcontractors may store, process, or transmit FCI and CUI only on systems that have achieved the relevant CMMC level. Phase 2, beginning one year after Phase 1, will introduce Level 2 Certification requirements, followed by Level 3 Certification in Phase 3 one year later. During Phases 1 through 3, program managers may apply CMMC requirements at their discretion; in Phase 4, the clause becomes mandatory for all applicable contracts other than those limited to COTS acquisitions.
Applicability to contracts
The Final DFARS Rule emphasizes that the specified CMMC level “is required for all information systems, used in the performance of the contract, that will process, store, or transmit” FCI or CUI (id. at 43574–76 (DFARS 204.7502(a)(3), 204.7503(b))). Accordingly, the Final DFARS Rule verifies CMMC compliance at the time of award of a CMMC-covered contract or order and confirms compliance throughout the life of the contract or order. Contract award eligibility is therefore now expressly conditioned on having current CMMC status, affirmations, and UIDs properly recorded in SPRS.
As CMMC is phased into contracts, and for all non-COTS contracts three years after the rule becomes effective on November 10, 2025, contracting officers may not award a contract or order to an offeror that does not have a “current” CMMC certificate or self-assessment, as applicable, in SPRS at the CMMC level specified in the solicitation (90 Fed. Reg. 43575 (DFARS 204.7503(b))).
- For CMMC Level 1, a current self-assessment is one that is not older than one year, provided that there have been no changes in CMMC compliance since the date of the assessment (id. (DFARS 204.7501)).
- For CMMC Levels 2 and 3, a current certificate (or self-assessment, when applicable to Level 2) is one that is not older than three years, again provided that there have been no changes in CMMC compliance since the date of the certification or assessment (id.).
The Final DFARS Rule also requires a current “affirmation of continuous compliance” in SPRS with respect to each such information system prior to award (DFARS 204.7503(b)(1)(ii)). This is a reference to the affirmations required by 32 C.F.R. § 170.22. Affirmations are current if they are not older than one year and if there have been no changes in CMMC compliance since the affirmation (DFARS 204.7501). As we noted in our earlier review of the Proposed Rule, contractors must vet these representations carefully, as any inaccuracy or ambiguity could generate litigation risk under a variety of criminal and civil laws, including the FCA.
For existing contracts, the Final DFARS Rule also prohibits contracting officers from exercising options on contracts and orders without a current CMMC certificate or self-assessment, as applicable, and a current affirmation of continuous compliance (DFARS 204.7503(c), DFARS 204.7502(b)). The contractor must have a current CMMC certificate or self-assessment and a current affirmation of continuous compliance for each information system that processes, stores, or transmits FCI or CUI in performance of the contract (id. (DFARS 204.7503(c))).
Applicability to subcontractors
Consistent with the Proposed Rule, the Final DFARS Rule explicitly requires contractors to flow down the CMMC level and assessment type requirements to subcontractors. Prime contractors must flow down the DFARS clause to subcontractors and suppliers that store, process, or transmit FCI or CUI and, further, must ensure that any such subcontractors and suppliers have a current CMMC certificate or self-assessment, as applicable, and a current affirmation of continuous compliance for each subcontractor or supplier information system that handles FCI or CUI (DFARS 252.204-7021 (definition of “Current”)). Despite many requests following the Proposed Rule, DoD indicated, once again, that it does not intend to provide any mechanism for prime contractors to verify the CMMC status of subcontractors in SPRS. Instead, DoD suggests that prime contractors should independently validate the CMMC compliance of their subcontractors as they would with any other flow-down provision (id. at 43653).
DoD clarified in the Final DFARS Rule that a subcontractor that does not process, store, or transmit FCI or CUI on its own information systems during performance of the subcontract has no CMMC assessment requirement, including a subcontractor that uses the prime contractor’s systems to perform services under the contract (id. at 43563).
Terminology and other changes
In addition to the changes identified above, the Final DFARS Rule makes a few further changes from the Proposed Rule:
- In response to significant commentary from the DIB, DoD removed the proposed 72-hour notification requirement for “any lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels during the performance of the contract” (id. at 43561–62). Instead, DoD asserts that the existing cyber incident reporting requirement (DFARS 252.204-7012(c)) and the annual affirmation are sufficient.
- DoD considered requiring offerors to have the applicable CMMC certification or self-assessment at the time of proposal submission but determined that the requirement should instead apply at the time of award. The department expressed concern that imposing the requirement at the proposal stage might deprive offerors of sufficient time to complete the certification or assessment process for their first CMMC-covered contract.
- The Final DFARS Rule also updates some terminology to better align it with the Federal Acquisition Regulation (FAR), including the following:
  - DoD removed the term “data,” as it caused confusion and made the rule read more broadly than DoD intended. “Data” was replaced with FCI and CUI (id. at 43563).
  - DoD changed the official who signs off on CMMC assessments from “senior company official” to “affirming official,” to avoid confusion over whether a given person is senior enough to qualify as a “senior company official” (id. at 43567).
  - The Final DFARS Rule refines and adds key definitions, including “current,” “CMMC unique identifier,” “Federal contract information,” “plan of action and milestones,” and “CMMC status,” to align terminology with 32 C.F.R. Part 170 and provide clarity for contractors and contracting officers (id.).
Takeaways and recommendations: The best time to obtain CMMC certification was last week. The second-best time is now.
As we have written in the past, the key aspects of the Final DFARS Rule, and of the CMMC Program as a whole, are that:
- The CMMC level specified in a particular solicitation and contract “is required for all information systems, used in the performance of the contract, that will process, store, or transmit” FCI or CUI, as applicable.
- CMMC compliance is not merely a “point in time” inquiry but requires continuous reaffirmation throughout the contract, including prior to the exercise of any options (DFARS 252.204-7021 (definition of “Current”)).
As we approach the fourth quarter of 2025, contractors should review the renewal dates of their existing DoD contracts and their pipeline of anticipated DoD opportunities for 2026 and beyond against the phased implementation plan discussed in this article and identify potential compliance deadlines. Contractors with an existing CMMC certification should be ready to move forward with new contracts. Those who have already performed a self-assessment of their compliance with CMMC requirements should review their plans to come into compliance with unmet requirements and prepare for a certification assessment in 2026 – if not earlier. Those who have not performed a CMMC self-assessment should prepare to do so as soon as possible.
Next steps for contractors include the following:
- Identify the appropriate CMMC level for all upcoming Federal contract renewals.
  - As stated above, the requirements will be phased in over the next three years. Contractors should review their contracts now to determine how quickly they will be required to complete assessments or certifications and should roadmap those requirements in advance of renewal, especially where the requirements will apply to subcontractors.
- Complete the appropriate level of CMMC assessment or certification.
  - Delay may cost a business its eligibility for DoD awards, option exercises, and extensions once CMMC requirements appear in the relevant solicitations and contracts.
- Consider and evaluate a variety of technical solutions to CMMC compliance, including third-party “managed enclave” solutions; however, carefully assess the extent to which those solutions can deliver CMMC compliance and understand (A) how the solution will need to be implemented in your business to leverage its cybersecurity capabilities for your CMMC compliance and (B) what CMMC obligations remain yours. If you are a subcontractor for whom CMMC compliance may not be immediately feasible, consider reaching out to your prime contractors or other subcontractors with CMMC-compliant systems and asking for access to work on those systems.
- Contractors that identify gaps in their security controls in the course of the CMMC assessment or certification process should evaluate the extent to which those gaps reflect historical noncompliance. The CMMC cybersecurity controls map to the controls in NIST Special Publication 800-171, which contractors have long been required to implement under DFARS 252.204-7012 if they store, process, or transmit CUI under a contract containing that clause. Given the Federal Government’s use of the FCA to police violations of that clause, contractors should seek legal guidance in resolving and reporting identified gaps that may call into question their historical compliance.
- Incorporate CMMC questions and evidence requests into vendor due diligence questionnaires.
  - When onboarding new vendors, it is critical to understand whether they will use their own systems to process FCI or CUI and, if so, what their CMMC status is. Having this information at onboarding helps avoid disruption once the DoD project begins.
- Prime contractors: Review and update vendor contracts to protect the prime against a subcontractor losing its CMMC status.
  - Carefully evaluate breach, termination, indemnification, and insurance provisions to ensure adequate remedies if a subcontractor loses its CMMC certification, experiences a cybersecurity incident, or otherwise causes a work disruption related to CMMC compliance.