9 Insights From The Latest CMMC News And DoD Announcements


The waiting game for defense contractors is over at last. The Department of Defense (DoD) issued the final rule for the Cybersecurity Maturity Model Certification (CMMC) last month. This action locks in the largest change in defense industry cybersecurity requirements in years. It represents a significant shift from self-attestation to an auditable compliance model. Do you know how this rule affects your current contract base?

Defense Industrial Base (DIB) companies must prepare for radical changes in contract eligibility. The new regulations define a three-tier framework, a clear-cut four-stage deployment schedule, and reporting obligations.

Check out these nine insights from the CMMC news that affect primes and sub-primes.

1. Final Rule Posted

DoD released the final rule for CMMC on September 10, 2025. The release in the Federal Register immediately set forth the timelines for implementation across the DIB. It formally established the statutory basis for the CMMC program within the defense acquisition system.

The effective date of the new Defense Federal Acquisition Regulation Supplement (DFARS) rule has now been officially set for November 10, 2025. That date marks the beginning of Phase 1 of the implementation plan. From that date on, contracting officers are legally permitted to add the CMMC clause to new contracts and solicitations. This CMMC news finally makes the need to prepare a certainty for all organizations handling sensitive defense information.

2. DFARS Rule Updates

The new rule adds contract terms that require compliance. Specifically, the DFARS 252.204-7021 clause sets out the minimum responsibilities of every contractor. It requires you to hold and maintain an active CMMC status at the level applicable to you. You must ensure that all information systems that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) meet the specified security standards.

3. Four-Phase Rollout

The DoD adopted a conservative four-phase rollout strategy for the program’s implementation. Phase 1 initiates the process on the effective date of November 10, 2025. For new contracts, CMMC clause inclusion remains optional in the first year. The transition takes three years, and Phase 4 begins on November 10, 2028. Implementation will be complete on that last date, and CMMC will be an official requirement for nearly all applicable DoD contracts.

4. FCI/CUI Handling

The CMMC level that applies depends directly on the kind of unclassified information you work with. Contracts that involve processing Federal Contract Information (FCI) trigger the lowest compliance level. Contractors need to evaluate their data flows closely to determine the CMMC level they need.

Only Commercial Off-The-Shelf (COTS) products remain exempt from CMMC mandates, which provides some relief for suppliers that deliver only standard commercial products and have no access to sensitive government data. Remember that any contract change that introduces CUI or FCI also introduces the CMMC requirement. Contractors must continue to review the data requirements of every contract and subcontract.

5. Three CMMC Levels

The CMMC program uses three security maturity levels to protect defense information. Level 1 involves annual self-certification for protecting FCI. Level 2 covers the protection of CUI and requires adherence to all 110 controls of NIST SP 800-171. Level 3 is used for the highest-value CUI and adds 24 more controls from NIST SP 800-172.

6. Conditional Status POA&M

Near-compliant companies can also qualify for contract consideration temporarily. The rule provides a Conditional CMMC Status for organizations seeking Level 2 or Level 3 certification. You get this status if you achieve a minimum score in an assessment and record the remaining shortfalls.

These identified shortfalls must be documented in a Plan of Action & Milestones (POA&M). The firm has 180 days to resolve all POA&M items. If the POA&M is not closed within this half-year deadline, the Conditional Status lapses.

7. UID Reporting SPRS

Contractors must report their assessment results to the Department of Defense. Every conforming system used for sensitive contract work must have a unique identifier. Organizations must generate and record this CMMC Unique Identifier (UID) in the Supplier Performance Risk System (SPRS). Contracting officers use SPRS to verify a company’s CMMC status before making an award decision.

8. Annual Compliance Affirmation

The DoD requires organizations to remain compliant throughout the life of the contract. A senior executive at your firm must electronically verify this status each year in SPRS. The annual affirmation formally asserts continuous compliance with the required CMMC level. Organizations must have internal procedures in place to track and manage this yearly requirement.

9. Subcontractor Flowdown Required

Prime contractors now have a direct responsibility for the security posture of their entire supply base. They must formally pass down the appropriate CMMC requirements to their subcontractors. This is a serious liability because one rogue subcontractor can disqualify the prime contractor.

Primes must take proactive measures to confirm that every subcontractor has a current CMMC status in SPRS before entering into a subcontract. This confirmation ensures that the level of security matches the sensitivity of the information exchanged. Prime contractors also need to ensure their subcontractors perform their mandatory annual compliance affirmations.

The Bottom Line

The CMMC program is up and running and demands a robust, attributable level of security throughout the DIB. The phased rollout is underway now, and the effective date of November 10, 2025, means that CMMC requirements are being inserted into solicitations today. Your ability to compete for DoD contracts depends on reaching and maintaining the relevant CMMC level, registering your status in SPRS, and ensuring your whole supply base does the same.
