Last week marked an important milestone in the Cybersecurity Maturity Model Certification 2.0 (CMMC) program, the U.S. Department of Defense (DoD) program intended to ensure the security of sensitive DoD information in contractor information systems, as DoD issued the contract clause that will make CMMC compliance a prerequisite for contract award beginning in as soon as two months. Last year, DoD finalized the technical requirements of the CMMC program, codifying the requirements at 32 C.F.R. Part 170. Those regulations formally established the CMMC program and the CMMC Assessment and Certification Ecosystem, but they did not provide the mechanism by which DoD contracting officers would enforce compliance with the CMMC program in DoD contracts. The September 10, 2025, final rule (the “CMMC Contracting Rule”) filled that gap and allows DoD to start using CMMC compliance as a condition of eligibility to receive a contract award, beginning November 10, 2025.
This article first provides a refresher on the CMMC program, then identifies some key takeaways for defense contractors and subcontractors from the CMMC Contracting Rule, and finally recommends some action items for enhancing your organization’s CMMC readiness posture as the program begins rolling out into defense contracts over the coming months and years.
What Is CMMC, Again?
CMMC is the DoD’s mechanism for verifying defense contractors are compliant with its pre-existing cybersecurity requirements. CMMC has undergone several delays and reforms since it was originally announced in 2019, but is seen as key to fortifying security across the defense industrial base (DIB) and ensuring contractors are safeguarding DoD data at a time when cyberattacks are increasing in frequency and complexity.
At a high level, the CMMC program requires defense contractors to meet cybersecurity benchmarks based on the sensitivity of the information they handle and provide annual attestations of compliance. The model includes the following three certification levels, ranging from basic protections for Federal Contract Information (FCI) to more stringent requirements for controlled unclassified information (CUI):
- Level 1 includes contracts with FCI only and requires compliance with the 15 security controls currently enumerated in Federal Acquisition Regulation (FAR) clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. Level 1 compliance requires a self-assessment, which must be conducted annually and an annual affirmation of compliance.
- Level 2 includes contracts with CUI and requires compliance with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Rev. 2. Depending upon the type of CUI processed, stored, or transmitted by contractors on their information systems, some contractors subject to a CMMC Level 2 requirement will be able to carry out an annual self-assessment, while others will need a verification check done by a certified third-party assessor organization (C3PAO). Level 2 compliance attestations, whether by self-assessment or C3PAO certification, are required every 3 years.
- Level 3 is a more stringent level of security that will be required for contracts involving CUI that the DoD concludes is especially sensitive. Contractors seeking to obtain CMMC Level 3 contracts will have to comply with the 110 security controls in NIST SP 800-171, Rev. 2, as well as the 24 additional controls in NIST SP 800-172. After obtaining the Level 2 C3PAO certification, contractors seeking to obtain a CMMC Level 3 certification will then need to obtain a certification from the Defense Contract Management Agency’s (DCMA) DIB Cybersecurity Assessment Center (DIBCAC). This Level 3 DIBCAC assessment must be conducted every three years to maintain CMMC Level 3 (DIBCAC) status.
Key Takeaways for Contractors from the CMMC Contracting Rule
1) CMMC Requirements Can Start Appearing in DoD Solicitations and Contracts in Less Than Two Months
The CMMC Contracting Rule gives DoD the discretion to begin including the CMMC Contract Clause in solicitations, and thereby make CMMC compliance a condition of contract award, as soon as November 10, 2025.
2) What to Expect During DoD’s Phased Rollout of CMMC
The CMMC Contracting Rule references the phased implementation of the CMMC requirements as set forth at 32 C.F.R. § 170.3. That regulation announced DoD’s intention to implement CMMC in 4 phases over the course of the next three years.
- Phase 1: Beginning on November 10, 2025, applicable solicitations and contracts will require CMMC Level 1 (Self) or Level 2 (Self) as a condition of contract award. DoD also has discretion to require CMMC Level 1 (Self) or Level 2 (Self) for options exercised after November 10, 2025, on contracts issued prior to November 10, 2025, as well as to include CMMC Level 2 (C3PAO) instead of Level 2 (Self) for some procurements.
- Phase 2: Beginning on November 10, 2026, applicable solicitations and contracts will require CMMC Level 2 C3PAO assessments as a condition of contract award. DoD will have discretion to delay the inclusion of CMMC Level 2 (C3PAO) to an option period instead of as a condition of contract award. DoD will also have discretion to include the requirement for CMMC Level 3 (DIBCAC) for some procurements.
- Phase 3: Beginning on November 10, 2027, applicable solicitations and contracts will require CMMC Level 2 (C3PAO) assessments as a condition of contract award and as a condition to DoD exercising an option period on a contract awarded after November 10, 2025. DoD will also include the requirement for CMMC Level 3 (C3PAO) as a condition of contract award for applicable solicitations and contracts. DoD will have discretion to delay the requirement for CMMC Level 3 (C3PAO) to an option period instead of as a condition to contract award.
- Phase 4: Beginning on November 10, 2028, CMMC requirements will be included in all applicable DoD solicitations and contracts and in option periods on contracts awarded prior to November 10, 2028.
3) Which DoD Contracts are Impacted?
When the CMMC Contracting Rule takes effect on November 10, 2025, if the program office or requiring activity determines that a contractor is required to have a specific CMMC level, contracting officers can begin inserting in solicitations and contracts DFARS clause 252.204-7021 and specify the required CMMC level for the procurement in DFARS clause 252.204-7025. This includes solicitations and contracts for commercial products and commercial services and contracts of all values.
The only exception provided in the Final Rule is that DFARS clause 252.204-7021 does not apply to solicitations and contracts solely for the acquisition of commercially available off-the-shelf (COTS) items. COTS items are items of supply that are: (i) sold in substantial quantities in the commercial marketplace; and (ii) offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace. As a result, any type of product modification, even if such modification is of a type that is standard in the commercial marketplace, would render the product a non-COTS item and potentially subject the contract to CMMC compliance requirements.
Moreover, contracting officers have discretion to bilaterally modify existing contracts awarded prior to November 10, 2025, to include DFARS 252.204-7021 “based on DoD’s needs.” Contractors should carefully review such modifications and ensure compliance prior to accepting the DFARS clause in their contract.
On and after November 10, 2028, DoD must include DFARS clause 252.204-7021 in solicitations and contracts, other than contracts solely for COTS items, if the “program office or requiring activity determines that the contractor is required to use contractor information systems in the performance of the contract, task order, or delivery order to process, store, or transmit FCI or CUI.” As a result, on and after November 10, 2028, essentially every DoD solicitation and contract, other than those solely for COTS items, will require some level of CMMC compliance.
4) No CMMC, No Contract
Prior to awarding a contract to a successful offeror, the DoD must verify that an offeror has the required CMMC level status in SPRS prior to awarding the contract to such offeror. In other words, the Final Rule provides an enforcement gateway that enables contracting officers to require certification (or self-attestation, depending on level) as a condition of contract eligibility. This is a significant operational pivot—shifting CMMC from policy to procurement, by authorizing use of the CMMC DFARS clause in DoD solicitations and contracts and requiring CMMC compliance as a condition to contract award.
5) “Conditional” CMMC Status Can Provide a Temporary (Repeat, Temporary) Reprieve for Contractors With Some Cybersecurity Work Still to Do
Importantly, the CMMC Contracting Rule provides some measure of flexibility by permitting award to a contractor holding a “conditional” CMMC Level 2 and Level 3 status, if the conditional status period is less than 180 days. To convert a “conditional” Level 2 or Level 3 status to a final CMMC status, the contractor must successfully close out its Plan of Action and Milestones (POA&M) for the requirements not yet met. Because “conditional” status is only acceptable for 180 days, the contractor must ensure it remediates any requirements not met within 180 days of the conditional approval. The CMMC regulations identify certain physical security requirements that must be met for conditional approval, and such requirements cannot be part of a POA&M.
If the contractor does not perform the required remediation within the 180-day window, the conditional CMMC status will expire, and the DoD can exercise standard contractual remedies, including termination of the contract. Further, the contractor will not be eligible for additional contracts with the CMMC requirement until the contractor achieves the requisite CMMC level status.
6) Flow Down Considerations and Implementation of Processes to Verify Subcontractor CMMC Status
The CMMC contract clause, DFARS 252.204-7021, must be included by prime contractors and higher-tiered subcontractors in subcontracts that contain a requirement to process, store, or transmit FCI or CUI. This puts the onus on higher-tier contractors to assess what types of information their subcontractors will need to process, store, and transmit, to determine whether CMMC requirements must be flowed down, and what level of CMMC compliance will apply to the subcontractor. Prior to awarding a subcontract subject to a CMMC requirement (other than subcontracts solely for COTS items), the prime contractor or higher-tiered subcontractor is responsible for confirming that the subcontractor has a current CMMC self-assessment or certificate to the required CMMC level. Unfortunately, only DoD currently has access to SPRS (the system in which businesses will report their CMMC status), so higher-tier contractors will need to determine what documentation they will require from subcontractors (for example, certifications or SPRS screenshots) to verify the subcontractor’s compliance.
7) Key Changes from the Proposed Rule to the Final Rule
The proposed rule contained a requirement for contractors to notify the contracting office within 72 hours “when there are any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract.” The proposed rule did not define precisely what DoD meant by “lapses in information security.” Recognizing the difficulty in complying with this requirement and determining that the DFARS clause already includes sufficient safeguards in the definition of “current” CMMC status, the annual affirmation requirement, and the reporting of cyber incidents within 72 hours, DoD removed the requirement for contractors to report “lapses in information security” or changes in compliance with 32 CFR Part 170 from the final CMMC contract clause. For a CMMC status to be “current”, there must be no changes in compliance with the requirements in 32 CFR Part 170 since the CMMC status date.
Recommended Action Items for Contractors to Prepare for Contractual CMMC Requirements
Preparing for CMMC compliance necessitates strategic planning and commitment. Here are key actionable steps for defense contractors to take to ensure continued DoD contract eligibility:
- Identify all the information systems that you would use to store, process, or transmit FCI or CUI during the performance of your DoD contracts and subcontracts, as well as the type of information that is stored, processed, or transmitted through each system. You can then assess which CMMC level requirements will apply to each of those identified contractor information systems and evaluate whether those information systems meet the security requirements for that level.
- Ensure that changes to IT infrastructure and security controls are planned and vetted well in advance, to avoid allegations that a change in that infrastructure or those security controls put the contractor out of compliance with the applicable CMMC requirements. A senior company official is responsible for submitting affirmations of “continuous compliance” with CMMC requirements on at least an annual basis. Changes such as dropping certain security controls or beginning to share FCI or CUI on an information system for which the contractor does not have a “current” CMMC certificate or assessment could give rise to allegations that the contractor’s affirmation of continuous compliance is no longer accurate.
- Continue to keep your System Security Plan (SSP) current and close out unmet requirements in your POA&M. Confirm that NIST requirements that must be met to achieve a conditional CMMC status have been met.
- Start planning for monitoring and enforcing CMMC compliance in your own subcontractors and suppliers. Begin categorizing the level of CMMC compliance you expect each subcontractor will need to achieve for the work they perform. Communicate with the subcontractors and suppliers you currently use, or anticipate possibly using in the future, to perform DoD contracts to assess where those subcontractors/suppliers stand in implementing the security controls required you anticipate they will need once CMMC goes “live.” Consider how you will require subcontractors or suppliers to certify or otherwise document that they have the current CMMC Level certification or assessment required and how you will work those requirements into your subcontract terms and conditions.
- If a third-party assessment is required, schedule it well in advance. There is a limited number of approved C3PAOs, and getting on their schedule sooner rather than later will ensure a timely assessment prior to the issuance of a solicitation requiring such assessment and certification.
- Continue to timely report cyber incidents within 72 hours.
结论
As we approach the November 10, 2025, effective date of Phase 1 of the CMMC rollout, defense contractors face a transformative moment in cybersecurity compliance. Foley takes a multidisciplinary approach to CMMC compliance by providing clients end-to-end advice to help secure their contract eligibility and maintain a secure defense ecosystem – from recommending the best proactive strategic steps for compliance, reviewing defense contract requirements, managing and coordinating the compliance project, hiring and overseeing IT firms, reviewing SSPs and POA&Ms, to handling cybersecurity incidents.
Should you have any questions about the Final Rule or the CMMC requirements, please contact Jen Urban, Erin Toomey, Frank Murray, or Samuel Goldstick.
