
Department of Defense Issues Final Rule Implementing Contractual Requirements Related to Cybersecurity

Client Alerts | September 23, 2025

The U.S. Department of Defense (DOD) issued a final rule this month that fundamentally changes eligibility for DOD procurement by tying contract awards directly to cybersecurity readiness. The rule amends the Defense Federal Acquisition Regulation Supplement to formally implement Cybersecurity Maturity Model Certification (CMMC) program requirements for DOD solicitations and contracts. This rule also serves as a framework for similar rulemaking by other branches that contract with the private sector. 

While there is already an active backdrop of federal cybersecurity rules, regulations, standards, revisions, enforcement efforts, orders and more that may have jaded contractors and subcontractors, this rule comes with additional teeth. Contractors will soon no longer be eligible to receive awards for a large number of DOD contracts unless they can demonstrate compliance with these cybersecurity requirements.

The rule, together with the CMMC program, is intended to help the DOD assess contractor implementation of existing cybersecurity requirements for the protection of sensitive federal contract information and controlled unclassified information throughout the DOD supply chain. The rule is effective November 10, 2025, and its requirements will be phased in over three years.  

Key Requirements Under the Rule

CMMC Levels. Compliance with the rule and the CMMC program is now a contractual requirement for awards involving information systems used in performance of the contract, task order, or delivery order that process, store, or transmit federal contract information and controlled unclassified information. The rule requires DOD contracts and solicitations to specify one of three CMMC levels, each corresponding with the sensitivity of the information the contractor’s systems will process, transmit, or store. (Contractors will be put on notice of the applicable CMMC requirements through the Defense Federal Acquisition Regulation Supplement (DFARS) solicitation provision DFARS 252.204-7025, and contract clause DFARS 252.204-7021.) 

  • CMMC Level 1 (Self) - This level applies to systems that handle only federal contract information, without controlled unclassified information. It requires an annual self-assessment as well as an annual affirmation of compliance with the 15 security requirements in Federal Acquisition Regulation clause 52.204-21.
  • CMMC Level 2 (Self or Third Party) - Level 2 applies to systems that handle controlled unclassified information. It requires, every three years, either a self-assessment or an assessment by a certified third-party assessment organization, depending on the requirements of the solicitation. It also requires an annual affirmation of compliance with the 110 security requirements from the National Institute of Standards and Technology (NIST).
  • CMMC Level 3 (DIBCAC) - Level 3 requires an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and an annual affirmation verifying compliance with the 110 NIST controls referenced above, plus an additional 24 requirements.

Going forward, DOD solicitations will provide that an offeror is ineligible for award if it does not have both:

  • Its current CMMC status recorded in the Supplier Performance Risk System at the level required by the solicitation.
  • An affirmation of continuous compliance with applicable security requirements for each contractor information system that will process, use, store, or transmit federal contract information and controlled unclassified information in performance of the contract.

In addition, the rule requires contractors to keep the required CMMC level throughout the life of the contract. Solicitations will also require that offerors include with their proposals the CMMC unique identifier for each of their contractor information systems. 

Supply Chain. The CMMC requirements for prime contractors also extend to subcontractors that handle federal contract information and controlled unclassified information. Prime contractors must “flow down” the applicable CMMC requirements and verify that subcontractors meet the required level before awarding a subcontract. Primes are prohibited from sharing federal contract information and controlled unclassified information with subcontractors that are not compliant with the appropriate CMMC level. Subcontractors, in turn, must flow down the applicable CMMC requirements to their own suppliers and verify their compliance in the same manner.

Implementation Schedule. To make compliance less burdensome for contractors, the rule will be phased in over a three-year implementation period. During the first three years, these CMMC requirements will be imposed only when required by the solicitation or contract, as determined by program offices. After the fourth year, all DOD contracts and solicitations will be subject to these CMMC requirements, with the exception of those for commercially available off-the-shelf items.

Conditional CMMC Status. The rule introduces a two-step compliance track, giving contractors time to achieve full compliance without losing contract opportunities. For CMMC levels 2 and 3 only, a contractor may be awarded conditional CMMC status for 180 days as it resolves all open items in its plan of action and milestones in order to achieve final CMMC status. Final CMMC status is achieved once a contractor has successfully closed all required milestones and demonstrated full compliance with requirements applicable to the contractor’s CMMC level.

Next Steps & Final Takeaways for Contractors & Subcontractors

CMMC compliance is now a contractual prerequisite to federal procurement contract awards, and contractors without the required certification levels will be ineligible to receive contracts.

Contractors should prepare for the rule to take effect by:

  • Determining the applicable CMMC level for each information system, based on the type of information it processes, stores, or transmits.
  • Identifying subcontractors and suppliers in the supply chain and developing a plan to verify their compliance before the rule takes effect.
  • Preparing for required certifications and, if necessary, planning to pursue conditional status to remain eligible for award while completing full compliance.

Contractor & Subcontractor Pointers:

  • Monitor solicitations as well as new contracts and subcontracts carefully for inclusion of the new CMMC requirement.
  • Monitor existing contracts and subcontracts carefully, as existing contracts can be amended to include the new requirement.
  • With or without the new rule or CMMC program, contractors are still obligated to comply with the underlying cybersecurity rules, such as DFARS 252.204-7012.
  • Contractors and subcontractors must take care to represent compliance accurately or they risk serious and costly consequences, such as liability for false claims and other penalties.
  • Contractors and subcontractors should ensure that their technology leadership has appropriate authority to pursue and implement necessary federal compliance requirements.

For more information, please contact us or your regular Parker Poe contact.