The Department of Defense has officially issued the Final DFARS Rule implementing the Cybersecurity Maturity Model Certification (CMMC), making cybersecurity compliance a contractual requirement across the Defense Industrial Base.
Effective Date: approximately November 9, 2025
Full Implementation: by November 10, 2028, all DoD contracts that involve handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must comply with CMMC.
Key Takeaways
- CMMC is now a mandatory contract requirement: no certification, no award.
- Three levels of certification:
  - Level 1: self-assessment for FCI.
  - Level 2: self-assessment or third-party (C3PAO) assessment for CUI.
  - Level 3: DIBCAC (DoD-led) assessment for high-security environments.
- Annual affirmation of compliance must be recorded in SPRS by an authorized official.
- Conditional certifications (with 180-day POA&Ms) are permitted for Level 2 and Level 3.
- Subcontractors must hold a matching CMMC level before they handle the data.
What To Do Now
- Identify the systems that manage FCI/CUI and ensure they are listed in SPRS.
- Plan for third-party assessments if Level 2 applies to your contracts.
- Establish annual affirmation workflows and the supporting documentation.
- Require subcontractors to demonstrate CMMC readiness before any data exchange.
Keywords: CMMC Final Rule 2025, DFARS 2019-D041, DoD cybersecurity compliance, CMMC certification, DIBCAC, SPRS, government contractor cybersecurity, defense industrial base security