DOD Contractors: CMMC Phase 1 starts November 10, 2025
The Department of Defense (DoD) has issued its highly anticipated final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements for the Cybersecurity Maturity Model Certification (CMMC) Program. When the DFARS CMMC clause is included in a solicitation, prospective offerors will not be eligible unless they have reported to DoD, via the Supplier Performance Risk System (SPRS), their CMMC compliance status for the IT systems that process, store, or transmit (or will process, store, or transmit) Federal Contract Information (FCI) or Controlled Unclassified Information (CUI); that report is an action subject to the False Claims Act. This final rule sets into motion the four-phase implementation schedule laid out in the CMMC Program Rule and summarized below.
What does the CMMC require?
The CMMC Program crystallizes the assessment and attestation processes for contractors to confirm compliance with largely established cybersecurity requirements. As part of the CMMC program, contractors who process FCI or CUI on their IT Systems must:
- Conduct a self-assessment or undergo an assessment to meet one of three levels of cybersecurity requirements (see below),
- Complete an annual affirmation of (continued) compliance with the applicable level of cybersecurity requirements in DoD’s Supplier Performance Risk System (SPRS), and
- Flow down CMMC requirements to subcontractors, as necessary.
The CMMC’s three levels of cybersecurity standards incorporate security requirements from existing regulations and guidelines as described below.
| Level | Requirements | Assessment and Affirmation Frequency |
| --- | --- | --- |
| Level 1: Basic Safeguarding of FCI | 15 security requirements in FAR 52.204-21 | Annual self-assessment entered in SPRS and affirmed each year thereafter by affirming official |
| Level 2: Broad Protection of CUI | 110 security requirements in NIST SP 800-171 Revision 2 | Every 3 years, either: (i) a self-assessment entered into SPRS and affirmed each year thereafter by affirming official; or (ii) an assessment by a CMMC Third-Party Assessor Organization (C3PAO) entered into CMMC Enterprise Mission Assurance Support Service (eMASS) and affirmed each year thereafter by affirming official |
| Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats | 110 security requirements in NIST SP 800-171 Revision 2 AND 24 identified requirements from NIST SP 800-172 | Every 3 years, a Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment entered into eMASS and affirmed each year thereafter by affirming official |
How does the final rule amend the DFARS?
The final rule amends the DFARS to include solicitation (through DFARS 252.204-7025) and contractual (through DFARS 252.204-7021) requirements. Prior to award, exercise of an option, or extension of any period of performance, the offeror or contractor, as the case may be, must (1) post the results of a CMMC Level 1 or Level 2 self-assessment to SPRS and (2) identify the contractor information systems that will be used to process, store, or transmit FCI or CUI in performance of the contract. Additionally, a contractor must maintain the required CMMC status for the life of the contract and, through its “affirming official,” annually complete an affirmation of continuous compliance with the specified security requirements in SPRS for each identified contractor information system that processes, stores, or transmits FCI or CUI in the performance of the contract.
What is the four-phase implementation schedule?
CMMC Program requirements will be implemented in four distinct phases, each keyed off the publication date of the final rule (September 10, 2025), as follows.
| Phase | Effective Date | Requirements |
| --- | --- | --- |
| Phase 1 | November 10, 2025 (60 days from publication of final rule) | Level 1 and Level 2 self-assessment required for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, include (1) the Level 1 and Level 2 self-assessment requirement for applicable DoD solicitations and contracts awarded prior to the effective date; or (2) the Level 2 (C3PAO) requirement in place of Level 2 (Self) for applicable DoD solicitations and contracts. |
| Phase 2 | November 10, 2026 | Phase 1 requirements, plus DoD intends to include Level 2 (C3PAO) requirements for applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of the Level 2 (C3PAO) requirement to an option period instead of as a condition of contract award. DoD may also, at its discretion, include the requirement for CMMC Status of Level 3 (DIBCAC) for applicable DoD solicitations and contracts. |
| Phase 3 | November 10, 2027 | In addition to Phase 1 and 2 requirements, DoD intends to include the requirements for (1) Level 2 (C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after the effective date and (2) Level 3 (DIBCAC) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of the Level 3 (DIBCAC) requirement to an option period instead of as a condition of contract award. |
| Phase 4 | November 10, 2028 | DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4. |
The CMMC Program requirements will not be included in contracts for commercially available off-the-shelf products or those which do not require contractors to process FCI or CUI.
What does the final rule mean for DoD Contractors with CMMC requirements?
- If you haven’t done so already, assess (1) compliance with applicable security standard(s) for all IT systems that process FCI or CUI and (2) readiness of subcontractors with flow-down CMMC obligations.
- Post self-assessment and affirmation in SPRS for each information system used to process FCI or CUI.
- Implement processes and procedures for maintaining compliance and making timely updates in SPRS.
The opinions expressed herein are solely those of the authors. This article does not constitute legal advice. For legal advice for your situation, you should contact an attorney.