CMMC 2.0 is Here: What Business Leaders Need to Do Now
On September 10, 2025, the Department of Defense issued its final DFARS rule implementing the Cybersecurity Maturity Model Certification (CMMC) in contracts, with clauses beginning to appear in solicitations on November 10, 2025. This rule works in tandem with the CMMC Program Rule finalized in October 2024, which established the program’s framework at 32 C.F.R. part 170. Together, these rules make CMMC an award gate for work that involves Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Practically, solicitations will specify the required CMMC level, and contracting officers will verify your status in the Supplier Performance Risk System (SPRS). Level 1 must be fully implemented at the time of award. The 180-day Plans of Action and Milestones mechanism is available only for Levels 2 and 3 and only under defined conditions. The September rule also introduces CMMC unique identifiers (UIDs) for each contractor information system handling FCI or CUI, which must be recorded in SPRS.
Organizations that touch CUI will need Level 2 compliance. Do not assume a self-assessment will suffice at the time of a contract award. Agencies may require a third-party C3PAO assessment on a solicitation-by-solicitation basis, and certain estimates indicate that a substantial share of Level 2 work will require C3PAO certification. Scheduling the assessment, remediating gaps, and validating controls can take months, so late starts create real bid-readiness risk even during the phased rollout.
HOW GES CAN HELP
GES supports defense-sector firms in scoping, readiness, and audit preparation for CMMC Level 2. We can help you identify which business units and systems process FCI/CUI; develop and validate a System Security Plan and artifacts mapped to NIST SP 800-171; establish SPRS postings tied to the correct CMMC UIDs; and prepare for a C3PAO assessment. If your pipeline includes DoD opportunities after November 10, 2025, the most cost-effective step is to scope now and close priority gaps before solicitations land.
