Pentagon Issues Cybersecurity Maturity Model Certification Requirements for Defense Contractors
On September 10, 2025, the US Department of Defense (Department of War; see https://www.whitehouse.gov/presidential-actions/2025/09/restoring-the-united-states-department-of-war/) published a Final Rule in the Federal Register amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate Cybersecurity Maturity Model Certification (CMMC) program requirements into DOD contracts beginning on November 10, 2025. The Final Rule implements the requirements of the CMMC program, which DOD established on October 15, 2024, and which became effective on December 16, 2024.
What Are the CMMC Requirements?
The CMMC program requires defense contractors and subcontractors to implement cybersecurity standards for their information systems that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), undergo and report the results of assessments, and submit compliance affirmations to qualify for DOD contract awards. Specific CMMC requirements vary based on the CMMC level, which is assigned by DOD program managers or requiring activities (i.e., the DOD organization that requests an acquisition to fill a requirement) — and not contracting officers — according to the type and sensitivity of the information involved in the procurement. Contractors handling only FCI are assigned a lower CMMC level and are subject to fewer requirements than contractors handling CUI.
The CMMC program has three levels. At each level, a designated senior-level representative of the contractor must affirm continuous compliance with that level’s requirements annually, and again upon completion of any applicable plan of action and milestones (POA&M) closeout.
Level 1
Level 1 requirements apply to defense contractors handling only FCI. Level 1 requires contractors to conduct annual self-assessments against the 15 security requirements in Federal Acquisition Regulation 52.204-21 and report the results in the Supplier Performance Risk System (SPRS). A POA&M documenting unmet requirements and the contractor’s plan to meet such requirements is not permitted under Level 1. DOD estimates that 62% of defense contractors will be subject to Level 1 requirements.
Level 2
Level 2 (Self) and Level 2 (C3PAO) requirements apply to defense contractors that process, store, or transmit CUI. Level 2 (Self) requires contractors to perform a self-assessment, while Level 2 (C3PAO) requires a third-party assessment performed by a Certified Third-Party Assessment Organization (C3PAO). Both are performed against the 110 security requirements in NIST SP 800-171 Revision 2.
Under Level 2 (Self), contractors must post their CMMC self-assessment scores in SPRS, while C3PAOs will enter Level 2 (C3PAO) assessment results into the CMMC Enterprise Mission Assurance Support Service (eMASS), which automatically transmits the results to SPRS.
While Level 2 assessments must be performed every three years, contractors must provide an affirmation of continuous compliance annually. Solicitations and contracts will specify whether a self-assessment or C3PAO assessment is required, with most requiring C3PAO assessments. A C3PAO assessment will be required for contracts that involve information covered by the CUI categories from the DOD CUI Program Organizational Index.
Contractors that have not met all requirements may achieve conditional Level 2 status if they meet certain of those requirements, document unmet requirements in a POA&M, and complete a close-out assessment within 180 days of the conditional status date confirming they meet all requirements. DOD estimates that 2% of defense contractors will be subject to Level 2 self-assessment requirements and 35% will be subject to Level 2 C3PAO assessment requirements.
Level 3
Level 3 imposes the most extensive requirements and applies to defense contractors that process, store, or transmit the most sensitive CUI, which requires a higher level of protection against advanced persistent threats. Level 3 requires contractors to satisfy all Level 2 requirements plus 24 selected requirements from NIST SP 800-172.
Contractors subject to Level 3 requirements must undergo an assessment by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years. DIBCAC assessment results will be entered into the CMMC eMASS and automatically transmitted to SPRS.
Contractors that have not met all security requirements may achieve conditional Level 3 status if they meet certain of those requirements, document unmet requirements in a POA&M, and complete a close-out assessment within 180 days of the conditional status date confirming they meet all requirements. DOD estimates that 1% of defense contractors will be subject to Level 3 requirements.
Under the Final Rule, DOD will not award a task order or delivery order under existing Indefinite Delivery Contracts (IDCs) unless the contractor has a current CMMC status at the level required by the task or delivery order. While CMMC requirements will not apply to commercial off-the-shelf (COTS) items, they will apply to commercial products and services, including contracts below the simplified acquisition threshold.
CMMC’s Four-Phase Rollout
DOD will roll out the CMMC program in four phases over the next three years:
- Phase 1 will begin on November 10, 2025. During this phase, DOD will begin including DFARS 252.204-7025 in solicitations and an updated version of DFARS 252.204-7021 in contracts, delivery orders, and task orders for those subject to CMMC Level 1 or Level 2 requirements. Those DFARS provisions will specify the applicable CMMC level and, for Level 2, whether a self-assessment or C3PAO assessment is required. DOD may include CMMC Level 2 (C3PAO) requirements in place of Level 2 (Self) at its discretion.
- Phase 2 will begin on November 10, 2026. During this phase, DOD plans to include CMMC Level 2 (C3PAO) requirements in applicable solicitations and contracts. DOD may, at its discretion, delay the inclusion of CMMC Level 2 (C3PAO) requirements to an option period instead of as a condition of contract award. DOD may also include CMMC Level 3 requirements for applicable solicitations and contracts.
- Phase 3 will begin on November 10, 2027. During this phase, DOD plans to include CMMC Level 2 (C3PAO) requirements for all applicable DOD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on contracts awarded after the start of this phase. DOD also plans to include CMMC Level 3 requirements for all applicable solicitations and contracts as a condition of contract award. DOD may, in its discretion, delay the inclusion of CMMC Level 3 requirements to an option period instead of as a condition of contract award.
- Phase 4 will begin on November 10, 2028. After this date, DOD plans to include every level of CMMC requirements in all applicable solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.
According to the Final Rule, “[t]he rollout is intended to minimize both the financial impacts to the industrial base, especially small entities, and disruption to the existing DoD supply chain.”
CMMC Requirements Flow Down to Subcontractors
Throughout these phases, defense contractors must be cognizant of their obligation to flow down CMMC requirements to subcontractors. According to the Final Rule, “[s]ubcontractors are to comply in the same way as the prime contractor, with the exception of sharing CMMC UID data with the contracting officer.” The CMMC’s flow-down requirements are outlined under 32 CFR 170.23.
The Final Rule requires prime contractors to determine the appropriate CMMC level for their subcontractors based on the type of information that the subcontractor will be handling and CMMC requirements in the applicable prime contract. DOD does not require the flow-down of CMMC requirements to subcontractors that do not receive FCI or CUI from the prime contractor.
Key Takeaways
- Prepare for November 10. During Phase 1 of the CMMC program, defense contractors will see inclusion of CMMC Level 1 and Level 2 requirements in solicitations and in new task orders and delivery orders for existing contracts. While Phase 1 will include CMMC Level 1 and Level 2 (Self) requirements, DOD has discretion to require Level 2 (C3PAO) assessments during this phase as well. Defense contractors should review their active DOD contracts (and subcontracts) to determine the likely CMMC level and plan accordingly.
- POA&M options remain, but are much more limited. Previously, contractors could more freely rely on POA&Ms to address gaps in cybersecurity controls. Under the Final Rule, for certain CMMC levels and for certain categories of controls, POA&Ms are disallowed; for others, they can be used, but only under strict conditions (e.g., a maximum remediation period, often 180 days, with a close-out assessment required; conditional certification status may depend on remediation via POA&Ms). Lack of timely remediation or misuse of POA&Ms can lead to conditional status lapsing or other noncompliance consequences.
- Compliance affirmation and self-assessments for CMMC Level 1. Defense contractors and subcontractors that handle FCI, subject to the 15 requirements in FAR 52.204-21, are now required to perform self-assessments against those requirements, report the results in SPRS, and affirm compliance prior to contract award and annually thereafter. FCI constitutes a broad category of information and generally includes all non-public information provided by or generated for the government under a contract, such as project schedules and emails related to the contract. Because CMMC is much more prescriptive than the NIST Cybersecurity Framework and other maturity-based frameworks, self-assessors should take care and pressure-test the use of compensating controls to satisfy a particular control when the standard control is not feasible.
- Some contractors may not be significantly affected. CMMC Level 2 does not impose additional technical requirements for defense contractors already performing under contracts that include DFARS 252.204-7012. DFARS 252.204-7012 and CMMC Level 2 both require compliance with all 110 NIST SP 800-171 requirements. Contractors subject to CMMC Level 2 requirements will, however, be subject to assessments every three years (either Self or C3PAO) and be required to submit annual continuous compliance affirmations.
- Third-party assessments could mitigate False Claims Act risks. The Department of Justice, through its Civil Cyber-Fraud Initiative, increasingly uses the False Claims Act (FCA) to investigate and prosecute contractors that knowingly misrepresent their cybersecurity compliance. Third-party assessments performed by C3PAOs under CMMC Level 2 or DIBCAC under CMMC Level 3 may provide a crucial layer of defense to an allegation that a contractor had knowledge of noncompliance with cybersecurity requirements. Accordingly, though not required by the Final Rule, contractors subject to CMMC Level 1 and Level 2 (Self) requirements should consider hiring C3PAOs to assess compliance with requirements under those CMMC levels to strengthen their defense against potential FCA violation allegations.
- Additional costs for contractors. DOD’s incorporation of CMMC requirements could impose additional costs onto some defense contractors, including costs for the implementation of cybersecurity controls, C3PAOs to conduct assessments, and systems to document compliance with CMMC requirements. These costs may be prohibitive to some small defense contractors but could also become baked into the bidding process.