September 16, 2025

CMMC Final Rule: Key Takeaways for Defense Contractors

Advisory

On September 10, 2025, the Department of Defense (DoD) completed the Cybersecurity Maturity Model Certification (CMMC) rulemaking process. CMMC comprises two regulatory regimes. 32 C.F.R. Part 170 establishes the CMMC program requirements (the Program Rule), and the September 10, 2025 final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) (the DFARS Rule) establishes DFARS policies, contract clauses, and other provisions to implement the Program Rule. This Advisory discusses key takeaways for DoD prime contractors and subcontractors.

CMMC Overview

  • Effective Date/Phase 1 Start Date: In accordance with 41 U.S.C. § 1707, the DFARS Rule takes effect on November 10, 2025 (60 days after publication). Phase 1 of the four-phase process for implementing CMMC begins that same day.[1]
  • Applicability: Subject to the four-phase implementation process and absent a waiver, CMMC applies to all DoD solicitations and contracts (other than contracts exclusively for commercially available off-the-shelf items) that require contractors to store, process, or transmit federal contract information (FCI) or controlled unclassified information (CUI) on contractor information systems.[2]
  • Implementation: DoD will implement CMMC through a four-phase process:

Phase 1 (begins November 10, 2025):
  • DoD includes CMMC Level 1 and Level 2 self-assessment requirements in applicable DoD solicitations and new contracts as a condition of contract award.
  • DoD has discretion to include CMMC Level 2 Certified Third-Party Assessment Organization (C3PAO) certification assessment requirements.
  • DoD has discretion to require CMMC Level 1 and Level 2 self-assessments for applicable contracts issued before November 10, 2025 as a condition of exercising an option period.

Phase 2 (begins November 10, 2026, one calendar year after Phase 1 begins):
  • Phase 1 requirements, plus DoD includes CMMC Level 2 C3PAO certification assessment requirements for applicable DoD solicitations and new contracts as a condition of contract award.
  • DoD has discretion to delay CMMC Level 2 C3PAO certification assessment requirements to an option period.

Phase 3 (begins November 10, 2027, one calendar year after Phase 2 begins):
  • Phase 1 and Phase 2 requirements, plus DoD includes CMMC Level 2 C3PAO certification assessment requirements for applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after November 10, 2025.
  • DoD includes CMMC Level 3 certification assessment requirements in applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay CMMC Level 3 certification assessment requirements to an option period.

Phase 4 (begins November 10, 2028, one calendar year after Phase 3 begins):
  • Full implementation of CMMC: DoD incorporates CMMC requirements into all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.

  • CMMC Levels and Assessments: As shown in the chart below, CMMC requirements are divided across three levels with the following security and assessment requirements. The DoD program office or requiring activity is responsible for identifying applicable CMMC requirements and determining for Level 2 whether a self-assessment or a C3PAO certification assessment is required. Solicitations will specify the requirements in DFARS 252.204-7025.

Level 1
  Applicability: Applies if the contractor will store, process, or transmit FCI in unclassified contractor information systems.
  Security requirements: Contractor must implement the 15 security controls required by FAR 52.204-21.
  Assessment and affirmation requirements:
    • Current self-assessment
      • A CMMC Level 1 assessment is current if it was performed within the past year.
    • 100% implementation is required.

Level 2
  Applicability: Applies if the contractor will store, process, or transmit CUI in unclassified contractor information systems.
  Security requirements: Level 1 + NIST SP 800-171 Rev. 2.
  Assessment and affirmation requirements:
    • Current self-assessment or C3PAO certification assessment, depending on DoD requirements.
      • DoD will decide whether to require a self-assessment or a C3PAO certification assessment based on risk considerations.
      • A CMMC Level 2 assessment is current if it was performed within the past three years, there have been no changes in compliance, and the contractor’s affirming official affirmed continuous compliance within the past year.
    • Conditional Level 2 Status:
      • Contractors achieve a Conditional Level 2 status if they (1) have an assessment score of at least 80%; (2) meet certain critical requirements; and (3) document all non-critical requirements not met in a plan of action and milestones (POAM).
      • Contractors must close out the POAM and achieve Final Level 2 status within 180 days.

Level 3
  Applicability: Applies if DoD determines additional security controls are needed to protect the CUI related to the contract from Advanced Persistent Threats.
  Security requirements: Level 2 + 24 additional requirements from NIST SP 800-172.
  Assessment and affirmation requirements:
    • Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) certification assessment; DIBCAC can also assess Level 2 compliance.
    • Conditional Level 3 Status:
      • Contractors can achieve a Conditional Level 3 status if they (1) achieve an assessment score of at least 80%; (2) meet certain critical requirements; and (3) document all non-critical requirements not met in a POAM.
      • Contractors must close out the POAM and achieve Final Level 3 status within 180 days.
    • A CMMC Level 3 certification assessment is current if the contractor underwent a Level 2 and a Level 3 assessment within the past three years, there have been no changes in compliance, and the contractor’s affirming official affirmed continuous compliance within the past year.

  • Scoping: A critical requirement for CMMC compliance is identifying the contractor information systems that must be included in the CMMC assessment. For Level 1, information systems that store, process, or transmit FCI are in scope. Specialized Assets (i.e., assets that can process, store, or transmit FCI but cannot be fully secured) are outside the CMMC Level 1 scope. Scoping for Levels 2 and 3 is more complex and requires, among other things, identifying which assets store, process, or transmit CUI; which assets can, but are not intended to, store, process, or transmit CUI; and the nature of the assets.
  • External Service Providers (ESPs): Many contractors of all sizes rely to some extent on ESPs, including cloud service providers (CSPs). Whether an ESP is within scope, and the nature of the assessment, turns on certain considerations, most importantly whether the ESP stores, processes, or transmits CUI or Security Protection Data. If a DoD contractor uses a CSP to store, process, or transmit CUI, then the CSP must comply with requirements in DFARS 252.204-7012, including meeting Federal Risk and Authorization Management Program (FedRAMP) moderate baseline requirements. FedRAMP authorizations are likely to be increasingly important for CSPs and contractors. The Program Rule states that if a contractor is “using a FedRAMP Authorized CSP (at the FedRAMP Moderate or higher baseline),” then the contractor “is not responsible for the CSP’s compliance,” but if the CSP does not have a FedRAMP authorization, the contractor “is responsible for determining if the CSP meets the requirements for FedRAMP Moderate equivalency.”[3]
  • Subcontractors: Prime contractors and higher-tier subcontractors must flow down CMMC requirements to lower-tier subcontractors that will store, process, or transmit FCI or CUI on unclassified contractor information systems.[4] The prime contract’s CMMC requirements and the nature of the information a subcontractor will store, process, or transmit during performance using those information systems will dictate subcontractor CMMC obligations. Prime contractors and subcontractors must address CMMC requirements during subcontract negotiations, including consideration of risk-shifting provisions.

Key Implications

  • Contract Eligibility: Current and prospective DoD contractors that are not already CMMC compliant at the levels they anticipate needing to compete in DoD procurements must come into compliance to be eligible for award of DoD contracts and to retain existing contracts if DoD includes CMMC requirements as a condition of exercising an option period. Ensuring Supplier Performance Risk System (SPRS) profiles are current is critical because contracting officers will rely on information in SPRS rather than compliance representations in proposals.[5]
  • Enforcement Risks: Current and prospective contractors must ensure not only initial but also continuous compliance with CMMC requirements and close out POAMs in a timely manner. Noncompliance can lead to contract disputes and False Claims Act liability. Express certification requirements increase liability risks.
  • Impact on Existing Information Security Requirements: CMMC does not affect other information security requirements. Thus, defense contractors must continue to comply with cyber incident reporting requirements in DFARS 252.204-7012, among other requirements.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. 32 C.F.R. § 170.3(e)(1) (“Phase 1. Begins on the effective date of the complementary 48 CFR part 204 CMMC Acquisition final rule.”).

  2. Id. § 170.3(a)(1); DFARS 204.7504(a)(1).

  3. 89 Fed. Reg. 83092, 83139 (Oct. 15, 2024).

  4. See 32 C.F.R. § 170.23.

  5. See DFARS 204.7503(b) (“Award. Contracting officers shall check SPRS and not award a contract, task order, or delivery order to an offeror that does not have a current CMMC status posted in SPRS at the CMMC level (see 32 CFR 170.15 through 170.18) required by the solicitation, or higher, for each CMMC UID provided by the offeror.”).