Department of Defense releases final DFARS rule implementing Cybersecurity Maturity Model Certification (CMMC) requirements

Alert

The Department of Defense (DoD) has issued a Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to embed contractual requirements under the Cybersecurity Maturity Model Certification (CMMC) program, partially implementing Section 1648 of the National Defense Authorization Act (NDAA) for Fiscal Year 2020. The rule further formalizes how DoD intends to assess contractor cybersecurity practices and safeguard sensitive unclassified information across its industrial base.

Context & Effective Date

  • The rule follows an interim rule from September 29, 2020, and a proposed rule from August 15, 2024.
  • A parallel rule codifying the CMMC program (32 CFR Part 170) was published on October 15, 2024, and became effective December 16, 2024.
  • The DFARS final rule will take effect 60 days after its official Federal Register publication, expected on September 10, 2025, meaning new obligations will begin in November 2025.

Key Rule Provisions

Enhanced Definitions (DFARS 204.7501)

The final rule makes several important changes to DFARS definitions to better align with the terminology used in the CMMC program and in the Supplier Performance Risk System (SPRS). One of the most significant revisions is to the term “current,” which now explicitly refers to compliance with 32 CFR Part 170 requirements. Under this definition, a CMMC status is considered “current” only if there have been no changes that would affect compliance, including in situations where a contractor is operating under a conditional or final status or has submitted affirmations of continuous compliance.

The rule also replaces the former term “DoD unique identifier” with “CMMC Unique Identifier (UID).” This UID is a ten-character alphanumeric code assigned to each system that has undergone a CMMC assessment and serves as the primary tracking mechanism in SPRS. Contractors must provide these UIDs for all information systems that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), and must ensure they are kept up to date throughout the performance of a contract.

In addition, the rule formally incorporates definitions for Federal Contract Information (FCI) and Plan of Action and Milestones (POA&M). The definition of FCI is drawn directly from FAR 52.204-21 and refers to information not intended for public release that is provided by or generated for the government under a contract. POA&M, a term already widely used in the CMMC program, refers to a contractor’s documented strategy for addressing known gaps in compliance. POA&Ms play a key role in allowing contractors to receive a conditional CMMC status for a limited period while corrective actions are completed.

Finally, the rule clarifies the meaning of “CMMC status” as the term is displayed in SPRS. Contracting officers will now see a defined set of statuses that reflect whether a contractor has a conditional or final certification and whether required affirmations have been submitted. This clarity is designed to reduce confusion during the award process and to ensure that DoD has a consistent view of a contractor’s cybersecurity posture across the supply chain.

Policy & Conditional Certification (DFARS 204.7502)

The final rule allows contractors to hold a conditional CMMC status at Levels 2 and 3 for a period of up to 180 days. During this time, contractors must close any outstanding items identified in their POA&M in order to transition from conditional to final certification. This framework gives contractors limited flexibility to address residual gaps while still allowing DoD programs to move forward with awards, but it also underscores the expectation that deficiencies be remediated within a defined and relatively short timeline.

Procedures for Contracting Officers (DFARS 204.7503)

The rule also introduces new procedural requirements designed to improve clarity for contracting officers. Contractors are now required to submit a CMMC Unique Identifier (UID) in the Supplier Performance Risk System (SPRS) for each information system that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). These UIDs must be kept current throughout the contract lifecycle, ensuring that the government has visibility into which systems have been assessed and at what level. The addition of paragraph headings within the rule also aims to make these requirements more transparent for both industry and government stakeholders.

Clause Prescription & Solicitation Requirements (DFARS 204.7504)

In terms of solicitation and contract requirements, the Department of Defense has confirmed a phased approach to implementation. For three years following the effective date of the rule, the CMMC clause will apply to solicitations and contracts, with an explicit exemption for those involving only commercial off-the-shelf (COTS) items. Each solicitation must specify the applicable CMMC level, using standardized fill-in options: Level 1 Self-Assessment, Level 2 Self-Assessment, Level 2 Third-Party Assessment Organization (C3PAO), or Level 3 Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment. The rule also imposes subcontract flowdown requirements, mandating that subcontractors provide affirmations of continuous compliance and ensure their assessment results are available in SPRS. Importantly, the terminology has been updated to replace the “senior company official” with the “affirming official,” consistent with the structure set forth in 32 CFR Part 170.

Highlights from Public Comment Responses

In finalizing the rule, DoD addressed a wide range of comments from industry. One key clarification was that contractors must submit changes to their CMMC UIDs in SPRS throughout the life of the contract, reinforcing the requirement for continuous updates. The Department also decided not to add new reporting obligations for lapses in information security, noting that DFARS 252.204-7012 already establishes sufficient requirements in this area. Similarly, the scope of the rule was narrowed by removing broader references to “data” and limiting applicability specifically to FCI and CUI. Another important clarification is that decisions about which CMMC level applies to a given requirement remain the responsibility of program offices or requiring activities, not contracting officers.

The exemption for COTS items was preserved and explicitly tied to the definition in FAR 2.101, while requests for a blanket extension for new bidders were rejected. Instead, DoD emphasized that POA&Ms remain the proper mechanism for contractors to hold conditional status while addressing compliance gaps. The Department also clarified that the rule applies only to contractor information systems used in performance of the contract that process FCI or CUI, not to broader enterprise systems. With respect to subcontractors, the final rule makes clear that prime contractors are responsible for verifying subcontractor compliance prior to award. Finally, several minor but meaningful edits were made to improve consistency and remove ambiguity across the regulatory text.

What This Means for Defense Contractors

The rule is scheduled to take effect in November 2025, and solicitations issued after that date may begin incorporating CMMC clauses. Defense contractors should begin preparing now by conducting a comprehensive inventory of information systems handling FCI or CUI and ensuring that each is properly tracked in SPRS with a valid CMMC UID. Companies pursuing Level 2 or Level 3 certification should be prepared to rely on POA&Ms strategically, but also to remediate outstanding deficiencies within the 180-day conditional period.

Prime contractors must also strengthen their subcontractor oversight processes, verifying subcontractor certifications before award and ensuring proper flowdown of CMMC requirements, including affirmations of compliance through SPRS. While the three-year phased rollout offers some breathing room, particularly for small businesses, the costs and resource commitments required to achieve compliance will demand proactive planning. Contractors should also recognize that the requirement for continuous compliance is ongoing: affirmations must be submitted regularly, UID changes must be reported, and assessments must remain current.

Next Steps for DoD and Industry

The final DFARS rule confirms DoD’s commitment to embedding CMMC into its acquisition framework, raising the bar for cybersecurity compliance across the defense industrial base. Contractors should act now to align compliance systems, train personnel on SPRS and POA&M requirements, and strengthen subcontract oversight in anticipation of solicitations that will begin incorporating the new requirements in late 2025. Because compliance assessments must be accurate, continuously updated, and subject to government scrutiny, many companies may find it prudent to evaluate their readiness through a privileged review overseen by in-house counsel or outside legal advisors. A legal-led process can help protect sensitive analyses while allowing companies to identify and remediate gaps before they lead to contractual or enforcement consequences.

This is especially important given the Department of Justice’s renewed focus on cybersecurity-related enforcement under the False Claims Act. Recent investigations and settlements underscore the risks for contractors who certify compliance without adequate internal controls or documentation. Taken together, the final DFARS rule and the government’s enforcement posture highlight the need for proactive, well-documented compliance strategies that can withstand both contracting officer review and potential investigative scrutiny.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP
