The U.S. Department of Defense (DoD) has finalized a rule that amends the Defense Federal Acquisition Regulation Supplement (DFARS) to formally include Cybersecurity Maturity Model Certification (CMMC) as a mandatory condition for many defense contracts. Starting in November 2025, contractors must undergo formal assessments, submit annual affirmations and ensure their supply chain is compliant. Noncompliance may jeopardize contract awards or extensions, or lead to False Claims Act liability. We previously discussed that even failure to comply with existing cybersecurity standards can result in significant penalties, and settlements in such cases are often quite costly for contractors facing lawsuits and investigations of their cybersecurity compliance.
Background: What is CMMC?
Over the past decade, the DoD has been targeted by cyber adversaries aiming to gain access to Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Traditional self-attestation structures were deemed insufficient to enforce a baseline level of cybersecurity across the supply chain. For a comprehensive overview of the final rule and its specific requirements, including record-keeping obligations, Plans of Action and Milestones (POA&Ms), subcontractor flow-down requirements, and other key implementation details, see our previous analysis of the DoD's final CMMC rule.
The CMMC concept was first introduced in 2019 as a framework layering maturity practices over existing requirements imposed by common contract clauses such as FAR 52.204-21 and DFARS 252.204-7012 to drive measurable and enforceable cybersecurity structures across all DoD contractors and subcontractors.
What the Final Rule Does and Why It Matters
Under the final rule, CMMC is now structured in Levels 1, 2 and 3 – with ascending risk and control obligations.
- Level 1: Basic safeguarding for FCI. Contractors self-assess to ensure compliance with the 15 requirements stipulated in FAR 52.204-21 and post results in the Supplier Performance Risk System (SPRS).
- Level 2: Covers CUI and will require either a self-assessment or a third-party assessment (via a CMMC third-party assessment organization) to verify that DFARS 252.204-7012 and NIST SP 800-171 practices are met.
- Level 3: For higher risk CUI handling and defense-critical functions. Requires both a Level 2 certification and a government assessment conducted by the DoD. Level 3 contracts must adhere to the 24 enhanced security requirements from NIST SP 800-172 and the requirements of CMMC Level 2.
Contractors may obtain a conditional status for Levels 2 and 3 if they have a Plan of Action and Milestones (POA&M).
To receive a contract award, extension or renewal, contractors must complete the following steps:
- Complete a formal assessment at the required Level (one of the three outlined above).
- Register and report results in the SPRS.
- Obtain a CMMC Unique Identifier (UID) for each evaluated system.
- File annual affirmations of continued compliance.
- Report cyber incidents through the Defense Industrial Base Collaborative Information Sharing Environment (DCISE), as described in DFARS 252.204-7012.
Contract Designations
The DoD, not the contracting officer, will designate the required CMMC level for each contract. Prime contractors will be responsible for ensuring that subcontractors meet the required CMMC level before awarding subcontracts and for ongoing oversight.
Contracts procuring commercially available-off-the-shelf (COTS) items remain excluded from CMMC requirements.
Phased Implementation and Timing
The rule launches a three-year phase-in period beginning November 10, 2025. During this period, contracting officers may include the new CMMC clause in solicitations. After three years, CMMC compliance will be mandatory for all applicable contracts involving CUI, FCI, and CDI.
Full mandatory applicability to all covered DoD contracts is expected by November 2028. Existing contracts may be modified over time to include the CMMC clauses, in the event of extensions.
Enforcement, Reporting and Liability
Contractors must maintain their CMMC status throughout the contract period, reaffirming annually, updating SPRS and ensuring that any changes or reassessments are reported.
The 72-hour cyber incident reporting requirement to DCISE under DFARS 252.204-7012 remains in effect.
Contractors who misrepresent their compliance may face exposure under the False Claims Act, contract termination, suspension, debarment, protested contract awards, or other actions.
What the Changes Mean for YOU
- Eligibility Risk
  - Contractors will no longer be able to rely on past compliance or self-attestation if the contract requires a higher CMMC level.
- Operational Demands
  - Prime contractors must become more vigilant about subcontractor CMMC standing and verify compliance at the required level before awarding subcontracts.
  - Organizations will need to create more detailed plans regarding the systems that process, store or transmit FCI/CUI. It is also recommended that a more streamlined process be implemented to help prepare for assessment and maintain continuous compliance.
  - Registration in SPRS, periodic assessments, submission of affirmations, tracking POA&Ms and reporting are now part of the contractor's expanded obligations.
- Increased Liability
  - False affirmations or outdated status may expose an organization to False Claims Act liability, contract termination or disqualification from awards.
What YOU Can Do
Evaluate your cybersecurity measures to ensure compliance with the new CMMC clause. These measures include understanding the CMMC framework, conducting self-assessments, adopting robust cybersecurity practices, enhancing access controls and developing a System Security Plan. Your plan should also dovetail with a solid data protection plan, which may require a broader information governance review and overhaul to ensure your teams are managing sensitive information covered by the DFARS, the International Traffic in Arms Regulations (ITAR) and proprietary information. If your measures are outdated and not up to standard, your DoD contract awards, at a minimum, may be at risk.
Taking action now to fix deficiencies, before the contract requirements take effect, will mitigate the risk of liability under the False Claims Act or of additional procurement sanctions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.