The GovCon Bulletin™

09 Sep, 2025

CMMC Alert: DoD Issues Final DFARS Rule That Implements CMMC Into DoD Contracts

     Earlier today, the Department of Defense (DoD) posted a draft of its final rule under the Defense Federal Acquisition Regulation Supplement (DFARS) that implements the Cybersecurity Maturity Model Certification (CMMC) requirements into DoD solicitations and contracts. This Final DFARS CMMC Rule, which includes DFARS CMMC clauses to be inserted into solicitations and contracts, is expected to be officially published tomorrow, September 10, 2025. Although first proposed in August 2024, the Final DFARS CMMC Rule conforms the CMMC regulations in DFARS to the CMMC Program regulations that DoD published in October 2024. Below are highlights of DoD's Final CMMC Rule.

3-Year Phase-In

  • Until November 9, 2028, the DFARS CMMC clauses will be inserted into solicitations and contracts if DoD decides CMMC is required. 

  • After November 9, 2028, the DFARS CMMC clauses will be inserted if DoD determines that the contractor is expected to process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in the contractor information system during performance. 

  • Contracts and solicitations for commercial products and commercial services, except those solely for commercially available off-the-shelf (COTS) items, are subject to CMMC compliance. 

     In sum, only in a rare case might a DoD contractor not be expected to have at least FCI in its systems, so CMMC compliance would essentially be a requirement in nearly all non-COTS DoD solicitations and contracts after November 9, 2028.

CMMC As A Condition of Award & Performance

  • Contractors must obtain the CMMC Level required under the contract by the time of contract award and by the time of any option extension.

  • Contractors must maintain a current CMMC status at the specified CMMC Level for the life of the contract.

Possible CMMC Statuses

  • Final Level 1 (Self-assessed)

  • Conditional Level 2 (Self-assessed)

  • Final Level 2 (Self-assessed)

  • Conditional Level 2 (C3PAO-certified)

  • Final Level 2 (C3PAO-certified)

  • Conditional Level 3 (DIBCAC-assessed)

  • Final Level 3 (DIBCAC-assessed)

Conditional CMMC Levels At Time of Contract Award

  • CMMC Level 1: There is no conditional Level 1 status under the CMMC program; a CMMC Level 1-designated contract requires a contractor to achieve final CMMC Level 1 status by contract award date.

  • CMMC Levels 2 and 3: CMMC Level 2 and CMMC Level 3-designated contracts (including those requiring C3PAO certifications and DIBCAC assessments) can be awarded if a contractor’s CMMC Level status is conditional at time of award.

  • However, to remain current, the conditional status for any CMMC Level cannot go beyond 180 days.  So a contractor must achieve final CMMC Level status within 180 days to remain eligible to perform under CMMC Level 2 and CMMC Level 3-designated contracts.

Subcontracts

  • Before subcontract award, contractors must ensure that subcontractors and suppliers:

    • Have a current CMMC certificate or CMMC Level status at the level appropriate for information that will be flowed down.

    • Annually maintain an affirmation of continuous compliance with requirements of the CMMC Level required for the subcontract.

  • Contractors must flow down the DFARS CMMC clause into subcontracts when subcontractors will be required to process, store or transmit FCI or CUI.

     The Amadeo Law Firm's GovCon CMMC Hub provides additional information about DoD's CMMC Program, and the firm will continue to cover CMMC in upcoming articles, webinars or video blogs, and will provide additional CMMC resources.

Mark A. Amadeo
Principal