Privacy & Information Security Law Blog

On September 10, 2025, the U.S. Department of Defense (“DoD”) published its final rule amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification (“CMMC”) program (the “CMMC DFARS Rule”).

The CMMC program is a DoD initiative that establishes tiered, enforceable cybersecurity requirements for contractors handling Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”), making verified protection of sensitive information a prerequisite for performing DoD contracts.

The CMMC DFARS Rule marks the next critical step in the rollout of the program. This rule follows the CMMC Policy Rule, published in October 2024, which established the program’s structure, assessment methodology, and governance framework. While the CMMC Policy Rule defined the program in principle, the CMMC DFARS Final Rule makes compliance with CMMC an enforceable condition of contract eligibility.

Overview of CMMC Levels and Certification Requirements

The CMMC framework includes three levels of cybersecurity maturity, each corresponding to different types of information and varying degrees of required protections:

• Level 1 focuses on basic cyber hygiene practices primarily aimed at protecting FCI. Contractors handling Level 1 information can perform a self-assessment to demonstrate compliance, rather than undergoing a formal third-party evaluation.
• Level 2 is an intermediate level intended to protect CUI. Level 2 incorporates a broader set of security practices and processes. Contractors are generally required to complete a self-assessment, although certain programs may require a third-party certification depending on the risk profile of the information or contracting officer direction.
• Level 3 represents a proactive and robust cybersecurity posture, with enhanced practices for sensitive CUI and other mission-critical data. Contractors seeking Level 3 certification must undergo a third-party assessment, which provides independent validation of cybersecurity controls and processes.

Under the CMMC DFARS Rule, contractors that process, store or transmit FCI or CUI must obtain and maintain a “current” CMMC level. Each covered information system will receive a unique identifier (“UID”) in the Supplier Performance Risk System (“SPRS”) or the Enterprise Mission Assurance Support Service (“eMASS”), which contractors must submit with proposals and maintain throughout contract performance. Contracting officers will verify CMMC status in SPRS before awarding contracts, task orders, or delivery orders.

A notable flexibility from its proposed version, the CMMC DFARS Rule distinguishes between conditional and final CMMC status. Conditional status may be granted for Level 2 and Level 3 certifications based on approved Plans of Action and Milestones (“POA&Ms”) allowing contractors to apply for covered contracts for up to 180 days, with final status contingent upon successful closeout of the POA&Ms.

Potential Concerns and Scope Issues

The CMMC DFARS Rule does not fully resolve concerns, particularly for entities outside the traditional defense industrial base, that the CMMC program’s systems-based approach may lead to over-implementation of security controls for information misidentified as CUI, because CUI designations are inherently data-specific.

Notably, the proposed rule establishing CUI safeguarding requirements in the Federal Acquisition Regulations (FAR)—applicable across the executive branch—would require agencies to list the specific information designated as CUI in the solicitation. While agencies could incorrectly categorize information as CUI under the FAR proposal, contractors can challenge errors directly. Under the CMMC DFARS Final Rule, contractors simply receive notice that DoD has determined that CUI is present and that all relevant systems must implement the required safeguards, creating uncertainty about the scope of compliance obligations.

DoD could have addressed these concerns through programmatic guidance clarifying what should be in scope for organizations implementing CMMC. It could have revised the definition of CUI to limit it to information for which a law explicitly imposes a duty on the private sector to safeguard the designated information. However, DoD rejected requests to revise the definition of CUI, noting that it falls under the National Archives and Records Administration and is therefore outside the scope of the CMMC DFARS Rule.

DoD could have also clarified that only information directly related to the performance of a DoD contract qualifies as CUI subject to CMMC—for example, excluding Proprietary Postal Information unrelated to DoD stored on a system supporting a DoD contract from triggering CMMC requirements. While the preamble suggests CMMC only covers DoD-funded acquisitions, the CMMC DFARS Rule’s regulatory requirements apply to “information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract.” Because the qualifier “used in the performance of the contract” applies to systems, rather than the FCI or CUI itself, it remains unclear whether non-DoD CUI could fall under CMMC requirements.

Phased Implementation

While the CMMC DFARS Final Rule is effective November 10, 2025, DoD has announced a phased schedule to incorporate its provisions into contracts over the next three years. During the initial phase-in period, the new contract clause will only be used in solicitations where program managers or requiring activities specifically require CMMC, and it will not apply to contracts solely for commercially available off-the-shelf items. After the three-year phase-in, the clause will be applied more broadly to all contracts involving systems that process, store, or transmit FCI or CUI.

Conclusion

The CMMC DFARS Final Rule cements cybersecurity as a core contractual requirement for DoD contractors, reinforcing the importance of protecting FCI and CUI across the supply chain. While the tiered framework and assessment processes provide structure, uncertainties around scope and applicability—particularly for information not directly tied to DoD contracts—highlight the need for careful planning and proactive compliance. Contractors should use the phased implementation period to align their systems and processes with the CMMC requirements, address potential gaps, and understand the scope of their CUI to fully comply with requirements while seeking to avoid over-implementation or unnecessary controls.