Department of Defense Issues Final Rule Implementing Contractor Requirements to Safeguard Sensitive Information

On September 10, 2025, the U.S. Department of Defense (“DoD”) published its final rule amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification (“CMMC”) program (the “CMMC DFARS Rule”).

The CMMC program is a DoD initiative that establishes tiered validation that contractors handling Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”) are protecting that information consistent with their contractual requirements. This will be a prerequisite for performing DoD contracts.

The CMMC DFARS Rule marks the next critical step in the rollout of the program. This rule follows the CMMC Policy Rule, published in October 2024, which established the program’s structure, assessment methodology, and governance framework. While the CMMC Policy Rule defined the program in principle, the CMMC DFARS Final Rule makes compliance with CMMC an enforceable condition of contract eligibility.

Overview of CMMC Levels and Certification Requirements

The CMMC framework includes three levels of cybersecurity maturity, each corresponding to different types of information and varying degrees of required protections:

  • Level 1 focuses on basic cyber hygiene practices primarily aimed at protecting FCI consistent with the security controls in Federal Acquisition Regulation (FAR) 52.204-21. Contractors handling Level 1 information can perform an annual self-assessment to demonstrate compliance, rather than undergoing a formal third-party evaluation.
  • Level 2 is an intermediate level intended to protect CUI. Level 2 incorporates a broader set of security practices and processes consistent with National Institute of Standards and Technology (“NIST”) Special Publication (SP) 800-171. DoD estimates that the vast majority of contractors will need a third-party assessment from a Certified Third-Party Assessment Organization (“C3PAO”) triennially, but for some select programs contractors will be able to self-certify (also once every three years) depending on the type of CUI.
  • Level 3 represents a proactive and robust cybersecurity posture, with enhanced practices for sensitive CUI and other mission-critical data. Contractors seeking Level 3 certification must undergo an assessment by the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) following a successful C3PAO assessment. DIBCAC will provide validation that the contractor is meeting the relevant controls in NIST SP 800-172.

Under the CMMC DFARS Rule, contractors that process, store or transmit FCI or CUI must obtain and maintain a “current” CMMC level. Each covered information system will receive a unique identifier (“UID”), available in the Supplier Performance Risk System (“SPRS”), which contractors must submit with proposals and maintain throughout contract performance. Contracting officers will verify CMMC status in SPRS before awarding contracts, task orders, or delivery orders.

Consistent with the proposed CMMC Policy Rule, conditional status may be granted for Level 2 and Level 3 certifications based on approved Plans of Action and Milestones (“POA&Ms”) allowing contractors to apply for covered contracts for up to 180 days, with final status contingent upon successful closeout of the POA&Ms.

Potential Concerns and Scope Issues

The CMMC DFARS Rule does not fully resolve concerns, particularly for entities outside the traditional defense industrial base (“DIB”), that the CMMC program’s systems-based approach may lead to over-implementation of security controls for information misidentified as CUI, because CUI designations are inherently data-specific.

Notably, the proposed rule establishing CUI safeguarding requirements in the Federal Acquisition Regulation (FAR)—applicable across the executive branch—would require agencies to list the specific information designated as CUI in the solicitation. While agencies could incorrectly categorize information as CUI under the FAR proposal, contractors can challenge such errors directly. Under the CMMC DFARS Final Rule, contractors simply receive notice that DoD has determined that CUI is present and that all relevant systems must implement the required safeguards, creating uncertainty about the scope of compliance obligations. While DoD has been flexible about retracting documents improperly marked as CUI, some companies have faced challenges with CUI designations being misapplied to their privately generated information.

DoD could have addressed these concerns through programmatic guidance clarifying what should be in scope for organizations implementing CMMC. It could have revised the definition of CUI to be explicit that a “law, regulation, or government-policy” must authorize safeguarding requirements outside of the federal government before a designation can impose a duty on the private sector to safeguard the applicable information. However, DoD rejected requests to revise the definition of CUI, noting that it falls under the National Archives and Records Administration and is therefore outside the scope of the CMMC DFARS Rule.

DoD could have also clarified that only information directly related to the performance of a DoD contract qualifies as CUI subject to CMMC—for example, excluding from CMMC requirements a company’s information that carries a non-DoD CUI designation (such as Proprietary Postal Information), is unrelated to DoD, and happens to be stored on a system supporting a DoD contract. This could be a threshold issue for non-DIB companies that otherwise do not handle DoD CUI. While the preamble suggests CMMC only covers DoD-funded acquisitions, the CMMC DFARS Rule’s regulatory requirements apply to “information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract.” Because the qualifier “used in performance of the contract” applies to the systems, rather than to the FCI or CUI itself, it remains unclear whether non-DoD CUI could fall under CMMC requirements.

Phased Implementation

While the CMMC DFARS Final Rule is effective November 10, 2025, DoD has announced a phased schedule to incorporate its provisions into contracts over the next three years. During the initial phase-in period, the new contract clause will only be used in solicitations where program managers or requiring activities specifically require CMMC. After the three-year phase-in, the clause will be applied more broadly to all contracts involving systems that process, store, or transmit FCI or CUI.

Conclusion

The CMMC DFARS Final Rule cements cybersecurity as a core contractual requirement for DoD contractors, reinforcing the importance of protecting FCI and CUI across the supply chain. While the tiered framework and assessment processes provide structure, uncertainties around scope and applicability highlight the need for careful planning and proactive compliance. Contractors should use the phased implementation period to align their systems and processes with the controls that CMMC will validate, address potential gaps, and understand the scope of their FCI and CUI in order to fully comply with the requirements.
