Alert

DOD Issues Final DFARS Rule for Cybersecurity Maturity Model Certification Program

September 10, 2025

WHAT: The U.S. Department of Defense (DOD) has published the final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements for the Cybersecurity Maturity Model Certification Program (CMMC). The final rule at long last sets a starting date for phasing in the CMMC program. 

WHEN: DOD issued the final rule on September 10, 2025, so it will take effect on November 10, 2025. That effective date will mark the first day of the three-year phase-in effort that DOD previously prescribed in the earlier final rule (which we summarized here) establishing the CMMC program requirements in Title 32 of the Code of Federal Regulations. See 32 CFR § 170.3(e). During the first year of the phase-in plan, the following will be applicable:

  • For new contracts, DOD intends to require at least a self-assessment as a condition of award. DOD retains the discretion to require a third-party certification (by a certified third-party assessment organization (C3PAO)).
  • For existing contracts, DOD retains the discretion to require a self-assessment or C3PAO assessment as a condition of exercising an option.

Notable Updates: The final rule incorporates changes to address industry comments and withdraws some of the more ambiguous requirements from the proposed rule, which we covered in a previous alert. Key updates include:

  • DOD removed the requirement to notify the contracting officer of “lapses” in information security or changes in compliance. DOD determined that the reporting requirements in DFARS 252.204-7012(c) for notification of information security incidents and an annual affirmation of continuing compliance would sufficiently protect DOD information.
  • DOD removed the term “data” and clarified that the rule would apply only to information that is Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
  • DOD incorporated definitions for FCI and Plan of Action and Milestones (POA&M) from the FAR and Part 32 final rule on CMMC, respectively.
  • DOD clarified the timeline for phased implementation of CMMC requirements.
  • DOD confirmed that subcontractors also must submit affirmations of continuous compliance and the results of self-assessments in the Supplier Performance Risk System (SPRS). Prime contractors will not have access to subcontractor information in SPRS and will be responsible for ensuring that subcontractors meet the appropriate CMMC level for the information they will receive.

Stay tuned for our complete analysis of the final rule and compliance-related considerations. Wiley will also hold an upcoming webinar on CMMC.
