Pentagon Finalizes CMMC Cybersecurity Requirements for Defense Contractors

The U.S. Department of Defense has issued its final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program, set to take effect November 10, 2025. The long-awaited regulation establishes a comprehensive framework of cybersecurity requirements for federal contractors and subcontractors, introducing new compliance obligations that will be phased in over the next three years.

The CMMC requirements will be mandatory for Department of Defense contracts that involve the processing, storage, or transmission of Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Civilian agencies will have discretion to include CMMC requirements in their contracts as well, potentially expanding the program’s reach across the federal contracting landscape.

“This development means companies doing business with the DOD or civilian agencies should ensure their cybersecurity systems are prepared to meet the CMMC audit and certification requirements,” said a defense contracting expert familiar with the rule. “The implications extend beyond traditional defense contractors to companies in healthcare, technology, energy, and manufacturing that may handle sensitive government information.”

The CMMC framework establishes three compliance levels with increasingly stringent requirements:

Level 1 applies to contractors handling FCI, which is information not intended for public release that is provided by or generated for the government. Contractors must implement 15 basic security controls specified in Federal Acquisition Regulation 52.204-21 and complete annual self-assessments.

Level 2 pertains to contractors handling CUI, which is information the government creates or possesses that requires safeguarding controls. These contractors must implement 110 security requirements from NIST 800-171, a standard already required under DFARS 252.204-7012. Depending on the contract, contractors may need either self-assessment or certification by a CMMC Third-Party Assessment Organization (C3PAO).

Level 3 applies to contractors handling CUI in support of critical government programs and technologies. These contractors must comply with NIST 800-171 plus 24 additional security requirements prescribed by NIST 800-172, and undergo review by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center.

The Pentagon is implementing CMMC in four phases:

  • Phase 1 (November 2025): Self-assessed Level 1 and 2 requirements begin
  • Phase 2 (November 2026): C3PAO-assessed Level 2 requirements begin
  • Phase 3 (November 2027): DIBCAC-assessed Level 3 requirements begin
  • Phase 4 (November 2028): Full implementation across all applicable contracts

Industry analysts note the implementation timeline gives contractors time to prepare, but the compliance burden is substantial. “The framework significantly increases contractor accountability for cybersecurity requirements,” said a cybersecurity compliance expert. “Particularly challenging aspects include periodic certifications and managing subcontractor relationships.”

Prime contractors face additional responsibilities for verifying subcontractor compliance. The rule requires prime contractors to confirm that subcontractors meet appropriate CMMC levels based on the information they will handle. Self-assessed Level 1 status is required for subcontractors handling only FCI, while those processing CUI must meet Level 2 requirements.

The certification process introduces significant enforcement risks. Contractors must use a CMMC unique identifier for each information system handling sensitive information and periodically reaffirm their CMMC status. These certifications create potential liability under the False Claims Act if contractors misrepresent their compliance.

“The certification requirements significantly raise the compliance risk profile,” noted a government contracts attorney. “Noncompliance can lead to serious consequences, including contractual remedies, civil False Claims Act liability, and even criminal charges for false statements to the government.”

Industry stakeholders have long anticipated these requirements, as the underlying cybersecurity obligations date back to 2017. However, the new certification framework creates a more structured approach to verification and enforcement, reflecting the government’s growing emphasis on securing its supply chain against cyber threats.

Companies involved in federal contracting are advised to begin preparing immediately by conducting self-assessments, developing robust compliance systems, and ensuring subcontractors are ready to meet appropriate requirements when contract provisions begin to take effect this November.

© 2025 Disinformation Commission LLC.