With the CMMC rule finalized, cybersecurity in defense contracts has become more than just a technical concern; it is now a key compliance and legal requirement. Although implementation will be phased, contractors who adapt and prepare early better position themselves to compete and comply, say Richard W. Arnholt and Todd R. Overman of law firm Bass, Berry & Sims.
The final rule implementing the cybersecurity maturity model certification (CMMC) program into the Defense Federal Acquisition Regulation Supplement (DFARS) took effect just over one month ago, on Nov. 10. The new rule requires contractors and subcontractors to undergo cybersecurity self-assessments or third-party certifications, post results in the Supplier Performance Risk System (SPRS) and provide annual affirmations of continuous compliance.
The final rule is the most significant restructuring of cybersecurity obligations in the defense industrial base to date. Since the rule took effect, CMMC is now a binding contract requirement for virtually all companies that create, receive, process or store federal contract information (FCI) or controlled unclassified information (CUI). The new requirements do not, however, apply to awards that do not involve the handling or transmission of FCI or CUI.
Although it will be phased in over a three-year period, CMMC certification is now a prerequisite for contract eligibility. Contractors will need to demonstrate compliance before award, maintain it throughout performance and certify its accuracy annually, which translates into the following four obligations:
- Reporting: Contractors must enter their current status for each CMMC unique identifier (UID) into the SPRS, unless the covered system has already been assessed by a CMMC third-party assessment organization (C3PAO) or the defense industrial base cybersecurity assessment center (DIBCAC) at the required or a higher level. This requirement applies to all systems used to process, store or transmit FCI or CUI.
- Continuous compliance: Contractors must maintain the required CMMC level for the entire life of the contract.
- Identification: Contractors must provide the contracting officer with the CMMC UID for each covered information system and update this information when changes occur.
- Affirmation: Contractors must maintain a current affirmation of continuous compliance for each CMMC UID.
The Department of War (DoW), until recently known as the Department of Defense, has repeatedly stated that the ability of contractors to protect sensitive unclassified information is critical to national security. As a result, cybersecurity is now directly tied to contracting rights, award eligibility and potential exposure under the False Claims Act. Cybersecurity assurance is no longer a best practice but a legal condition of participating in the defense marketplace.
The final rule
CMMC was originally developed to address challenges in how the DoW evaluated contractor cybersecurity. Under DFARS 252.204-7012 and National Institute of Standards and Technology (NIST) SP 800-171, contractors were responsible for implementing security controls and attesting to compliance. The CMMC program, codified in 2024 at 32 C.F.R. Part 170, was designed to create a uniform, enforceable framework for cybersecurity assessments across the defense industry.
The final DFARS rule operationalizes this framework by making CMMC a binding contractual requirement. The contracting officer will specify the required CMMC level in the solicitation.
Depending on the sensitivity of the information an offeror’s systems will handle, contractors must complete a CMMC Level 1 or Level 2 self-assessment, undergo a third-party (C3PAO) assessment for certain Level 2 acquisitions, or undergo a DoW assessment for Level 3. The technical requirements flow from the underlying NIST frameworks:
- CMMC Level 1: Contractors must implement 15 cybersecurity practices derived from FAR 52.204-21, which are basic safeguarding requirements. Level 1 requires annual self-assessment with results entered into SPRS.
- CMMC Level 2: Incorporates the full set of 110 NIST SP 800-171 controls, which address issues like physical protection, access control and system integrity. Level 2 requires either a C3PAO assessment every three years, with results entered into the CMMC Enterprise Mission Assurance Support Service (eMASS), or, for select programs, a self-assessment every three years with results entered into SPRS.
- CMMC Level 3: Applies to a smaller segment of contractors handling the most sensitive CUI, requiring implementation of 134 controls derived from both NIST SP 800-171 and NIST SP 800-172. Level 3 requires DIBCAC certification assessment every three years with results to be entered into CMMC eMASS.
Contractors must also upload assessment results into SPRS, maintain the required level throughout the life of the contract and submit annual affirmations of continuous compliance. An offeror will be ineligible for award — whether a contract, task order or delivery order — if it does not have a current CMMC status entered in SPRS at the required level and a current affirmation of continuous compliance in SPRS. Both requirements must be met for every contractor information system that will process, store or transmit FCI or CUI in performing the award.
A central feature of the rule is that CMMC compliance becomes a condition of contract eligibility. Contractors cannot receive new awards or continue performance on covered contracts unless their assessment results or certifications are current and properly posted in SPRS. This requirement extends to both prime contractors and subcontractors, and primes are responsible for ensuring subcontractor compliance at the appropriate level. Notably, subcontractors that do not process, store or transmit FCI or CUI on their own information systems during performance are not required to undergo a CMMC assessment.
The rule further requires an “affirming official” to submit an annual affirmation certifying continued compliance with the cybersecurity standards. This affirmation must be updated if the compliance status of any system changes. This requirement is particularly significant from a legal standpoint as it creates a formal, annual representation to the government that can trigger FCA liability if inaccurate.
Three-year phased rollout
The US government anticipates a three-year phased rollout during which CMMC requirements will appear in an increasing number of solicitations. During the first year, only a small number of procurements selected by the CMMC program office will include the requirement. DoW estimates about 1,100 small businesses will be affected in Year One. In the second and third years, agencies will expand CMMC coverage across more contracts, increasing the number of affected small businesses to over 18,000 by Year Three.
By Year Four, CMMC will reach full implementation. Every new solicitation involving FCI or CUI will require at a minimum a Level 1 self-assessment. Contracts involving CUI will require Level 2, and those involving the most sensitive CUI will require Level 3 certification.
Ultimately, the rule will apply to an estimated 338,000 contractors, nearly 230,000 of which are small businesses. Although the rule exempts procurements involving only commercially available off-the-shelf (COTS) items, most contractors will be subject to new annual reporting obligations.
Legal & compliance risks
A significant legal risk created by the final rule arises under the FCA. Because contractors must post assessment results in SPRS, maintain certification throughout performance and submit annual affirmations, they will be making frequent and explicit representations to the government about their cybersecurity policies. If these representations are false, incomplete or misleading, they may be actionable under the FCA, particularly under the DOJ’s Civil Cyber-Fraud Initiative, which has already targeted contractors that misrepresented compliance.
Several aspects of the rule heighten FCA exposure. First, SPRS postings are affirmative claims, not passive compliance activities. Submitting inaccurate documentation may constitute a false statement. Second, annual affirmations by an affirming official create an easy connection for the DOJ to argue that a false certification was made knowingly or with reckless disregard.
To mitigate these risks, contractors should maintain detailed documentation, subcontractor oversight measures and internal monitoring procedures.
Contractors should not wait for the phased rollout to accelerate before acting. Preparation should begin now by determining the appropriate CMMC level for the information their systems handle, particularly where that information qualifies as CUI. Contractors expecting to handle CUI should consider early engagement with a C3PAO, as demand for third-party assessors may rise in later phases of the rollout. Contractors should map systems accurately and document how information flows through their organization and to subcontractors.
Contractors should also develop a documentation system to house policies. Internal audits should be built around annual affirmations. For primes that rely heavily on subcontractors, internal procedures should include verification of subcontractor CMMC status and ongoing monitoring throughout performance.
Contractors will only be able to access their own CMMC certificate or CMMC self-assessment information. DoW does not have a tool that would allow subcontractor information to be shared with prime contractors electronically. Prime contractors are expected to work with their suppliers to conduct verifications as they would for any other clause requirement that flows down to subcontractors. The rule states that, prior to awarding a subcontract or other contractual instrument, the prime contractor should ensure that the subcontractor has a current CMMC status at the CMMC level appropriate for the information to be flowed down. SPRS will allow subcontractors to print or take a screenshot of their own CMMC status and affirmation information, which they can share as they determine appropriate.
Finally, contractors should educate their affirming officials about their new responsibilities. Affirming officials will need clear visibility into how the organization maintains continuous compliance, how incidents are handled and how systems evolve.
Looking ahead
The final CMMC rule represents a decisive shift in how the DoW manages cybersecurity risk across the defense industrial base. By making cybersecurity verification a condition of award eligibility and requiring annual affirmations, the department has transformed cybersecurity from a technical concern to a core compliance and legal obligation. While the phased rollout offers contractors time to prepare, the scope of these requirements demands early attention. Contractors that begin assessing their systems now, document their controls carefully and integrate CMMC into their governance will be better positioned to compete and to avoid the liability risks the rule introduces.
Further CMMC program resources are available on DoW’s chief information officer website.


Richard W. Arnholt
Todd R. Overman