After years of waiting, the U.S. Department of Defense (DoD) posted to the Federal Register for public inspection on September 9, 2025, a final rule implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards into the Defense Federal Acquisition Regulation Supplement (DFARS) (the Final Rule), which was formally published a day later on September 10, 2025. The Final Rule’s requirements will become effective in the DFARS as of November 10, 2025, and pertain to all DoD contractors and subcontractors. Defense contractors should ensure their compliance with the standards as soon as possible in order to maintain eligibility to compete for DoD contracts and perform DoD subcontracts, as well as to avoid bid protests and/or civil False Claims Act allegations.
CMMC 2.0 is a fundamental shift in how DoD approaches and implements cybersecurity requirements for controlled defense information (CDI), with this effort representing the final step of the nearly five-year process. This Final Rule follows DoD’s establishment of the CMMC 2.0 program by providing the basis for the implementation of the CMMC program in all DoD solicitations and contracts.
DoD primarily relies on contractor self-representations and affirmations of compliance with the cybersecurity controls described in NIST SP 800-171, rev. 2. This approach has drawn governmental criticism over contractor non-compliance, increasing enforcement scrutiny, and concerns that it may not provide sufficient protection of CDI. CMMC 2.0 responds to these criticisms through additional assessment requirements as a condition of contract award and, in some cases, third-party verification by third-party assessment organizations (C3PAOs). To that end, the Final Rule implements a verification framework built on the existing cybersecurity requirements described in both NIST SP 800-171, rev. 2 and NIST SP 800-172.
As described in an October 23, 2024 alert, the CMMC program is based on three levels:
- Level 1, where the contract will not require an entity to process, store, or transmit CDI;
- Level 2, where the contract requires the entity to process, store, or transmit CDI; and
- Level 3, where the contract requires the entity to maintain sensitive types of CDI.
The CMMC program allows entities to self-certify under Level 1 and certain Level 2 contracts but requires C3PAO certification for other Level 2 contracts and Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) certification for all Level 3 contracts.
The Final Rule provides that DoD will implement the CMMC program progressively across four phases over the next three years. In each phase, DoD will require contracting officers to include the corresponding CMMC requirements as prescribed under two new clauses, DFARS 252.204-7021 and 252.204-7024. This process will begin on November 10, 2025, affecting solicitations subject to CMMC 2.0 Level 1 and Level 2 self-assessment requirements. Beginning November 10, 2026, DoD will require contracting officers to include CMMC requirements in solicitations that require a third-party (C3PAO) assessment under CMMC Level 2. Starting on November 10, 2027, DoD will include CMMC requirements in all contracts requiring CMMC Level 3 DIBCAC assessments. Finally, DoD intends to incorporate the two new DFARS clauses into all DoD contracts, including long-term contracts, no later than November 10, 2028.
Government contractors and subcontractors should take note that the Final Rule mandates compliance with the CMMC standards as pertaining to the protection of CDI at the time of contract, task order, or delivery order award. Contractors and subcontractors are required to maintain status at the relevant CMMC level (or higher) throughout the period of performance of the relevant contract, task order, or delivery order. To that end, the Final Rule requires entities to affirm annually that they are in compliance with these requirements in DoD’s Supplier Performance Risk System (SPRS).
Contractors are permitted to remediate “temporary” vulnerabilities and deficiencies pursuant to an operational plan of action (OPA). The Final Rule makes clear that an OPA includes a timeline for remediation and is not the same as a plan of action and milestones (POA&M). While OPAs and POA&Ms are functionally similar mechanisms for documenting and remediating temporary vulnerabilities and deficiencies without the contractor losing certification status, DoD continues to note that only “temporary” vulnerabilities and deficiencies may be remediated through an OPA. Under the Final Rule, all OPAs must be closed within 180 days in order for a contractor to be able to affirm continuous compliance with the CMMC requirements. While the CMMC program does allow some POA&Ms in connection with conditional CMMC certifications under Levels 2 and 3, even those POA&Ms must be closed within 180 days and cannot be used after final certification has been achieved.
Failure to comply with the CMMC 2.0 requirements or to maintain compliance with the applicable controls can result in revocation of the CMMC certification and, correspondingly, render the contractor ineligible to bid on DoD contracts. CMMC compliance failures can also give rise to valid bid protest grounds and/or potential liability under the civil False Claims Act, and raise compliance-related concerns. Contractors that have not managed cybersecurity compliance under current FAR and DFARS requirements and/or have not been working towards compliance with the NIST SP 800-171 rev. 2 controls will not be granted additional time to achieve compliance and may not pass along the costs of becoming compliant to the DoD. The DoD has been clear throughout the rulemaking process that the CMMC requirements reflect and are aligned with information security requirements that have been mandatory since at least December 2017.
Given the cost, time, and risk of complying with these requirements, many contractors and subcontractors have expressed concerns over compliance with the CMMC 2.0 rules. Certain DoD components have taken steps to alleviate these concerns, although the viability, appropriateness, and effectiveness of such steps remain to be seen. Similarly, other DoD components suggest that costs related to the maintenance of CMMC compliance may be recoverable under certain contracts (notwithstanding the comments noted above), although, again, specific proposals to that effect have yet to be seen.
Contractors and subcontractors should ensure they are ready to comply with the CMMC program and CMMC DFARS contract clauses once fully implemented. For questions related to this Final Rule, the new DFARS contract clauses, other CMMC issues, or government contracts generally, contact any of the authors or another member of the McGuireWoods government contracting team.