Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

DoD Finalizes DFARS Cybersecurity Certification Rule: What Contractors Need To Know

Skadden Publication

Michael E. Leiter William E. Ridgway David A. Simon Joshua Silverstein Tatiana O. Sullivan Melissa Muse Lisa Marie Rechden

Executive Summary

  • What’s new: The Department of Defense finalized its rule introducing mandatory cybersecurity compliance requirements for defense contractors. Its requirements, which will be phased in over three years, begin to take effect on November 15, 2025. Among other things, the rule formalizes third-party assessments, annual affirmations and clarifies subcontractor compliance responsibilities.
  • Why it matters: Compliance with the Cybersecurity Maturity Model Certification Program will be a condition for contract awards, extensions and renewals. Prime contractors are also responsible for verifying subcontractor compliance, and false affirmations could result in penalties under the False Claims Act.
  • What to do next: To comply, contractors can begin by mapping systems handling Federal Contract Information or Controlled Unclassified Information, conducting self-assessments and registering in the Supplier Performance Risk System (SPRS). Prime contractors can review the status of key subcontractors’ compliance for applicable CMMC Levels.

__________

On September 10, 2025, the U.S. Department of Defense (DoD) published its final rule implementing the contractual requirements under the Cybersecurity Maturity Model Certification (CMMC) Program.

The rule (CMMC DFARS Rule), which establishes compliance standards and annual affirmation requirements as a condition of contract award for applicable contracts, is effective November 10, 2025, to certain defense contracts and will be phased in over three years. See our August 12, 2024, client alert, “How Defense Contractors Can Prepare Now for CMMC Implementation.”

The rule amends Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 and introduces solicitation provision DFARS 252.204-7025 (collectively, CMMC DFARS Updates).

Key Points for Contractors and Subcontractors

Verification of CMMC compliance. The final rule formalizes the verification of contractor cybersecurity compliance as a condition of contract award and performance. Unlike previous frameworks that relied primarily on self-attestation, the CMMC DFARS Updates require contractors to demonstrate and maintain their CMMC status through documented assessments and annual affirmations, and to post results in the Supplier Performance Risk System (SPRS).

CMMC level determination. The final rule clarifies that it is the DoD program office or requiring activity, not the contracting officer, that determines the appropriate CMMC Level for each contract. For new contractors, in order to establish eligibility for award, it will be critical to assess ahead of time whether contracts are likely to involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) so they can ensure appropriate compliance once requests for proposals or bid submissions are due.

Incorporation of FCI definition. The rule formally incorporates the definition of FCI directly from FAR 52.204-21. This provides greater clarity and alignment across DoD and federal acquisition regulations, ensuring that contractors have a consistent understanding of what constitutes FCI for purposes of CMMC compliance.

Subcontractor compliance and flowdown. Prime contractors must verify subcontractor CMMC status before awarding a subcontract and ensure ongoing compliance. Subcontractors must submit self-assessment results and annual affirmations in SPRS, and prime contractors are responsible for ensuring that CUI or FCI is not flowed down to non-compliant entities.

Incident reporting procedures and monitor changes. While the 72-hour incident notification requirement under DFARS 252.204-7012 remains unchanged, the final rule emphasizes the importance of maintaining current CMMC status and annual affirmations in SPRS. Contractors must be vigilant in updating their compliance status, as lapses or outdated affirmations can result in ineligibility for contract awards or extensions. The focus is on continuous verification and lifecycle compliance, rather than introducing new or expanded incident reporting obligations.

Three-year phased implementation and COTS exclusion. The CMMC DFARS Updates will be phased in over three years, with program offices having discretion to include the requirements in new solicitations during this period. After the phase-in, CMMC compliance will be mandatory for all applicable contracts. However, contracts solely for commercially available off-the-shelf (COTS) items remain excluded from CMMC requirements.

CMMC Program Rule in Brief

CMMC establishes a tiered system of cybersecurity requirements that government contractors must meet to be eligible for DoD contract awards. Each applicable defense contract will be designated one of three CMMC levels of control (Levels). Although many government contractors are already subject to cybersecurity obligations (e.g., DFARS 252.204-7012, 252.204-7019, and 252.204-7020, and FAR 52.204-21), the CMMC Program expands those obligations by formalizing assessments, introducing CMMC “unique identifiers” (UIDs) for covered contractor information systems, and tying award eligibility and continued performance to maintaining CMMC status.

Contractors will need to identify the information systems that will be used to “process, store, or transmit FCI or CUI” in performance of a DoD contract. These are the only contractor information systems covered by the CMMC DFARS Rule. Depending on the CMMC Level, certain contractor systems must undergo a CMMC assessment, after which a unique ten-character CMMC UID is generated in SPRS. To obtain a CMMC UID, contractors must register in SPRS, complete the required self-assessment or third-party assessment based on the CMMC Level, and enter the results in SPRS.

To achieve CMMC compliance, contractors may accredit their own internal systems or rely on third-party cloud service providers, provided those environments are included in the CMMC assessment and meet the required controls. For CMMC Levels 2 and 3, contractors may obtain a conditional CMMC status if a plan of action and milestones (POAM) is in place, but this status may last no longer than 180 days and final CMMC status requires closing out all POAM items.

Prime contractors will be required to identify all of the CMMC UIDs that will be involved in a particular contract award and government contracting officers are required to ensure that all CMMC UIDs are in good standing as a condition of award for applicable contracts. Prime contractors in turn are required to ensure subcontractors are in good standing as a condition of subcontract award.

Effective Dates and Applicability

The CMMC DFARS Rule launches a three-year phased implementation period, beginning November 10, 2025. During this period, contracting officers may include the new CMMC clause at their discretion if a program office determines that a contract requires a specific CMMC Level (excluding COTS-only awards). This discretionary phase-in period will last three years. In November 2028, CMMC will apply more broadly to any contract that requires a contractor to process, store or transmit FCI or CUI, and compliance will be mandatory at the time of award.

Key points to note:

  • New defense contracts issued after the effective date may require a CMMC certification or self-assessment.
  • Existing contracts may be modified to add the CMMC DFARS clauses, at the discretion of the contracting officer. Option years and extensions may also trigger compliance obligations.
  • Contracts solely for COTS items are exempt from CMMC Program requirements, consistent with the carve-outs found in other DoD cybersecurity clauses. Other commercial products and services contracts are not automatically excluded and may still require compliance.

CMMC Levels and Contract Designations

CMMC Levels are determined by DoD program offices based on the sensitivity and type of information that will be processed, stored, or transmitted during contract performance. This ensures that the cybersecurity requirements are appropriately matched to the level of risk associated with the contract.

  • Level 1 – Basic safeguarding for FCI. Contractors must conduct and post a self-assessment in DoD’s SPRS. Annual affirmation of compliance with FAR 52.204-21. Most contracts are expected to fall here.
  • Level 2 – Broad protection of CUI. A subset of Level 2 contracts will allow self-assessment, but most will require an independent third-party assessment (via a CMMC Third-Party Assessment Organization, or C3PAO) and certification. Annual affirmation to verify compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
  • Level 3 – Higher level protection of CUI against advanced persistent threats. These contracts require both a Level 2 third-party certification and a government-led Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment. In addition to the requirements under NIST SP 800-171, Level 3 annual affirmation must verify compliance with NIST SP 800-172, although DoD is still defining the assessment requirements.

Each contractor must designate an “affirming official”— a senior representative with authority to attest to the organization’s ongoing compliance with CMMC program requirements and applicable security obligations, who will be responsible for submitting the annual affirmation of compliance. This affirmation is required for every CMMC Level and must be maintained throughout the life of the contract to ensure ongoing eligibility and compliance. To support accurate attestations, contractors should begin mapping their covered systems and implementing internal compliance policies in preparation.

For defense subcontracts, the prime contractor is responsible for flowing down the applicable CMMC Level if the subcontract “will contain a requirement to process, store, or transmit FCI or CUI.” The final rules clarifies that, in addition to meeting the required CMMC Level, subcontractors must submit self-assessment results and annual affirmations in SPRS. Not every subcontract will require the same Level and if no CUI is flowed down, a subcontract may only require Level 1.

Under the DFARS CMMC Rule, prime contractors are now expressly responsible for verifying that subcontractors hold a current CMMC status at the Level required for the information they will handle before awarding any subcontract.

Pre-Award Requirements

To be eligible for a contract award, contractors must meet certain pre-award conditions:

  • CMMC UIDs. Contractors must obtain and provide CMMC UIDs for each covered system used to process, store or transmit FCI or CUI. UIDs are 10 alpha-numeric characters assigned to each contractor CMMC assessment and reflected in SPRS for each system.
  • SPRS posting. Self-assessment results (for Level 1 and some Level 2 contracts) and third-party or DIBCAC certifications (for certain Level 2 and Level 3 contracts) must be uploaded to SPRS. Offerors and contractors must post self-assessment results in SPRS before receiving an applicable award, exercising an option or extending performance under an existing contract.
  • Conditional vs. final status. As previously mentioned, for Levels 2 and 3, contractors may receive a conditional CMMC status if they have a POAM in place. This status lasts up to 180 days. Full “final” status requires closing all POAM items.
  • Prime contractors and subcontractors. Prime contractors must ensure their subcontractors meet the appropriate CMMC Level before award. If a subcontractor uses the prime contractor’s systems (rather than its own) to handle CUI and FCI, the subcontractor may not need a separate assessment.
  • Third-party cloud providers. Use of cloud services does not exempt contractors from CMMC. Covered data hosted in third-party environments must still meet the applicable CMMC controls, in addition to any other cloud-service provider security requirements under FedRAMP.

Post-Award Compliance, Reporting and Enforcement

CMMC compliance is not a one-time exercise. Contractors must maintain compliance throughout the contract lifecycle, including:

  • Annual affirmations. The designated affirming official must file an annual affirmation of continuous compliance in SPRS.
  • Lifecycle compliance. Contractors must keep their CMMC status current for the full duration of the contract, including option years. Contracting officers are required to validate compliance before extending or renewing performance.
  • SPRS updates. Contractors must keep their CMMC status current in SPRS. This includes posting initial self-assessments or certifications, filing annual affirmations and updating records if a reassessment changes the CMMC Level, or when a conditional status is closed out.
  • Subcontractor oversight. Prime defense contractors must ensure subcontractors maintain current CMMC status before flowing down CUI or FCI. Subcontractors may provide SPRS screenshots or certifications to prime contractors for verification.
  • Incident reporting. Contractors remain subject to the 72-hour cyber incident reporting requirement under DFARS 252.204-7012. This includes reporting incidents that impact contractor information systems or CUI, submitting malicious code to DoD and preserving affected system images and logs.
  • False Claims Act (FCA) liability. The Department of Justice has pursued cybersecurity misrepresentation cases under its Civil Cyber-Fraud Initiative. Inaccurate SPRS reporting or false affirmations could expose contractors to civil and criminal penalties under the FCA or suspension or debarment proceedings or other procurement-related consequences. See our prior client alerts: Government Contractor Settles FCA Case Over Cybersecurity Maturity Model Certification Violations” (April 4, 2025); “DOJ Enters First Intervention in Cybersecurity Qui Tam” (September 6, 2024); “Contractors Settle Cyber Fraud Claims Alleging Ignored Security Measures” (July 2, 2024); and “Cyber Fraud Alleged by Former CIO for Purported Noncompliance With DoD Cyber Requirements” (October 30, 2023).

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.

BACK TO TOP