DFARS Publishes Final Rule on CMMC Effective November 10
If your organization has Department of Defense (DoD) contracts as either a prime contractor or a subcontractor, you are now required to meet and prove compliance with the Cybersecurity Maturity Model Certification (CMMC) program. The final rule (48 CFR Parts 204, 212, 217, and 252) published September 10, 2025, by the DoD Defense Acquisition Regulations System, is the final hurdle to bring CMMC across the finish line and into Phase 1. Enforceable on November 10, 2025, the new rule stems from an effort mandated by the FY 2020 National Defense Authorization Act to strengthen cybersecurity across the defense supply chain.
Key changes in the final rule
- Cybersecurity Status: Contracting officers cannot award you a contract if your current CMMC status in the Supplier Performance Risk System (SPRS) does not match at least the CMMC level required by the solicitation.
- Systems Listing: Proposals must include CMMC Unique Identifiers (UIDs) that are registered in SPRS for each of your systems handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
- Gradual Rollout: For the first three years, the contract clause is used only when program managers decide to apply CMMC requirements. After three years, the requirement expands to apply more generally when contractors use systems handling FCI or CUI. (Please see more on the phased approach below.)
- Formalizing Contract Language: The new rule updates contract language to let contracting officers fill in the required CMMC level directly. Subcontractors must also confirm continuous compliance (annually) in SPRS and post self-assessment results for the relevant CMMC UIDs.
CMMC Phased Approach
The DoD developed a three-year phased rollout intended to minimize the impact on the industrial base and the DoD supply chain. The phases add CMMC Level requirements incrementally, starting with self-assessments in Phase 1 and ending with full implementation of program requirements in Phase 4, as shown below.
The CMMC phased implementation plan above focuses on DoD prime contractors and subcontractors who handle FCI and CUI.
Below is the breakdown of the distinct levels of CMMC and the associated requirements.
| CMMC Status | Source & Number of Security Reqts. | Assessment Reqts. | Plan of Action & Milestones (POA&M) Reqts. | Affirmation Reqts. |
|---|---|---|---|---|
| Level 1 (Self) | 15 required by FAR clause 52.204-21 | Conducted by the Organization Seeking Assessment (OSA) annually; results entered into the Supplier Performance Risk System (SPRS) | Not permitted | After each assessment; entered into SPRS |
| Level 2 (Self) | 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012 | Conducted by OSA every 3 years; results entered into SPRS; CMMC Status valid for three years from the CMMC Status Date as defined in § 170.4 | Permitted as defined in § 170.21(a)(2) and must be closed out within 180 days; Final CMMC Status valid for three years from the Conditional CMMC Status Date | After each assessment and annually thereafter; assessment lapses upon failure to annually affirm; entered into SPRS |
| Level 2 (C3PAO) | 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012 | Conducted by a C3PAO every 3 years; results entered into the CMMC Enterprise Mission Assurance Support Service (eMASS); CMMC Status valid for three years from the CMMC Status Date as defined in § 170.4 | Permitted as defined in § 170.21(a)(2) and must be closed out within 180 days; Final CMMC Status valid for three years from the Conditional CMMC Status Date | After each assessment and annually thereafter; assessment lapses upon failure to annually affirm; entered into SPRS |
| Level 3 (DIBCAC) | 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012; 24 selected from NIST SP 800-172 (Feb 2021), as detailed in table 1 to § 170.14(c)(4) | Prerequisite CMMC Status of Level 2 (C3PAO) for the same CMMC Assessment Scope, for each Level 3 certification assessment; conducted by DIBCAC every 3 years; results entered into CMMC eMASS; CMMC Status valid for three years from the CMMC Status Date as defined in § 170.4 | Permitted as defined in § 170.21(a)(3) and must be closed out within 180 days; Final CMMC Status valid for three years from the Conditional CMMC Status Date | After each assessment and annually thereafter; assessment lapses upon failure to annually affirm; Level 2 (C3PAO) affirmation must also continue to be completed annually; entered into SPRS |
Next steps
- Identify whether your organization has contracts with DoD as a prime or subcontractor, or whether your organization plans to contract with the DoD in the future.
- Determine whether your organization handles FCI or CUI as part of these identified contracts.
- If your organization only handles FCI as part of the identified DoD contracts, review and implement the 15 cybersecurity controls from FAR 52.204-21, which break out into 17 practices across six security domains.
- If your organization handles CUI as part of the identified DoD contracts, review and implement the 110 controls from NIST SP 800-171 R2 to comply across 320 assessment objectives.
Contact
For more information on CMMC, contact GRF’s Risk & Advisory Services team.
