After years of starts and stops, the United States Department of Defense (DoD)[1] has finished its roll-out of the Cybersecurity Maturity Model Certification (CMMC) program with the release of its implementing regulations. This program, first proposed about seven years ago, requires contractors to verify compliance with existing cybersecurity requirements through self-assessments, third-party certifications, or DoD-led reviews. According to DoD, the program is expected to impact more than 337,000 prime contractors and subcontractors in the DoD supply chain, and those contractors that fail to comply will be ineligible for award (or for performing on subcontract agreements). Notably, CMMC will be required for small businesses, subcontractors, foreign entities, and businesses supplying commercial products and services to DoD. The type of assessment required will depend on the type of information possessed by the firm.
In October 2024, DoD released regulations under Part 32 of the Code of Federal Regulations (CFR). The Part 32 regulations established the structure of the CMMC program and defined a three-level verification program:
- Level 1 is an annual self-certification with 15 controls (from FAR 52.204-21) that must be met.
- Level 2 is a split level that requires either a third-party certification or a self-certification of compliance with the controls in NIST Special Publication (SP) 800-171. Whether a third-party assessment is required depends on the kinds of information involved in the contract. This assessment is required every three years.
- Level 3 is an assessment by the DoD Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to determine compliance with a subset of the controls in NIST SP 800-172. This assessment can only occur following a successful third-party Level 2 assessment of the same information system and is required every three years.
The level of assessment needed will be determined by the kinds of information that the company will use in the performance of the contract. Levels 2 and 3 will apply when contractors are expected to handle Controlled Unclassified Information (CUI), and Level 1 will apply when a contractor is only expected to handle Federal Contract Information (FCI).
The newly released regulations under Part 48 of the CFR will be effective on November 10, 2025, and DoD will insert this requirement into DoD contracts beginning at that time. A company is not eligible for award if a solicitation contains this requirement and the company has not achieved the required CMMC level by the time of award.
From the effective date until November 9, 2028, the program office will determine which DoD opportunities will be required to include the CMMC assessment requirements, and beginning on November 10, 2028, the program office will include the requirement if the contractor will “use contractor information systems in the performance of the contract, task order, or delivery order to process, store, or transmit FCI or CUI.” DoD has not publicly identified which opportunities will be the first to include CMMC.
DoD is no longer relying on the self-affirmations of its contracting base when determining whether companies are compliant with contractual cybersecurity requirements. With the launch of the CMMC program, companies should expect that, if they hold non-public information, they may be required to self-assess or have a third-party assessment of their relevant information system. Further, subcontractors may be subject to the requirements sooner if their prime contractors seek to include the requirement in forthcoming contracts.
[1] Despite recent efforts to rename the Department of Defense the Department of War, this rule refers to the agency as the Department of Defense.