Blog

DoD Publishes Final Cybersecurity Maturity Model Certification Rule


Authors

Lawrence “Larry” Block, Elizabeth Leavy, Lawrence S. Sher, Jonathan Hung

Related Topics

United States Department of Defense
DFARS
Cybersecurity Maturity Model Certification (CMMC)
False Claims Act (FCA)

Related Capabilities

White Collar & Government Investigations
Government Contracts & Grants

September 10, 2025

On September 10, 2025, the Department of Defense (DoD) published its long-awaited final DFARS rule on the Cybersecurity Maturity Model Certification (CMMC) Program. Here’s what government contractors need to know.

What Does the Final CMMC Rule Require?

In short, defense contractors will need to be CMMC-certified at the appropriate level to win new DoD contracts. While there is a runway to comply, contractors who wait to come into compliance risk missing valuable opportunities.

The Final CMMC Rule requires DoD to begin including DFARS clause 252.204-7021 in all applicable solicitations, contracts, task orders, and delivery orders (except for commercial off-the-shelf items). DFARS 252.204-7021 requires defense contractors to maintain a CMMC certification at a certain level, which will be specified in the solicitation. There are three levels of CMMC certification.

  • Level 1: Applies when a contractor’s information systems store, process, or transmit Federal Contract Information (FCI).
    • Requires an annual self-assessment against 17 security controls in NIST SP 800-171 (including the 15 security controls listed in FAR 54.204-21).
  • Level 2: Applies when a contractor’s information systems store, process, or transmit Controlled Unclassified Information (CUI).
    • For prioritized acquisitions (most contracts), Level 2 requires a triannual, independent third-party assessment against all 110 security controls in NIST SP 800-171. The third-party assessment must be undertaken by a licensed CMMC Third-Party Assessment Organization (C3PAO).
    • For non-prioritized acquisitions (a minority of contracts), Level 2 requires an annual self-assessment against all 110 security controls in NIST SP 800-171.
  • Level 3: Applies when a contractor’s information systems store, process, or transmit CUI in a particularly high-priority program. The specific conditions that trigger a Level 3 assessment are still being determined by DoD.
    • Requires at least a Level 2 CMMC certification and a triannual government-led assessment against additional security controls in NIST SP 800-172.

Under the Final Rule, the consequences of not having the right CMMC certification are severe. If a defense contractor doesn’t have the requisite CMMC certification, it is not eligible to be awarded or maintain a contract. Additionally, false certifications of self-assessments can result in exposure to False Claims Act liability, damages and penalties.

For contractors who have been tracking CMMC, the Final CMMC Rule has three major changes from the Proposed Rule:

  1. Requires DoD to issue a Notice of CMMC Level Requirements in solicitations that include DFARS 252.204-7021, by inclusion of DFARS 252.204-7025.
  2. Clarifies that a conditional CMMC status is sufficient to permit a contract award (although a final CMMC certification still must be secured).
  3. Removes a requirement to notify the contracting officer of lapses in information security or changes in CMMC certificate/self-assessment status—although this does not remove a contractor’s obligation to annually attest to continuous compliance.

What Is the Compliance Timeline?

The Final CMMC Rule sets forth a phased rollout of DFARS 252.204-7021, starting in November 2025, as follows:

Before November 10, 2025 – Pre-Rollout – Phase 0

Contracting Officers may include DFARS 252.204-7021 in solicitations before November 10, 2025, as long as those contracts are awarded after November 10, 2025.

November 10, 2025 – Phased Rollout – Phase 1

Level 1 and Level 2 Self-Assessments Required: DFARS 252.204-7021 will appear in all solicitations and contracts, task orders, or delivery orders (except for COTS items) that would require a contractor to store, process, or transmit:

  • FCI
  • CUI, for non-prioritized contracts

Level 2 C3PAO Certifications Discretionary: For prioritized contracts, DFARS 252.204-7021 may appear in solicitations and contracts, task orders, or delivery orders (except for COTS items) that would require a contractor to store, transmit, or process CUI.

November 10, 2026 – Phased Rollout – Phase 2

Level 2 C3PAO Certifications Mostly Required: For prioritized contracts, DFARS 252.204-7021 will appear in solicitations and contracts, task orders, or delivery orders (except for COTS items) that would require a contractor to store, transmit, or process CUI. DoD may, in its discretion, delay the requirement to an option period instead of a condition of contract award.

Level 3 Certifications Discretionary: DFARS 252.204-7021 may appear in solicitations and contracts, task orders, or delivery orders (except for COTS items). The conditions that trigger Level 3 are still under development by DoD.

November 10, 2027 – Phased Rollout – Phase 3

Level 2 C3PAO Certifications Required: DFARS 252.204-7021 will appear in all solicitations and contracts, task orders, or delivery orders (except for COTS items) that would require a contractor to store, transmit, or process CUI.

Level 3 Certifications Mostly Required: DFARS 252.204-7021 may appear in solicitations and contracts, task orders, or delivery orders (except for COTS items). DoD may, in its discretion, delay the requirement to an option period instead of a condition of contract award.

November 10, 2028 – Full Rollout – Phase 4

DFARS 252.204-7021 will appear in all solicitations and contracts, task orders, or delivery orders (except for COTS items) when execution of a contract would require a contractor information system to store, process, or transmit FCI or CUI.

Key Takeaways:
  • Now is the time for contractors to analyze whether they will be required to comply with the CMMC and at what particular level, and determine who within the organization is authorized to make attestations of CMMC compliance on behalf of the company.
  • Delaying CMMC certification may put your organization at risk of losing valuable or even essential business opportunities as the number of solicitations without DFARS 252.204-7021 quickly decreases to zero over the next three years. Delaying could even risk current business if a contracting officer decides to immediately incorporate DFARS 252.204-7021.
  • False CMMC certifications or self-assessments can result in costly False Claims Act liability, damages and penalties.

If you have questions regarding the final CMMC rule, please contact a member of the Winston Government Contract and Grants team.

This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.

Copyright © 2025. Winston & Strawn LLP