DoD’s Phased Implementation of CMMC Begins: What You Need to Know
On November 10, 2025, the Department of Defense’s (“DoD”) final rule amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to incorporate contract requirements related to its Cybersecurity Maturity Model Certification (“CMMC”) Program became effective, kicking off DoD’s phased implementation of the Program. Here is what you need to know:
What is CMMC?
CMMC is DoD’s mechanism for verifying that defense contractors and subcontractors have implemented mandatory cybersecurity requirements and are maintaining these requirements during performance, including:
- FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (requiring contractors to apply certain “basic” safeguarding requirements (15 cybersecurity controls, listed in the clause) to protect covered contractor information systems (i.e., information systems that process, store, or transmit federal contract information or “FCI”)).
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (requiring contractors to provide “adequate security” (i.e., comply with the 110 cybersecurity requirements in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171)[1] on all covered contractor information systems (i.e., information systems that process, store, or transmit covered defense information or controlled unclassified information or “CUI”)).
If these FAR / DFARS clauses sound familiar, they should: these clauses—and their underlying security requirements—are not new. What is new, however, is DoD’s plan to verify contractor compliance with these requirements. The CMMC Program is DoD’s way of doing that.
Starting November 10, 2025, DoD contracting officers are required to include CMMC—at a Level dictated by the DoD program office or requiring activity—in solicitations and contracts. Defense contractors and subcontractors must have a current CMMC status posted in the Supplier Performance Risk System (“SPRS”) at the CMMC Level required by the solicitation to be eligible for award. No CMMC status in SPRS, no award.
The same is true for the exercise of option periods: contractors must have a current CMMC status posted in SPRS at the CMMC Level required by the contract before the contracting officer can exercise an option or extend the period of performance. No CMMC status in SPRS, no options or contract extensions.
What does this all mean? If your organization does work for the DoD, whether as a prime contractor, subcontractor, or supplier—at any tier in the supply chain—your organization must be CMMC certified. Failing to do so will result in loss of this revenue stream.
Now, let’s review key aspects of the Program:
CMMC Levels
The CMMC Program is designed to protect Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”) shared with or developed by contractors and subcontractors during contract performance. The Program consists of three progressively advanced levels based on the type and sensitivity of the information:
- CMMC Level 1: Basic Safeguarding of FCI
- Annual self-assessment to secure FCI processed, stored, or transmitted on contractor information systems during contract performance
- Requires annual affirmation of compliance with the 15 security requirements in FAR 52.204-21
- CMMC Level 2: Broad Protection of CUI
- Either a self-assessment or a third-party assessment (conducted by a Certified Third-Party Assessment Organization (“C3PAO”)) every three years to secure CUI processed, stored, or transmitted on contractor information systems during contract performance
- Requires annual affirmation of compliance with the 110 security requirements listed in NIST SP 800-171 rev. 2 (per DFARS 252.204-7012)
- CMMC Level 3: Higher-level Protection of CUI against Advanced Persistent Threats
- Requires, as a prerequisite, achievement of CMMC Level 2 (C3PAO)
- Government assessment (conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”)) every three years to ensure enhanced protection of CUI from Advanced Persistent Threats
- Requires annual affirmation of compliance with 24 identified requirements from NIST SP 800-172[2]
Contractor self-assessment results (Level 1 (Self) and Level 2 (Self)) must be posted in the Supplier Performance Risk System (“SPRS”). C3PAO and DIBCAC assessment results (Level 2 (C3PAO) and Level 3 (DIBCAC)) will be entered into the CMMC Enterprise Mission Assurance Support Service (“eMASS”). Compliance affirmations, for all CMMC Levels, must be entered by the contractor / subcontractor in SPRS.
Who selects the CMMC Level for inclusion in the solicitation or contract? That decision is at the discretion of the DoD program office or requiring activity based on the type of information (FCI or CUI) that will be processed, stored, or transmitted through a contractor information system.[3]
Flowdown Obligations
CMMC requirements apply not only to prime contractors, but also to a prime’s subcontractors and suppliers—if the subcontractor / supplier will process, store, or transmit any FCI or CUI on their information systems during performance.[4] Prime contractors are responsible for ensuring that their subcontractors further flowdown CMMC requirements throughout the supply chain, at all tiers, with the applicable CMMC Level and assessment type for each subcontract as follows:
- If a subcontractor will only process, store, or transmit FCI (not CUI) in performance of the subcontract, then CMMC Level 1 (Self) is required for the subcontractor.
- If the subcontractor will process, store, or transmit CUI in performance of the subcontract, then CMMC Level 2 (Self) is the minimum requirement for the subcontractor.
- If the subcontractor will process, store, or transmit CUI in performance of the subcontract and the associated prime contract has a requirement for CMMC Level 2 (C3PAO), then CMMC Level 2 (C3PAO) is the minimum requirement for the subcontractor.
- If a subcontractor will process, store, or transmit CUI in performance of the subcontract and the associated prime contract has a requirement for CMMC Level 3 (DIBCAC), then CMMC Level 2 (C3PAO) is the minimum requirement for the subcontractor.
How do I know if my subcontractor will process, store, or transmit FCI or CUI? That is up to the prime contractor: It is on the prime contractor to determine the information that needs to be shared with a subcontractor (i.e., FCI, CUI, or neither) for performance of the subcontract. If a subcontractor can perform the subcontract without FCI or CUI, then it is in the prime’s best interest not to share such information.
It is also on the prime contractor to verify—prior to subcontract award, and prior to disseminating any FCI or CUI—that the subcontractor has a current CMMC status at the Level appropriate for the information being flowed down.
How do I do that? Can I check my subcontractor’s assessments in SPRS? Unfortunately, no. Contractors are only able to access their own CMMC assessment information in SPRS—not that of another entity. Thus, prime contractors cannot access their subcontractors’ information in SPRS and are expected to work with their subcontractors / suppliers to conduct verifications (just like any other flowdown requirement).[5] SPRS will allow subcontractors to print or take a screenshot of their own CMMC status and affirmation information in SPRS, which they can share with their prime contractor.
Phased Implementation
DoD is implementing CMMC in four phases, designed to address CMMC assessment ramp-up issues, provide time to train assessors, and allow contractors to understand and implement the Program. For Phase 1 (Nov. 10, 2025 through Nov. 9, 2026), expect to see self-assessment requirements (CMMC Level 1 (Self) or Level 2 (Self)) in DoD solicitations and resulting contracts.
Generally, a contractor will need to have the required CMMC status either at the time of contract award or prior to the exercise of an option period:
| Phase | Start Date | DoD intends to: | DoD may, at its discretion: |
|---|---|---|---|
| Phase 1 (Self Assessments) | Nov. 10, 2025 | Include the requirement for CMMC Level 1 (Self) or Level 2 (Self) in applicable DoD solicitations / contracts as a condition of award | |
| Phase 2 | Nov. 10, 2026 (one year following the start of Phase 1) | Include the requirement for CMMC Level 2 (C3PAO) in applicable DoD solicitations / contracts as a condition of award | |
| Phase 3 | Nov. 10, 2027 (one year following the start of Phase 2) | | Delay the inclusion of the requirement for CMMC Level 3 (DIBCAC) to an option period instead of as a condition of contract award |
| Phase 4 (Full Implementation) | Nov. 10, 2028 (one year following the start of Phase 3) | Include CMMC Program requirements in all applicable DoD solicitations / contracts, including option periods on contracts awarded prior to the beginning of Phase 4 | |
Conclusion
Implementation of DoD’s CMMC Program has been a long time coming. Contractors should take advantage of DoD’s phased implementation approach and get smart on CMMC requirements as soon as possible. Please do not hesitate to contact the authors with questions.
[1] NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” Rev. 2 (Feb. 2020, with Jan. 2021 updates). Note that while NIST published SP 800-171 Rev. 3 in May 2024, Rev. 2 is currently the controlling version for CMMC and DFARS 252.204-7012. See 32 C.F.R. § 170.2 & DoD Class Deviation 2024-O0013, Safeguarding Covered Defense Information and Cyber Incident Reporting (May 2, 2024).
[2] NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171,” (Feb. 2021).
[3] See 32 C.F.R. § 170.5(b) for a list of factors to be used by DoD program managers and requiring activities in selecting the applicable CMMC Level.
[4] See 32 C.F.R. § 170.23.
[5] For more on the importance of prime contractor flowdown obligations and subcontractor oversight, see Prime Contractor False Claims Act Liability for Subcontractor Misconduct, Turning Square Corners: Fed. Bar Assoc. Qui Tam Section Newsletter (Summer 2025) at 9.