Oct 2 / IT CPE Team

CMMC: What the New DFARS Rule Means for Cybersecurity Pros


If you're a cybersecurity professional in the defense industrial base (DIB), the Cybersecurity Maturity Model Certification (CMMC) just became a lot more real. On September 10, 2025, the Department of Defense (DoD) finalized a rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to integrate CMMC into federal contracting. The rule takes effect November 10, 2025. It builds on the CMMC program rule at 32 CFR part 170 (effective December 16, 2024) and on Section 1648 of the FY2020 NDAA, and it shifts compliance from unverified self-reporting to assessed, affirmed status that contracting officers must check. For those protecting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), this is a pivotal moment. Here’s what it means, who’s most affected, and how to prepare.

CMMC Recap: A Tiered Cybersecurity Framework

CMMC verifies that contractors implement the cybersecurity controls needed to safeguard unclassified DoD data. The new DFARS rule (Case 2019-D041) embeds CMMC into contracts via DFARS subpart 204.75, defines terms such as “CMMC Unique Identifier” (UID), and updates clauses such as 252.204-7021. Contracting officers must now check a contractor’s CMMC status in the Supplier Performance Risk System (SPRS) before awards, option exercises, or extensions. No compliance, no contract.

Certification Levels: From Basic to Advanced

CMMC scales with data sensitivity:
  • Level 1 (Self-Assessment): For FCI (e.g., contract details). Requires annual self-assessments against 15 FAR 52.204-21 safeguards, posted in SPRS with senior official affirmations. Valid: 1 year.
  • Level 2 (Self or Third-Party): For CUI (e.g., technical specs). Aligns with the 110 NIST SP 800-171 controls. Options: self-assessment (Level 2 Self) or an audit by a Certified Third-Party Assessment Organization (Level 2 C3PAO). Conditional status allows 180 days to close out Plan of Action and Milestones (POA&M) items. Results of either path are recorded in SPRS and receive a CMMC UID. Valid: 3 years (Final status), with annual affirmations.
  • Level 3 (Government-Led): For high-risk CUI. Adds 24 NIST SP 800-172 controls, assessed by DIBCAC. Same conditional/Final mechanics. Valid: 3 years.
“Current” status now means no unreported changes since the last assessment or affirmation. Holding a higher level than a contract requires can boost competitiveness.

Phased Rollout: Time to Prep

The DoD’s phased approach eases the transition:
  • Years 1-3 (Nov 10, 2025 – Nov 9, 2028): CMMC applies only to flagged contracts (not COTS-only). Scoping and assessments get breathing room.
  • Year 4+ (Nov 10, 2028 onward): Mandatory for all DoD solicitations, contracts, and orders above the micro-purchase threshold involving FCI/CUI. Impacts ~28,000 primes and 300,000+ subcontractors.
New bidders must hold the required status at award; existing contracts may be modified bilaterally to add the requirement. Reassessments occur every 3 years or after major changes, with annual affirmations in between. Exemptions include COTS-only contracts and select waivers (32 CFR 170.5(d)).

Who’s Most Affected?

This rule hits hardest in the DIB:
  • Prime Contractors: Must confirm that each subcontractor holds the required CMMC status before awarding a subcontract, and must flow down 252.204-7021.
  • Subcontractors: Need UIDs and SPRS affirmations for systems that process FCI/CUI. Primes cannot view a subcontractor’s full SPRS profile, so proactively sharing your status with primes is critical.
  • Small Businesses/Startups: About 68% of affected entities. Estimated compliance costs (about $329M) sting, but the phased rollout helps. Level 1 is the key requirement for FCI-only firms.
  • Broader Industry: C3PAOs, compliance consultants, and tool vendors will see demand surge. Non-DIB firms may face similar NIST-based standards soon.
What It Means for Cybersecurity Pros

This is more than an audit: it is a mandate for continuous maturity.
  • Operational Impact: More time on scoping (32 CFR 170.14-170.19), POA&M remediation, and SPRS updates. Annual affirmations add workload. Invest in automation tools.
  • Risks and Rewards: Non-compliance kills bids, putting billions in contract value at risk (malicious cyber activity is estimated to cost $57-109B per year). Certified firms gain trust and faster awards. Pros experienced with Levels 2/3 can consult on flowdowns.
  • Challenges: Subcontractor verification is tricky without full SPRS access. Small teams may struggle with 3-year cycles; budget for training.
  • Big Picture: You’re now central to national security, protecting warfighter tech from threats like IP theft.
Government verification costs are estimated at roughly $16M. The payoff? Stronger DIB security.

Your Action Plan
  1. Scope Systems: Identify FCI/CUI assets (use 32 CFR 170.14-170.19).
  2. Choose Assessment: Start with Level 1/2 self-assessments; book C3PAOs for audits.
  3. Prep for SPRS: Secure UIDs, post results, automate affirmations.
  4. Manage Flowdowns: Update subcontracts; verify sub compliance.
  5. Stay Updated: Follow DoD’s CMMC page, SPRS, and DIBCAC webinars.
The phased rollout buys time—use it to make compliance a strength. Got thoughts? Prepping for assessments or navigating C3PAOs? Share below. Read the full rule at the Federal Register.
