The Department of Defense (DOD) issued a final rule (the Rule) amending the Defense Federal Acquisition Regulation Supplement (DFARS) subparts 204.75, 212.301, 217.207, and 252.204-7021 as of September 10, 2025. The Rule incorporates new solicitation and contractual requirements related to the final Cybersecurity Maturity Model Certification (CMMC) program. The CMMC program is a framework that the government uses to assess a contractor’s cybersecurity protections.

The Rule will take effect November 10, 2025 (60 days from the date of publication). Companies that want to do business with DOD, or are already doing business with DOD and wish to pursue further contracting opportunities, should be aware of the Rule’s implications for award eligibility and post-award CMMC status requirements.

Here are 5 key takeaways from the Rule and DOD’s commentary in the Federal Register:

CMMC Status may be Tied to Contractor Eligibility to Receive Awards, Option Periods, and Extensions of the Period of Performance.

  • Pursuant to the phased implementation process described below, the Rule clarifies that contracting officials are prohibited from awarding any contract, task order, or delivery order, or exercising any option periods or extension periods, when the bidder or contractor does not have the solicitation-provided minimum CMMC status.
  • The CMMC status requirement will eventually be imposed in most federal contracting opportunities, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except those that are solely for the acquisition of commercially available off-the-shelf (COTS) items. Additionally, in very limited circumstances, a waiver of the CMMC status requirements may be granted.

Offerors and Contractors Must Post Their Respective CMMC Self-Assessments in the Supplier Performance Risk System (SPRS) before Securing an Award or the Exercise of an Option Year or Extension Period Under an Existing Contract.

  • Contracting officials are prohibited from awarding any contract, task order, or delivery order to a bidder or contractor that does not have a current CMMC status posted in SPRS. Likewise, contracting officials are precluded from exercising options or period-of-performance extensions if the contractor has not posted a current CMMC status in SPRS. Moreover, the “currentness” of a CMMC status will depend on the CMMC status level and whether the status is “final” or “conditional.”

DOD will Adopt a Phased Implementation Process.

  • Beginning on November 10, 2025, and continuing until November 9, 2028, contracting officials will insert the relevant CMMC status provision into solicitations and contracts if the CMMC program office or requiring activity determines that the contractor is required to have a specific CMMC level. In publishing the Rule, DOD noted that its intent is for contracting officials to include CMMC requirements only in certain contracts, and only at the direction of the CMMC program office, during this first phase.
  • Beginning on November 10, 2028, contracting officials will insert those provisions if the program office or requiring activity determines that the contractor is required to use contractor information systems in the performance of the contract, task order, or delivery order to process, store, or transmit federal contract information (FCI) or controlled unclassified information (CUI).
  • Via this phased rollout process, DOD aims to gradually increase the number of entities to which the CMMC requirements will apply and mitigate across-the-board cybersecurity risks, while minimizing the financial impact to the industrial base and disruption to the existing supply chain.

Contractors Must Flow Down CMMC Requirements to Subcontractors and Suppliers and Ensure Compliance.

  • Pursuant to the Rule, DFARS 252.204-7021 now requires that contractors not only flow down the substance of said clause in subcontracts that contain a requirement to process, store, or transmit FCI or CUI, but also ensure that all subcontractors and suppliers complete and annually maintain an affirmation of continuous compliance with the CMMC requirements associated with each subcontract or other contract.
  • Notably, DOD’s commentary highlighted that DFARS 252.204-7021 is to work in tandem with 32 CFR 170.23, which requires subcontractors to flow down CMMC requirements to their own suppliers and lower-tier subcontractors. Altogether, contractors should be aware of DOD’s intention to use the Rule in further mitigating cybersecurity risks throughout the entire supply chain.

CMMC Status Requirements will also Apply to Small Business Entities.

  • The Rule includes new reporting, recordkeeping, and other compliance requirements for small entities. For example, the Rule requires an entity to provide an entity-specific CMMC unique identifier (also known as the “UID,” which is comprised of 10 alphanumeric characters and is assigned to each CMMC assessment for each contractor information system) and requires an entity’s affirming official to complete the affirmation in SPRS. The requirement to provide CMMC UIDs and for the affirming official to complete the affirmation in SPRS will apply to all small entities that are offerors for a solicitation, or contractors awarded a contract, that includes a requirement for CMMC.

Considerations for Contractors

DOD’s new Rule has significant implications for companies that want to do business with the government or want to continue doing business with the government. Contractors should familiarize themselves with the ins and outs of these new CMMC assessment and reporting requirements to maintain their ability to receive new awards and to comply with post-award contract requirements.

Fluet’s Government Contracts Practice routinely supports contractors in managing regulatory exposure, engaging in contract negotiations with the federal government, and confronting post-award challenges. Contact the team today for more information on compliance assistance for your company.