Understanding the DoD’s Latest Cybersecurity Rules
SumX, Inc
March 9, 2026

On September 10, 2025, the U.S. Department of Defense (DoD) published its final rule for the Cybersecurity Maturity Model Certification (CMMC) program, amending the Defense Federal Acquisition Regulation Supplement (DFARS). The CMMC is the DoD’s framework for ensuring that sensitive governmental data is protected throughout the defense industrial base (DIB) supply chain. The program officially began its phased rollout on November 10, 2025, confirming the enforcement era has commenced.
Before CMMC, existing rules (like those based on DFARS 252.204-7012) told defense companies what cybersecurity steps to take, but the rules did not require the DoD to verify that those measures were actually implemented before a contract was awarded. The final rule implementing CMMC fundamentally changes how cybersecurity requirements are incorporated into DoD contracts and subcontracts, making CMMC compliance a mandatory, enforceable element of these agreements. This shift provides the DoD with greater assurance that sensitive data is safeguarded against malicious cyber activity, which costs the U.S. economy billions annually. Notably, the CMMC also strengthens supply chain security by ensuring that these requirements flow down to subcontractors, creating a more resilient and trusted defense ecosystem. At the same time, the DoD expects contractors to have already implemented everything required under the existing DFARS 252.204-7012 clause, such as logging, multifactor authentication (MFA), encryption, and incident reporting. This reframes compliance as expected maintenance rather than a new investment.
What are the Main Changes in the Latest Version of CMMC?
The latest CMMC framework, implemented by the final DFARS Procurement Rule, focuses on streamlining implementation, enhancing verification, and ensuring continuous compliance, simplifying the structure and emphasizing continuous security:
• Fewer Levels: The framework now uses three distinct CMMC levels instead of the five levels used in earlier drafts. Companies now only need to worry about three security levels (basic, medium, high), depending on the type of information they handle.
• Mandatory Checks & Affirmation of Continuous Compliance: CMMC requires continuous compliance, not just a one-time audit. Contractors must provide an annual affirmation of continuous compliance, completed by an "affirming official" (a designated senior official), for each CMMC Unique Identifier (UID) in the Supplier Performance Risk System (SPRS).
• Fix-It Time (Conditional Status): For the higher security levels (Levels 2 and 3), a company with minor security gaps can receive a temporary ("conditional") status for up to 180 days while it actively fixes the issues identified in a Plan of Action and Milestones (POA&M) document.
• System Tracking: Contractors must use CMMC UIDs, 10-character codes, to track and verify the compliance of each specific information system handling sensitive data.
• Targeted Applicability: CMMC requirements are limited to contractor information systems that process, store, or transmit FCI or CUI, not a company’s entire IT environment.
• Reduced Reporting Burden: The final rule removed certain rule-specific notification requirements, such as notifying contracting officers of lapses in information security or changes in CMMC certification status. Contractors no longer need to over-report. Instead, they rely on the incident reporting rules already in place under DFARS 252.204-7012 and the annual affirmations of compliance, which provide the DoD with assurance without overwhelming contractors.
Information Types, CMMC Levels, and Requirements
The CMMC framework directly ties the sensitivity of information handled by a contractor to the security requirements and certification level they must achieve. At its core, the model distinguishes between two categories of information:
Federal Contract Information (FCI): Basic, non-public contract data. This forms the baseline for Level 1 compliance. Contractors handling only FCI must meet the safeguarding requirements in FAR 52.204-21.
Controlled Unclassified Information (CUI): Sensitive but unclassified defense-related data. Contractors handling CUI must meet Level 2 requirements under NIST SP 800-171. The DoD confirmed that all current assessments will still be based on Revision 2 of NIST SP 800-171 until rulemaking for Revision 3 is complete. Contractors are warned that implementing Revision 3 controls too early or incorrectly, even if technically stronger, could lead to failure under the current Revision 2 scoring rules.
High-Value CUI / Critical National Security Information: Data requiring the highest protections. Contractors handling this must meet Level 3 requirements, which build on NIST SP 800-171 with enhanced protections under NIST SP 800-172. A new FAQ explicitly clarifies that encrypted CUI is still considered CUI. This means that the data must still reside within FedRAMP Moderate-equivalent systems, follow all NIST SP 800-171 requirements, and be handled by assessed service providers. This requirement severely limits the use of 90% of off-the-shelf software for CUI handling.
The CMMC framework is structured into three distinct levels, each tied to the sensitivity of information a contractor handles and the rigor of cybersecurity requirements they must meet.
Level 1 (Basic):
• Applicability: For contractors that handle FCI, i.e. basic, non-public contract data.
• Requirements: Compliance with the 15 basic safeguarding practices outlined in FAR 52.204-21, such as limiting access, using antivirus software, and keeping systems patched.
• Assessment Type: Contractors conduct an annual self-assessment and post results in the SPRS.
• Validity: One year (must be renewed annually).
Level 2 (Advanced):
• Applicability: For contractors working with CUI, which requires stronger protection.
• Requirements: Compliance with the 110 security controls in NIST SP 800-171, covering areas like access controls, incident response, and encryption.
• Assessment Type: Either a self-assessment (for lower-risk CUI, as specified in the contract) or a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) for higher-risk environments. Results must be posted in SPRS.
• Validity: Three years (with annual affirmations of continuous compliance).
Level 3 (Expert):
• Applicability: For the most sensitive defense environments involving critical national security information.
• Requirements: Compliance with NIST SP 800-171, plus additional enhanced security requirements from NIST SP 800-172, such as stronger encryption, monitoring for insider threats, and advanced threat detection.
• Assessment Type: Must be assessed directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
• Validity: Three years (with annual affirmations of continuous compliance).
Timeline and Implementation of CMMC
The DoD’s final rule implementing the CMMC took effect on November 10, 2025, marking the start of a three-year, four-phase rollout. To minimize disruption, especially for small businesses, the DoD is rolling out CMMC in stages:
Years 1-3 (Nov. 10, 2025 - Nov. 10, 2028): CMMC will appear in select contracts only, as determined by program offices. Some contracts may require third-party assessments (for Levels 2 or 3), but inclusion will not be automatic.
Year 4 and Beyond (Nov. 11, 2028 onward): CMMC will be mandatory in all applicable contracts involving FCI or CUI. Any contractor information system that processes, stores, or transmits this data will fall under CMMC requirements.
COTS Exemption: Contracts exclusively for Commercially Available Off-the-Shelf (COTS) products remain permanently exempt from CMMC requirements.
This gradual approach ensures the defense industrial base, particularly small and midsize businesses, has time to prepare, implement required controls, and adapt to the verification process before the requirements become universal.
Who Needs to Comply with CMMC?
CMMC applies broadly across the Defense Industrial Base to ensure every organization handling sensitive DoD information maintains adequate cybersecurity protections. Compliance is not limited to prime contractors; it flows throughout the supply chain.
Prime Contractors: Any company bidding on or performing a DoD contract that involves FCI or CUI must meet the CMMC level specified in the solicitation. Compliance is a mandatory contract requirement.
Subcontractors and Suppliers: CMMC requirements extend to all tiers of the supply chain. Prime contractors must flow down the applicable CMMC requirements to subcontractors whose systems process, store, or transmit FCI or CUI. Subcontractors must perform the same assessments, post results in the SPRS, and submit affirmations of continuous compliance just like primes.
External Service Providers (MSPs/MSSPs): The new FAQs explicitly state that Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) are under scrutiny and will be evaluated as part of the contractor's assessment. If these external providers touch the contractor's systems, manage security tools, hold admin credentials, or manage the Microsoft tenant, they must be able to prove compliance with the contractor’s controls, even if they do not require their own CMMC certification.
Small Businesses: The rule significantly impacts small entities. By Year 4 of implementation (2028), the DoD estimates that about 229,818 small businesses out of 337,968 total impacted entities will fall under CMMC requirements. The phased rollout is specifically designed to give these smaller companies more time to adapt, but they remain fully responsible for compliance.
Risks Contractors Face if They Fail to Comply
Failure to comply with CMMC requirements poses significant operational, legal, and reputational risks for contractors in the DIB.
Contract Ineligibility: Contractors that do not hold a current CMMC status at the required level in the SPRS are automatically ineligible for contract award, option exercise, or period of performance extension. SPRS submission errors, specifically marking the System Security Plan (SSP) as “Not Met,” are cited as the number one roadblock for contractors, leading to an automatic failure.
Loss of Conditional Status: For Levels 2 and 3, contractors granted a conditional certification must close out their POA&M deficiencies within 180 days. Failure to do so results in losing conditional status and, consequently, contract eligibility.
False Claims Act (FCA) Exposure: Misrepresentation of compliance, either in affirmations or reporting, can trigger False Claims Act liability, especially under the Department of Justice’s Cyber Fraud Initiative. This exposes contractors to potential investigations, fines, and litigation.
Reputational and Financial Damage: Beyond contractual and legal penalties, a contractor’s failure to protect FCI or CUI may lead to theft of intellectual property, loss of sensitive data, and lasting reputational harm, damaging both market trust and long-term viability.
How Can Contractors Cope with the New CMMC Rules?
CMMC compliance is now a mandatory requirement for DoD contracts, making early preparation and proactive management essential. Contractors should treat compliance as an ongoing business investment rather than a one-time certification. Key steps include conducting a gap analysis against NIST SP 800-171 requirements, documenting policies and procedures, training employees on data protection responsibilities, and implementing technical safeguards such as access controls, multifactor authentication, encryption, and continuous monitoring.
Using an ERP like SumX can streamline compliance by centralizing documentation, tracking security controls across systems, automating audit trails, and providing dashboards to monitor adherence to CMMC requirements. This allows contractors to manage continuous compliance efficiently, reduce administrative burden, and maintain visibility across their supply chain.
The final DFARS rule will be fully implemented by November 10, 2028. Contractors who act early will not only remain eligible for DoD contracts but also gain a competitive advantage as trusted, secure partners in the defense supply chain.