The Cybersecurity Maturity Model Certification (CMMC) Program is finally here. A final rule establishing the CMMC Program at Title 32 of the Code of Federal Regulations (CFR), Part 170 went live on December 16, 2024. Now, the Department of Defense (DOD) has issued a final rule (Final Rule) codifying the CMMC Program in the Defense Federal Acquisition Regulation Supplement (DFARS). Contractors that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) need to understand what key changes were made in the Final Rule to ensure they are, or remain, eligible for certain upcoming DOD contracts.
Timeline
DOD procuring activities will assign solicitations and contracts a CMMC Level, either Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC), depending on the type and sensitivity of the information being shared with or developed by the contractor. CMMC is to be rolled out in different phases to provide the DOD contracting community sufficient time for training and compliance. Phase 1 starts on November 10, 2025.
Until November 9, 2028, contracting officers will insert DFARS 252.204-7021 in solicitations and contracts if the program office or requiring activity determines that the contract is required to have a specific CMMC Level (excluding contracts solely for the acquisition of commercially available off-the-shelf (COTS) items).
Starting on November 10, 2028, contracting officers must insert DFARS 252.204-7021 in solicitations and contracts if the program office or requiring activity determines that the contractor is required to use contractor information systems during performance to process, store, or transmit FCI or CUI (excluding contracts solely for COTS items).[1]
CMMC Clauses
Two companion clauses flow from the Final Rule: (1) a revised DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements, and (2) a new DFARS 252.204-7025, Notice of Cybersecurity Maturity Model Certification Level Requirements.
To be eligible for contract awards with these clauses, the offeror must, among other things, have and maintain (for the duration of the contract) a current CMMC status at the applicable CMMC Level (or higher) for all information systems used in performance of the contract or order that process, store, or transmit FCI or CUI, and complete (and maintain as current) annual affirmations of continuous compliance with the associated CMMC Level requirements in the Supplier Performance Risk System (SPRS) for each CMMC unique identifier (UID) applicable to each of the contractor information systems that process, store, or transmit FCI or CUI and that are used during performance. DFARS 252.204-7025, which will be included in all solicitations containing DFARS 252.204-7021, generally requires offerors to provide, in their proposal, the CMMC UIDs issued by SPRS for each contractor information system that will process, store, or transmit FCI or CUI during performance of a contract or order resulting from the solicitation, as well as to update that list when new CMMC UIDs are generated in SPRS.
What’s New in the Final Rule
While certainly not exhaustive, below are some notable changes to the DFARS that were made in the Final Rule in response to public comment.
- The definition of “current” was clarified for the purposes of “Conditional CMMC Status,” “Final CMMC Status,” and “affirmation of continuous compliance,” given that offerors’ CMMC status and affirmations must be “current” in order to be eligible for contract award.
- The term “CMMC status” was added to explain what contracting officers will need to review in SPRS and that they must check SPRS and not award a contract or order to an offeror that does not have a current CMMC status posted at the CMMC Level required by the solicitation (or higher) for each CMMC UID provided by the offeror applicable to each contractor information system that will process, store, or transmit FCI or CUI and be used during contract performance.
- The Final Rule clarifies that for CMMC Levels 2 and 3 only, a conditional CMMC status is permitted for a period not to exceed 180 days from the conditional CMMC date, and that an award can occur with a conditional CMMC status. The Final Rule also clarifies that a final CMMC status is achieved upon successful closeout of a valid POA&M.
- DFARS 252.204-7021 was updated to identify that all subcontractors for which CMMC applies must submit affirmations of continued compliance and the results of self-assessments in SPRS.
- The Final Rule adds a definition of “Federal contract information” from Federal Acquisition Regulation (FAR) 52.204-21.
- The Final Rule adds a definition for “plan of action and milestones” (POA&M), which is based on the definition found in 32 C.F.R. Part 170.
- The Final Rule removed the requirement to notify the contracting officer of lapses in information security or changes in the status of the CMMC certificate or CMMC self-assessment levels during contract performance.
- The Final Rule removes the term “data” and clarifies that the Final Rule only applies to information that is FCI and CUI.
- The Final Rule replaces the term “senior company official” with “affirming official” consistent with 32 C.F.R. Part 170.
- The Final Rule makes clear that subcontractors that do not process, store, or transmit FCI or CUI on their information systems during performance of the subcontract would not have a requirement for a CMMC assessment.
Major Takeaways
- Application to Contracts. CMMC Level 1 and Level 2 (Self) requirements will start appearing in DOD solicitations and contracts on November 10, 2025. At that time, contracting officers will have the discretion to (i) require Level 2 (C3PAO) in place of the Level 2 (Self), and (ii) bilaterally incorporate the clause into contracts that were in effect prior to the clause’s effective date, provided appropriate consideration is given. It would be prudent to stay ahead of the phased approach to ensure eligibility for new DOD contracts that may contain a higher CMMC Level requirement than dictated by the phased approach.
- Exercise of Options. Contracting officers may exercise an option on a contract or order with a CMMC Level requirement only after verifying in SPRS that the contractor has a current CMMC status at the required CMMC Level (or higher) for each CMMC UID applicable to each of the contractor information systems that process, store, or transmit FCI or CUI. Compliance with CMMC, ensuring your affirmations are accurate and current, and updating SPRS as necessary, is critical not only for contract award but throughout the entire period of performance.
- Flow-downs to Subcontractors. Contractors must flow down CMMC requirements to applicable subcontractors. Prior to awarding a subcontract, prime contractors must ensure that the subcontractor has a current CMMC status at the CMMC Level that is appropriate for the information being flowed down. Prime contractors do not have automatic access to their subcontractors’ SPRS profiles. When acting as the prime contractor, it will be key to bake language into your subcontracts that permits you to view the results of any relevant subcontractor CMMC assessments, upon request.
- False Claims Act (FCA). The CMMC Program is ripe for claims to be made against contractors under the FCA based on representations made with respect to Level 1 (Self) and Level 2 (Self) assessments, as well as the annual affirmations made in SPRS. “Knowing” misrepresentations—which include actual knowledge, deliberate indifference, or reckless disregard for the truth or falsity of the representation—may form the basis for FCA liability. If a DOD contractor performs a CMMC self-assessment in a haphazard fashion and then attests that it meets the applicable CMMC requirements, it inevitably opens itself up to a potential FCA claim by the Department of Justice.
If you have questions regarding the Final Rule or cybersecurity generally, please contact Cy Alba, Daniel Figuenick, Joseph Loman, or another member of PilieroMazza’s Cybersecurity & Data Privacy or Government Contracts practice groups.
If you’re seeking practical insights to gain a competitive edge by understanding the government’s compliance requirements, tune into PilieroMazza’s podcasts: GovCon Live!, Clocking in with PilieroMazza, and Ex Rel. Radio.
[1] Further discussion of the CMMC Program can be found in our last blog.