The Final DFARS Rule Brings CMMC Compliance Into Contracts: What It Means for Defense Contractors

  • mike08242
  • Sep 9
  • 3 min read

Overview


On September 10, 2025, the Department of Defense released the final DFARS rule on cybersecurity. This rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) to align with the Cybersecurity Maturity Model Certification (CMMC) program, which was codified at 32 CFR part 170 in late 2024.


Final DFARS Rule

It finalizes the framework for ensuring defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), and it partially implements Section 1648 of the FY 2020 National Defense Authorization Act. For contractors across the Defense Industrial Base (DIB), this is the long-anticipated moment when CMMC compliance officially moves from policy guidance to contractual requirement.


Effective Date and Rollout Timeline


The rule takes effect November 9, 2025. From that date, a three-year phased rollout begins.


  • 2025 to 2028 (Phase-in Period): CMMC compliance will only be required on contracts where a DoD program office specifically includes it. COTS-only awards are excluded.


  • November 10, 2028 (Full Implementation): Every DoD contract involving contractor systems that process, store, or transmit FCI or CUI will require compliance. This includes commercial products and services and contracts below the Simplified Acquisition Threshold, but not COTS-only awards.


What the Final Rule Requires


CMMC Compliance Status at Award:

Contractors must have the required CMMC status, posted in the Supplier Performance Risk System (SPRS), at the time of contract award, option exercise, or extension. This applies to all systems handling FCI or CUI.


Conditional Certifications:

Level 2 and Level 3 contractors can win work with a conditional status for up to 180 days, provided there is a valid Plan of Action and Milestones (POA&M). Level 1 contractors must have a final status at award.


Flowdown to Subcontractors:

Requirements apply to subcontractors only if they handle FCI or CUI. Subcontractors must also post their results in SPRS and complete annual affirmations.


Definitions and Clarifications:

The rule provides clearer definitions for terms such as "current," "CMMC status," "CMMC UID," "FCI," and "POA&M," ensuring consistency with the CMMC rule at 32 CFR 170.


New DFARS Clauses:

  • 252.204-7021 (Contractor Compliance with CMMC Level Requirements)

  • 252.204-7025 (Notice of CMMC Requirements)


Contracting officers must verify a contractor’s CMMC status in SPRS before making an award or extending a contract.


Why This Matters


Until now, DFARS 252.204-7012 required safeguarding covered defense information but did not provide a way for DoD to verify compliance before award. The new DFARS language closes that gap. Contracting officers are now prohibited from awarding contracts to companies that do not have the required CMMC status in SPRS.


For contractors, this means CMMC compliance is no longer optional or something that can be addressed later. It is now a condition of doing business with the Department of Defense.


The Scale of Impact


By year four, when the rollout is complete, an estimated 338,000 entities will be subject to the rule, including about 230,000 small businesses. Expected compliance statuses are projected as:


  • 62% Level 1 self-assessment

  • 2% Level 2 self-assessment

  • 35% Level 2 certification (third-party assessment)

  • 1% Level 3 certification (DIBCAC assessment)


DoD estimates the total cost to industry over 10 years at $255–$329 million, with government costs of about $11–$16 million. The annualized cost is roughly $38–$40 million.


Strategic Importance


The purpose of this rule is not simply regulatory. It provides DoD with the ability to verify cybersecurity compliance across its supply chain. This verification closes a long-standing gap that left sensitive defense information exposed.


The rule is also designed to strengthen national security. By enforcing CMMC compliance, DoD aims to reduce the risk of espionage, ransomware, and intellectual property theft. Malicious cyber activity has cost the U.S. economy hundreds of billions of dollars over the past decade. This rule is intended to reduce those losses while building greater resilience into the defense supply chain.


What Contractors Should Do Now


  1. Identify Your Level: If you handle only FCI, you will need CMMC Level 1. If you handle CUI, you will need Level 2 or possibly Level 3.

  2. Register in SPRS: Make sure your self-assessment scores and affirmations are posted and kept current.

  3. Engage Your Subcontractors: Confirm that subcontractors handling FCI or CUI also meet CMMC requirements.

  4. Use POA&Ms Carefully: Conditional status can buy time, but only for 180 days, and only with a valid plan in place.


Bottom Line


Starting November 9, 2025, defense contractors will begin transitioning into DFARS-based CMMC compliance. By November 10, 2028, every contract involving FCI or CUI will require proof of current compliance.


For contractors across the Defense Industrial Base, this is not just another regulation. It is now a fundamental condition of winning and keeping DoD business. Those who act early will be better positioned to compete, protect sensitive information, and support the mission.

