The Department of Defense (DoD) issued a final rule on September 10, 2025, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate the contractual requirements of the Cybersecurity Maturity Model Certification (CMMC) program, as directed by the National Defense Authorization Act for FY 2020, to enhance cybersecurity across the US defense industrial base. The final rule is effective November 10, 2025.
What Are the Changes to the CMMC Program?
The final rule aligns the DFARS with the CMMC program rule in 32 CFR part 170 (see our article on the Final Rule on the CMMC Program). It adds a new solicitation provision, DFARS 252.204-7025, Notice of Cybersecurity Maturity Model Certification Level Requirements, and updates the contract clause DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements, as discussed below.
CMMC Levels
There are three levels. Level 1 applies to contractors that handle Federal Contract Information (FCI). Level 2 and Level 3 apply to government contractors and subcontractors that handle FCI and Controlled Unclassified Information (CUI); the solicitation specifies which level, and which type of assessment, a given contract requires. The three levels and the assessment each requires are as follows:
- Level 1 – Annual self-assessment against the 15 requirements in FAR 52.204-21
- Level 2 – Self-assessment or Certified Third Party Assessment Organization (C3PAO) assessment against the 110 requirements in NIST SP 800-171 Rev 2, using the assessment procedures in NIST SP 800-171A
- Level 3 – Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment – requires a Final Level 2 C3PAO status as a prerequisite, plus assessment against 24 selected requirements from NIST SP 800-172
CMMC will be phased in over the next three years. Contracting Officers will begin including CMMC requirements in solicitations on November 10, 2025. Before awarding a contract, task order, or delivery order, Contracting Officers must verify in the Supplier Performance Risk System (SPRS) that the offeror holds a current CMMC status at the required level.
What Do Government Contractors Need to Do?
Government contractors must have a System Security Plan (SSP) in place for each information system that will process, store, or transmit FCI or CUI in performance of the contract, conduct the Level 1 or Level 2 self-assessment, as applicable, and enter the results in SPRS for each of those systems. For Level 2 C3PAO and Level 3 DIBCAC assessments, the assessor enters the results into the CMMC Enterprise Mission Assurance Support Service (eMASS), which transfers the CMMC status to SPRS. A Level 1 self-assessment must be repeated annually; Level 2 and Level 3 statuses are valid for three years. At every level, contractors must also submit an annual affirmation in SPRS, completed by an "affirming official," attesting to continuing compliance.
What if We Can’t Get the Required CMMC Level Completed Before the Award?
Contracting Officers may award to a contractor holding a Conditional CMMC status for a Level 2 self-assessment, a Level 2 C3PAO assessment, or a Level 3 DIBCAC assessment. Conditional status requires a documented plan of action and milestones (POA&M) for the open requirements, and the POA&M must be closed out within 180 days of the assessment; if it is not, the Conditional status expires. Two caveats: there is no Conditional status at Level 1, and a POA&M is only permitted when the contractor meets a minimum score (88 of 110 at Level 2) and none of the open items are on requirements that 32 CFR 170.21 excludes from POA&Ms.
What About Subcontracts?
The DFARS provision 252.204-7025 and clause 252.204-7021 are required flowdowns for subcontracts that will process, store, or transmit FCI or CUI. Before awarding such a subcontract, the prime contractor must confirm that the subcontractor has a current CMMC status at the level the prime's contract requires. Because a prime contractor cannot view another entity's CMMC status in SPRS, it will need to obtain a copy of the certification or ask the subcontractor for a screenshot of its SPRS CMMC status and its current annual affirmation. Subcontracts solely for commercially available off-the-shelf (COTS) items are exempt from CMMC requirements.
Key Takeaways
Government contractors should review their contracts and solicitations to determine the CMMC level that is required. At a minimum, a contractor that will process, store, or transmit FCI or CUI on its systems needs to complete the Level 1 or Level 2 self-assessment, as applicable, enter the results in SPRS, and submit the annual affirmation. If you are aware of contracts that will require a Level 2 C3PAO assessment, start that assessment as soon as possible: C3PAO assessments can take several months, and the limited number of authorized C3PAOs has created a backlog. Under the phase-in schedule in 32 CFR 170, Level 2 C3PAO requirements are planned to begin in Phase 2 (one year after the effective date) and Level 3 in Phase 3, but DoD may include Level 2 C3PAO requirements in solicitations earlier at its discretion, so it is not certain when a given solicitation will carry them.
Government contractors should evaluate their subcontracts to ensure subcontractors have, or will obtain, the required CMMC status before the subcontract is awarded. Some subcontractors may conclude that they cannot meet the requirements, in which case you may need to find alternate sources.
Government contractors also need to consider mergers, acquisitions, and newly established divisions: any entity or information system that will process, store, or transmit FCI or CUI will need its own CMMC assessment at the appropriate level before it begins handling that information.
Support for Cybersecurity Readiness and Compliance
Redstone GCI assists government contractors in understanding and applying the cybersecurity requirements associated with CMMC and DFARS. We work with experienced partners who provide penetration testing, incident response support, security assessments, and POA&M development and resolution. Redstone GCI’s team of experts also helps contractors address cybersecurity policy requirements, subcontractor flow-down considerations, and purchasing system expectations related to safeguarding FCI and CUI. Our compliance professionals provide guidance on DFARS and NIST requirements, internal controls, and policy and procedure development to help contractors maintain a compliant and well-structured cybersecurity framework.

Lynne is a Director with Redstone Government Consulting, Inc., providing government contract consulting services to our clients, primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years.
Professional Experience
Lynne began her career with DCAA in the Honeywell Resident Office, Clearwater, FL, in 1984. Her experience included various positions conducting or reviewing forward pricing proposal and rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims, and disclosure statement reviews. She is an expert in FAR, DFARS, and CAS and has testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. As a Regional Technical Specialist, she provided guidance to 20 field offices on highly complex or technical issues relating to forward pricing, financial capability, and progress payments. As an Assistant for Quality, she reviewed audit reports for compliance with policy and GAGAS and delivered NASBA-certified presentations to staff on topics including billing reviews, CAS, unallowable costs, and progress payments. To broaden her experience in government contracting, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group, where she reviewed prime contractors' assertions and commercial item determinations and performed price analyses. Lynne was a project lead and later a lead analyst, engaging with the buying commands on requests and reviewing price analyses performed by a team of five analysts. She also assisted the DCMA CPSR team on commercial items and co-instructed the Commercial Item Training presented to DCMA.
Education
Lynne earned a Bachelor of Science Degree in Accounting from the University of Central Florida.
Certifications
- State of Florida Certified Public Accountant
- State of Alabama Certified Public Accountant
- Defense Acquisition Workforce Improvement Act (DAWIA) Level III – Auditing
- DAWIA Level III – Contracting