DFARS Final Rule on CMMC: What It Means for Federal Contractors

The Defense Acquisition Regulations System has issued a final DFARS rule integrating the Cybersecurity Maturity Model Certification (CMMC) program into DoD contracting, effective November 10, 2025. The rule formally ties contract eligibility to verifiable CMMC status recorded in the Supplier Performance Risk System (SPRS) and partially implements Congress’s 2020 directive for a consistent, comprehensive cybersecurity framework across the defense industrial base.

At a high level, the rule makes CMMC a condition of award rather than a scored evaluation factor. Offerors will be ineligible for award if they lack a current CMMC status in SPRS at the level required by the solicitation, along with a current affirmation of continuous compliance for each information system that will process, store, or transmit federal contract information (FCI) or controlled unclassified information (CUI) in performance. Offerors must also submit the CMMC unique identifiers (UIDs) for those systems with their proposals and keep them current.

The rule clarifies key definitions and data elements that operationalize compliance. DFARS now defines “CMMC status,” aligns the “CMMC unique identifier (UID)” with SPRS conventions, and imports the FAR 52.204-21 definition of FCI to provide consistent scoping across clauses. These definitional clarifications matter because contracting officers must check SPRS and cannot make award if the required, current status is not posted for each UID covering systems used on the contract.

Two policy features are especially consequential for planning. First, the rule recognizes a limited “conditional CMMC status” for Levels 2 and 3 that allows award for up to 180 days after the conditional date, providing a structured pathway to finalize requirements while work begins. Final CMMC status is reached upon successful closeout of a valid plan of action and milestones (POA&M). Second, it codifies a phased roll-out. For the first three years after the effective date, program offices may choose whether to apply CMMC to a given contract (excluding COTS buys). After three years and one day, CMMC will be prescribed whenever contractor information systems used in performance will process, store, or transmit FCI or CUI, again excluding COTS. This both sets a firm horizon for universal applicability and preserves near-term discretion to manage readiness.

The solicitation provision and clause now explicitly incorporate CMMC level terminology—Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), and Level 3 (DIBCAC)—and add a clause fill-in for the required level. Importantly, program offices (not contracting officers) determine the level consistent with 32 C.F.R. part 170 and DoD policy. This aligns decision-making with mission risk and keeps acquisition procedures consistent across buying activities.

For supply chains, the final rule narrows and clarifies flowdown. CMMC is required at all tiers only when a subcontract or other instrument requires the subcontractor to process, store, or transmit FCI or CUI; the clause no longer excludes the subcontractor’s obligation to post affirmations of continuous compliance and self-assessment results in SPRS. In practice, primes must assess what information actually flows to each subcontractor and apply the appropriate CMMC level and documentation expectations accordingly.

The compliance architecture emphasizes ongoing accountability. Beyond achieving an initial status, contractors must maintain annual affirmations by an “affirming official” in SPRS for each CMMC UID and update postings whenever status changes. Contracting officers must verify current status before award, and the rule anticipates similar checks at other lifecycle points, reinforcing that compliance persists for the life of the contract.

From a market-impact perspective, DoD estimates the rule will touch roughly 338,000 unique entities—including primes and an assumed five subcontractors per offer—with about 68 percent being small entities. By year four, DoD expects most entities to sit at Level 1 self-assessment, with a significant share at Level 2 certificate, reflecting the distribution of CUI risk across programs. These projections underscore the breadth of the forthcoming compliance lift and the need for early investment in controls, documentation, and SPRS hygiene.

For federal government contractors, the significance is clear. CMMC is moving from policy promise to contractual gatekeeper, and eligibility will turn on what is posted—accurately and continuously—in SPRS for every system used on a contract. While a short conditional window can de-risk award timing, the three-year phase-in and clarified flowdown rules give organizations a runway to right-size levels by scope, align primes and subs on UIDs and affirmations, and institutionalize compliance as an enduring performance obligation rather than a one-time box check.

Disclaimer: This summary is for general information only and is not legal advice. It is based solely on the Federal Register final rule text and may omit nuances relevant to specific contracts; readers should review the rule and consult counsel for guidance on particular circumstances.