Pentagon Announces Final Rule Implementing CMMC, Effective November 10, 2025

Client Alert CMMC

On September 9, 2025, the Department of Defense (DoD) released its long-anticipated final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program. After several years of proposals, public comments, and interim measures, the DoD has now solidified the framework for its revamped CMMC program. The goal: ensure contractors in the Defense Industrial Base (DIB) properly protect sensitive information, particularly Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), while clarifying legal obligations, streamlining processes, and providing a phased implementation.

The final rule introduces a phased, three-year implementation period that begins on November 10, 2025. At a basic level, the CMMC program replaces the current self-assessment model for certifying cybersecurity readiness with a third-party verification model, under which most defense contractors handling CUI will be required to pass a cybersecurity assessment by a “third-party assessment organization” (C3PAO).

Key Takeaways for DoD Contractors:

  • Phased Implementation – Contracting officers can begin including CMMC requirements in solicitations and contracts beginning November 10, 2025, but this will be a phased rollout and not all contracts and solicitations will contain CMMC clauses as of this date. The majority of solicitations and contracts will not initially require third-party assessments. So when should contractors complete their third-party assessment and certification?
    • This depends on your business’s perspective on risk and opportunity cost. Prime contractors will apply pressure on their subcontractors to become certified, regardless of the immediate presence of CMMC clauses early on in the phased implementation of the rule. Becoming certified may not be immediately required for compliance during the first year of implementation, but it will provide a competitive advantage.
  • Subcontractor Management – Higher-tier contractors must confirm that their subcontractor has a “current CMMC status” at the level “appropriate for the information that is being flowed down to the subcontractor” prior to subcontract award. Prime contractors will be responsible for the compliance of subcontractors.
  • Affirming Official – The final rule uses the term “affirming official” to describe the individual whom the contractor designates to provide the annual attestation of CMMC compliance. This is consistent with the Title 32 CMMC Program rule, and replaces the previous term “senior company official.” Contractors should consider carefully which employee will serve in this role, which carries a risk of personal liability in the event of a false or misleading compliance affirmation.
  • False Claims Act Risk – Contractors will be required to certify that there have been no “changes in compliance” following formal certification, which will likely be one of the most perilous traps for inattentive contractors that fail to appropriately monitor their CMMC compliance following certification. The DOJ’s Cyber Fraud Initiative will likely gain momentum as CMMC requirements increasingly show up in contracts.

Recommendations for Competitiveness and Compliance:

  • Level of Certification – Contractors should determine the level of certification they should obtain to remain competitive for contracts based on the awards for which they wish to compete. Contractors should review their current contracts with legal counsel to determine the level of certification that will likely apply to them.
  • Subcontractor Scoping – Contractors should also review subcontractor agreements to determine if their subcontractors will be in compliance with CMMC requirements. Again, prime contractors will be responsible for the compliance of subcontractors.
  • Schedule C3PAO Certification Assessment – Contractors should schedule their CMMC C3PAO assessment as soon as possible if they have not already done so, as availability of C3PAOs is limited due to demand for these assessments. As CMMC requirements begin to appear in contracts, uncertified contractors will lose opportunities and jeopardize relationships with primes.
  • Engage Counsel for Data Protection and Compliance Assessment – Engage legal counsel to conduct a privileged data protection assessment to determine the contractor’s ability to meet CMMC requirements, while shielding the findings of the assessment from disclosure during an investigation or litigation. Contractors that do not require a Level 2 C3PAO assessment should be sure to schedule this self-assessment through counsel to ensure accurate self-assessment scores are submitted to the Government.
  • Incident Reporting – Do not ignore the other cybersecurity requirements found in the DFARS, including the cyber-incident reporting requirements of DFARS 252.205-7012. To comply with DFARS 7012, defense contractors must report cyber incidents within 72 hours of discovery and must preserve images of affected systems. Notably, the CMMC proposed rule incorporated this 72-hour reporting requirement, but the final rule dispensed with it, noting reliance on the requirements already found in DFARS 7012.

Gentry Locke Attorneys