Department of Defense Releases Long-Awaited DFARS Cybersecurity Final Rule for Government Contractors and Subcontractors
By Brett W. Johnson, Tony Caldwell, James P. Melendres, CJ Utter, Carrie Schaffer, and Emily Statham
On September 10, 2025, the Department of Defense (DoD) published its long-awaited final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program (the DFARS CMMC Final Rule). The DFARS CMMC Final Rule, which becomes effective on November 10, 2025, requires defense contractors and subcontractors to adhere to specific cybersecurity requirements based on the sensitivity of the information they handle. It also introduces a tiered compliance framework, including both self-assessments and third-party certifications, and requires contractors to maintain and affirm ongoing compliance to remain eligible for DoD contract awards.
With a phased rollout over three years, the DFARS CMMC Final Rule marks a significant shift in defense procurement — transforming CMMC compliance from a policy ideal to a binding contractual obligation for defense contractors and their supply chains. Although there is uncertainty about other socio-economic DFARS provisions that are part of an ongoing review to make government contracting more vendor-friendly to encourage more supplier competition (and potentially bring down contracting costs), the CMMC is a critical national security requirement. As such, any company that is acting as a government contractor at any tier should understand the Final Rule, evaluate the impact on existing operations, and contemplate updates to their cybersecurity programs to ensure compliance.
Background and History of CMMC
DoD developed the first iteration of its CMMC program in 2019. Before then, DoD contractors handling sensitive government information operated under an honor system, self-attesting to compliance with cybersecurity standards like NIST SP 800-171 and DFARS 252.204-7012. But widespread noncompliance and increasing cyber incidents led DoD to seek a more robust, verifiable approach to cybersecurity.
In September 2020, DoD published an interim rule formally introducing CMMC requirements and assessment mechanisms. The interim rule represented DoD’s initial vision for the CMMC program (CMMC 1.0) and outlined basic features of the framework: (1) a tiered model where requirements increase with the sensitivity of the data involved; (2) requirements for third-party assessments; and (3) a process for implementation through federal contracts and subcontracts. In response to industry feedback about the cost, complexity, and scalability of CMMC 1.0, DoD announced an updated CMMC program (CMMC 2.0) in November 2021.
Shortly thereafter, in December 2023, DoD introduced a proposed rule establishing CMMC 2.0’s structure, assessment levels, and scoping requirements. DoD finalized the CMMC 2.0 rule in October 2024 (the CMMC Final Rule). The CMMC Final Rule, which became effective on December 16, 2024, has been incorporated into regulation at 32 C.F.R. Part 170.
Under the CMMC Final Rule, DoD may confirm that a defense contractor or subcontractor has implemented and maintains security requirements for a specified CMMC level (Level 1, Level 2, or Level 3) and assessment type (self-assessment, third-party assessment, or government assessment) during the contract period. Snell & Wilmer previously discussed the contents of the CMMC Final Rule in an October 22, 2024 legal alert.
In August 2024, DoD published a proposed rule amending DFARS to incorporate requirements from the CMMC Final Rule into defense contracts. On September 10, 2025, DoD completed the process of amending DFARS by publishing its long-awaited DFARS CMMC Final Rule. The DFARS CMMC Final Rule creates the mechanism for CMMC 2.0 to be formally included in solicitations and contracts over a three-year period, with full applicability to all covered contracts by November 2028.
Applicability of the DFARS CMMC Final Rule
The DFARS CMMC Final Rule applies to all DoD contracts and subcontracts that involve the handling, processing, storage, or transmission of Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) by contractor information systems. This includes most DoD prime contracts and subcontracts, regardless of whether the acquisition is for commercial products or services. Importantly, the DFARS CMMC Final Rule does not affect contracts solely for the acquisition of commercially available off-the-shelf items.
Key Provisions of the DFARS CMMC Final Rule
The DFARS CMMC Final Rule introduces several notable changes and clarifications to the contract clauses set forth in the August 2024 proposed rule. These amendments reflect DoD’s effort to streamline compliance, reduce duplicative requirements, and provide greater clarity for both contractors and contracting officers.
1. Clarification of Key Definitions
The DFARS CMMC Final Rule revises and expands several definitions to align with the CMMC program and the Supplier Performance Risk System (SPRS). For example, the term “current” is now explicitly tied to ongoing compliance with 32 C.F.R. Part 170, clarifying that a CMMC status is only “current” if there have been no changes affecting compliance, including for conditional or final status and annual affirmations. The DFARS CMMC Final Rule also replaces “DoD unique identifier” with “CMMC Unique Identifier (UID),” a ten-character code assigned to each assessed system. It also adds formal definitions for FCI, “Plan of Action and Milestones (POA&M),” and “CMMC status.”
2. Conditional Certification
The DFARS CMMC Final Rule explicitly allows contractors to receive contract awards at CMMC Level 2 (C3PAO Assessment) and CMMC Level 3 (DIBCAC) with a “conditional” status for up to 180 days, provided they are actively closing out any outstanding items identified in their Plan of Action and Milestones (POA&M). This adjustment enables DoD programs to proceed with awards while setting a firm expectation for timely remediation.
3. Streamlined Reporting and Notification Requirements
The DFARS CMMC Final Rule removes several proposed requirements for contractors to notify contracting officers of “lapses in information security” or changes in CMMC certification status during contract performance. Instead, contractors must report only those cyber incidents specified in DFARS 252.204-7012. This change eliminates duplicative and potentially confusing reporting obligations, reducing administrative burden and aligning with existing DoD cyber incident reporting protocols.
4. Enhanced Procedures for Contracting Officers
The DFARS CMMC Final Rule introduces new procedural requirements for contracting officers, including the use of CMMC UIDs in the SPRS to verify contractor compliance for each information system that will process, store, or transmit FCI or CUI. Under the DFARS CMMC Final Rule, contracting officers must ensure that UIDs remain current throughout the contract lifecycle.
5. Subcontractor Flow-down and Affirmation Requirements
The DFARS CMMC Final Rule strengthens and clarifies the flow-down requirements for subcontractors. Like prime contractors, subcontractors that process, store, or transmit FCI or CUI must now submit their own affirmations of continuous compliance and self-assessment results in the SPRS. The rule also updates terminology, replacing “senior company official” with “affirming official” to match the CMMC program’s structure. The biggest impact here is in regard to the acquisition of commercial or commercial-off-the-shelf goods and services either directly or indirectly in support of a government contract. It is expected that a significant portion of the government supply chain will not be in compliance with the CMMC requirements and may need exceptions, waivers, or determinations of non-applicability based on the actual scope of work of the contract.
To limit liability, prime government contractors will likely blanket the CMMC requirements into lower-tier contracts regardless of applicability, and it will be the subcontractors who either need to comply with the contract provision or push back on its applicability. However, staying silent on the flow-down requirement due to a subjective belief about applicability will not excuse non-performance as to the CMMC, which is likely to be considered a material contract term. As such, companies should consider reviewing all contracts in support of the government to determine applicability and negotiating accordingly.
6. Updated Solicitation Requirements
Under the DFARS CMMC Final Rule, contracting officers must specify the required CMMC level (Level 1 (Self-Assessment), Level 2 (Self-Assessment), Level 2 (C3PAO Assessment), or Level 3 (DIBCAC)) in each contract clause. This ensures that contractors are clearly notified of the applicable CMMC level and assessment type for each solicitation and contract.
7. Phased Implementation
The DFARS CMMC Final Rule clarified the multi-year, phased implementation approach set forth in the proposed rule. From November 10, 2025, to November 10, 2028, solicitations and contracts will include the contract clause (DFARS 204.7504) whenever CMMC program managers or requiring activities decide to apply a CMMC requirement to contracts. Beginning on November 11, 2028, solicitations and contracts will include the contract clause if CMMC program managers or requiring activities determine that the contractor will be required to use contractor information systems in the performance of the contract, task order, or delivery order to process, store, or transmit FCI or CUI. Additional details of this phased implementation appear below.
- Phase 1 (November 10, 2025 – November 10, 2026) | CMMC Level 1 and CMMC Level 2 requirements will be included only in select solicitations and contracts, as determined by the CMMC Program Office.
- Phase 2 (November 10, 2026 – November 10, 2027) | Requirements for CMMC Level 2 (C3PAO) Self-Assessments will be more widely used in applicable DoD solicitations.
- Phase 3 (November 10, 2027 – November 10, 2028) | DoD will begin incorporating requirements for CMMC Level 2 (C3PAO) Assessments and CMMC Level 3 (DIBCAC) for highly sensitive programs.
- Phase 4 (November 10, 2028, onward) | All DoD contracts (except those solely for COTS items) that require the processing, storage, or transmission of FCI or CUI must include the appropriate CMMC Level as a condition of award.
Implications for Government Contractors and Subcontractors
The DFARS CMMC Final Rule represents a fundamental shift in how cybersecurity requirements are imposed, verified, and enforced across the DoD supply chain. Its impact on government contractors and subcontractors is broad, affecting eligibility for contract awards, day-to-day operations, and long-term business strategies.
Though the DFARS CMMC Final Rule’s phased implementation provides some time to adapt, DoD’s message is clear: robust, verifiable cybersecurity is now a non-negotiable requirement for doing business with DoD. To stay ahead of shifting requirements, government contractors and subcontractors may consider conducting self-assessments against the CMMC Level 1 and CMMC Level 2 assessment controls. They may also wish to review existing contracts and future solicitations carefully to ensure they understand their obligations, including affirmation and SPRS reporting requirements. If the contract scope of work does not match the CMMC flow-downs because the agency or the prime contractor simply flowed all terms down, contractors at any tier should evaluate their negotiating position to either eliminate or minimize the requirements that do not apply to the narrower scope of work. Contractors may consider mapping their supply chains to ensure visibility into all subcontractors’ and vendors’ CMMC statuses and SPRS reporting histories. Contractors should also develop applicable policies and procedures (including any necessary training) as CMMC requirements become applicable to government contract performance.
About Snell & Wilmer
Founded in 1938, Snell & Wilmer is a full-service business law firm with more than 500 attorneys practicing in 17 locations throughout the United States and in Mexico, including Los Angeles, Orange County, Palo Alto and San Diego, California; Phoenix and Tucson, Arizona; Denver, Colorado; Washington, D.C.; Boise, Idaho; Las Vegas and Reno-Tahoe, Nevada; Albuquerque, New Mexico; Portland, Oregon; Dallas, Texas; Salt Lake City, Utah; Seattle, Washington; and Los Cabos, Mexico. The firm represents clients ranging from large, publicly traded corporations to small businesses, individuals and entrepreneurs. For more information, visit swlaw.com.