- What happened: The U.S. Department of Defense (DoD) has officially published the long-awaited final rule integrating the Cybersecurity Maturity Model Certification (CMMC) framework into the Defense Federal Acquisition Regulation Supplement (DFARS) under 48 CFR Parts 204, 212, 217 and 252 in the Federal Register. The rule was published on September 10, 2025, and comes into effect on November 10, 2025.
- Why it matters: This marks a pivotal moment in the evolution of cybersecurity compliance across the Defense Industrial Base (DIB). CMMC is no longer just a framework – it’s a contractual requirement for any company currently working or planning to work with the DoD.
- What DoD contractors should do now: We recommend an immediate assessment of cybersecurity practices for compliance with the CMMC’s level that is most appropriate for the type of data handled, and a strategic road map for achieving and maintaining the necessary level.
Learn More:
The CMMC framework was first introduced in 2017 amid concerns that cyber threats pose significant risks to national security and the U.S. economy. The intent behind it is to provide a verified cybersecurity baseline for DoD contractors and subcontractors,[i] ensuring that Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) is protected across the government supply chain.
The new rule resolves this long CMMC evolution with the following actions:
- Codifies CMMC into DFARS: DFARS Clause 252.204-7021 is now mandatory, formalizing cybersecurity in applicable contracts.
- Authorizes Enforcement: Contracting officers are expected to include and enforce CMMC certification requirements for all solicitations and awards.
- Mandates Annual Affirmation: Contractors must affirm their compliance with the framework annually in the Supplier Performance Risk System (SPRS).
- Mandates self-assessment or third-party certification depending upon the contract: CMMC Level 2 now requires either self-assessment or third-party certification via an accredited certified third-party assessment organization (C3PAO), and Level 3 requires a government-led assessment.
- Reinforces accountability at all tiers: The rule also supports compliance with the False Claims Act, Supplier Performance Risk System (SPRS) reporting, and subcontractor flowdown requirements, so that primes and subcontractors at every tier are accountable for their cybersecurity posture.
Three Levels of Certification
The rule defines three levels of cybersecurity that companies must achieve if they want to contract with the DoD, each building upon the previous one.
Level 1: Foundational
This level is for contractors that handle FCI only, not classified or sensitive information. It requires compliance with 17 specific security controls, which include ensuring that only authorized users have access to systems and limiting access to necessary functions only. Companies can self-assess at this level and provide an affirmation by a company executive.
Level 2: Advanced
This level is for contractors that handle CUI and encompasses 110 controls from NIST SP 800-171. Among the more robust security measures it requires are regular risk assessments and incident response planning. Companies at this level must also develop and maintain a system security plan (SSP) that outlines how they will meet the necessary security requirements. Certification at this level is through a triennial third-party assessment for critical national security information and an annual self-assessment for non-critical programs.
Level 3: Expert
The highest level of security, Level 3, focuses on protecting CUI from advanced persistent threats (APTs). Organizations at this level must comply with all Level 1 and Level 2 requirements, and they must also have advanced security measures, including continuous monitoring, vulnerability scanning and employing a formal risk management strategy. Certification at this level is through government-led assessments (i.e., by the Defense Industrial Base Cybersecurity Assessment Center).
A 60-Day Countdown Starts Now
The effective date of the rule is 60 days from the September 10 publication date, or November 10, 2025, after which a phased rollout will begin for all new contracts. Companies unable to meet the requirements will not be awarded new contracts or renewal of existing contracts.
Phase 1: Year One (Starting November 10, 2025)
In the first year the rule will apply selectively to certain contracts where the program office or requiring activity determines it’s necessary. The focus is on high-risk contractors likely to handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). Approximately 1,100 small entities are estimated to be affected in Year One, with much discretion given to the DoD contracting officer.
Phase 2: Year Two (starting November 10, 2026)
More contracts will begin to include CMMC requirements in Year Two, especially those involving sensitive data. Contractors will face increased readiness expectations and will need to demonstrate compliance earlier in the acquisition lifecycle. The estimated impact is on approximately 5,500 entities.
Phase 3: Year Three (starting November 10, 2027)
CMMC will see broad adoption and will be a requirement for a wide range of contracts, including those using FAR Part 12 procedures for commercial products and services (excluding commercial off-the-shelf, or COTS). Contractors must affirm compliance annually and submit CMMC Unique Identifiers (UIDs) for each system handling CUI/FCI. The estimated impact is on approximately 18,500 entities.
Post-Rollout: Year Four and Beyond (Starting November 10, 2028)
Following the three-year rollout, full enforcement is expected: CMMC requirements will apply to all contracts where contractor systems process, store or transmit CUI or FCI. The only exception is for contractors providing purely commercial items: unless the contract is for COTS items purchased under commercial terms, CMMC applies. The estimated impact is on approximately 337,000 entities, including 230,000 small businesses.
What Contractors Must Do Now
We urge chief compliance officers (CCOs), chief information security officers (CISOs) and other relevant stakeholders to convene on the new rule immediately and focus on the following:
- Assess Data Exposure: Determine whether your organization handles Controlled Unclassified Information (CUI), Federal Contract Information (FCI) or Covered Defense Information (CDI) to identify your required CMMC level. This classification directly determines whether you need Level 1, 2 or 3 certification. Be sure to document where and how this data is stored, transmitted and processed.
- Conduct a Gap Analysis: Evaluate your cybersecurity posture against NIST SP 800-171 (for CUI) or FAR 52.204-21 (for FCI) to identify any deficiencies. Use a structured approach, such as a control-by-control checklist, to map current practices against the required standards and flag areas needing remediation.
- Remediate and Prepare: Close gaps and prepare documentation for certification or self-assessment. This includes implementing missing controls, updating policies and procedures, and compiling evidence (e.g., system security plans and Plans of Action and Milestones (POA&Ms)) to support your compliance claims.
- Affirm Compliance in SPRS: Ensure your affirming official submits the required attestation annually in the Supplier Performance Risk System (SPRS). Keep your SPRS score current and accurate, as DoD contracting officers use it to evaluate your eligibility for contract awards.
- Continuous Improvement: Moving forward, set up processes and a strategic road map to periodically review, enhance and mature the organization's security practices, including its security culture, to ensure continued eligibility for DoD participation.
Final Thoughts
The arrival of the CMMC rule should not be a surprise for companies in the defense industrial base given the rule’s long evolution over at least two administrations. The very short 60-day period before it comes into effect and the high level of discretion given to contracting officers on when to enforce it places it in a stark light and should prompt businesses to act immediately to achieve the appropriate level of certification or risk losing eligibility for future DoD contracts.
How Protiviti Can Help
Protiviti’s AI-Enabled CMMC Practice offers a comprehensive suite of services for clients in the Defense Industrial Base. We have a large, global Security & Privacy practice with over 1,000 practitioners covering a full suite of CMMC services, and AI-enabled accelerators and automated tools to power your CMMC readiness and help you pass third-party assessments. To learn more, visit our CMMC services page or contact us.
[i] According to 32 CFR Part 170 and the CMMC Final Rule, any entity that processes, stores or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on unclassified information systems in the performance of a DoD contract or subcontract is considered a contractor or subcontractor subject to CMMC requirements. This includes prime contractors directly awarded DoD contracts, subcontractors at any tier who receive FCI or CUI from a prime contractor, and commercial item providers, except those supplying purely COTS (Commercial Off-The-Shelf) items.