
Deciphering DFARS: CMMC Clause Rule Finalized!

The CMMC Clause Rule has been finalized and assigned an effective date of November 10, 2025! This will begin the process of making CMMC a requirement for U.S. defense contractors. Join us as we dig into the details of the final rule, identify the most significant implications for businesses, and review some of the sections we feel merit a callout!


TL;DR Version

  • CMMC requirements will begin appearing in contracts via selective implementation effective November 10, 2025.

  • The rule adds/modifies the following sections in DFARS:

    • DFARS 204.75 – Adds high-level policies and procedures for requiring CMMC in defense contracts

    • DFARS 212.301 – Updated so that commercial product and commercial service acquisitions apply DFARS 204.7504 (the implementation timeline for including CMMC in contracts) and prescribe DFARS 252.204-7025 in solicitations so respondents are notified of applicable CMMC requirements.

    • DFARS 217.207 – Specifies that, prior to exercising a contract option, the contractor must have a record in SAM, a CAGE code, and relevant information in SPRS (e.g., NIST SP 800-171 DoD Assessment result or CMMC status).

    • DFARS 252.204-7021 – Revised to include a fill-in specifying the CMMC Level required for the contract, as well as supplemental details regarding CMMC status designations and affirmation of continuous compliance.

    • DFARS 252.204-7025 – Inserts a new section entitled “Notification of Cybersecurity Maturity Model Certification Level Requirements (Nov 2025)” for inclusion in solicitations and contains a fill-in for specifying the required CMMC Level.

CMMC Clause Rule Finalized!

On September 10, 2025, the CMMC Clause Rule was finalized and published to the U.S. Federal Register as a Final Rule within the Defense Federal Acquisition Regulation Supplement (DFARS). This marks the culmination of nearly a decade of development and revision for the program.

The rule includes an effective date of November 10, 2025, officially kicking off implementation of the Cybersecurity Maturity Model Certification (CMMC) as a requirement for U.S. defense contractors.

Implications for Defense Contractors

Over the past several years—particularly over the last few months—businesses within the U.S. defense industrial base (DIB) have been wondering how they would be impacted by CMMC becoming a requirement for contractors and when it would go into effect.

It’s no wonder! While the underlying requirements have been in place for businesses handling Controlled Unclassified Information (CUI) on behalf of the Department of Defense (DoD) since 2017 (per DFARS 252.204-7012), the impending CMMC requirement means businesses will face extra scrutiny in terms of their cybersecurity practices.

This comes as an additional burden amidst a period of increased uncertainty—especially for small businesses—in the face of soaring material costs and global trade tensions. Therefore, it’s crucial for organizations in the DIB to understand what CMMC requirements mean for them and how to prepare.

Definitions

Before delving further, we have to begin with some definitions crucial for understanding how an organization’s compliance with CMMC is categorized and the legal basis for implementation.

CMMC Program Rule vs. CMMC Clause Rule

Within this article, we refer to both the CMMC Program Rule and the CMMC Clause Rule. We realize this can be confusing! For the sake of clarity, we use the terms in the following ways:

  • References to CMMC Program Rule relate to 32 CFR 170, which formally establishes the CMMC program and accreditation structure.

  • The CMMC Clause Rule refers to DFARS Case 2019-D041 and its modifications to 48 CFR Parts 204, 212, 217, and 252, which define the contractual mechanisms with which the DoD will require and enforce CMMC compliance.

CMMC Status Designations

When determining what being “compliant” means, it’s important to refer to the various CMMC Status designations (defined here in plain language for clarity).

Final Level 1 (Self): The organization is compliant with the 15 requirements of FAR 52.204-21 outlined in the CMMC Level 1 Self-Assessment Guide, has performed a self-assessment, and posted the results in SPRS.*

Final Level 2 (Self): The organization has achieved an assessment score of 110 out of the possible 110 through a self-assessment per the CMMC Level 2 Self-Assessment Guide and posted the results in SPRS.

Conditional Level 2 (Self): The organization has achieved an assessment score of at least 88 out of 110** through a self-assessment, posted the results in SPRS, and defined a Plan of Action & Milestones (POA&M) to close the remaining gaps within 180 days.

Final Level 2 (C3PAO): The organization has undergone an assessment by a CMMC Third-Party Assessment Organization (C3PAO), achieved an assessment score of 110 out of the possible 110, and received verification of compliance via its CMMC unique identifier (UID).

Conditional Level 2 (C3PAO): The organization has undergone an assessment by a C3PAO, achieved an assessment score of at least 88 out of the possible 110,** defined a Plan of Action & Milestones (POA&M), and will complete POA&M closeout with a C3PAO within 180 days.

Final Level 3 (DIBCAC): The organization has achieved Final Level 2 (C3PAO) status and undergone an assessment by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) demonstrating full implementation of the 24 additional requirements outlined in 32 CFR 170.14(c)(4).

Conditional Level 3 (DIBCAC): The organization has achieved Final Level 2 (C3PAO) status and undergone an assessment by DIBCAC demonstrating acceptable implementation of at least 20 out of the 24** additional requirements outlined in 32 CFR 170.14(c)(4).

* There is no “Conditional” status option for Level 1. ** The practices listed as ineligible for POA&M in 32 CFR 170.21(a) may not be assessed as unmet and still confer “Conditional” status.

With definitions out of the way, we can dive into the details… Are you having fun yet?

Effective Date & Requirement Rollout

Per the published rule, CMMC requirements will begin appearing in defense contracts starting on November 10th and may be included in new contracts, extensions, and renewals. However, this does not mean it will immediately be a requirement for all defense contracts.

While the DoD Chief Information Officer (CIO) website outlines a phased implementation plan for CMMC, the final CMMC Clause Rule reiterates the DoD’s intent to roll out CMMC requirements incrementally but does not itself lay out distinct phases.

Instead, rollout of the requirements will occur via selective inclusion of CMMC requirements into contracts “if the program office or requiring activity determines that the contractor is required to have a specific CMMC level” until November 9, 2028 (48 CFR 204.7504). From November 10, 2028 onward, CMMC requirements must be specified in all contracts under which FCI or CUI will be stored, processed, or transmitted via contractor information systems.

Per 32 CFR 170, the “DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award” beginning on the effective date of the CMMC Clause Rule (32 CFR 170.3(e)(1)). Put simply, this indicates self-assessments would be acceptable for CMMC Level 1 and Level 2 during initial rollout.

Certification Requirements Could Come Sooner Rather than Later

The same section of the CMMC Program Rule also permits the DoD to, “at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status…” and a memo from earlier this year states, “CMMC Level 2 (Certification) is the minimum assessment requirement when the planned contract will require the contractor (or subcontractors) to process, store, or transmit CUI categorized under the National Archives CUI Registry Defense Organizational Index Grouping” [emphasis & link added].

This appears to create a conflict with the intended incremental implementation. While the final CMMC Program Rule technically preserves the option for self-assessment, the implementation guidance memo does not explicitly carve out allowance for Level 2 self-assessment. This indicates defense contractors could be subject to Level 2 certification requirements from the beginning of implementation.

Practical Implications

Per the DoD’s impact assessment, nearly 120,000 organizations will need to achieve CMMC Level 2 certification by a C3PAO. However, as of this writing, there are only 81 authorized C3PAOs listed on the CyberAB Marketplace. As of the CyberAB Town Hall in August, fewer than 500 organizations had achieved Level 2 certification or were actively undergoing an assessment. In order to assess all organizations expected to require CMMC Level 2 certification, each C3PAO would have to complete at least 1,475 assessments before November 10th if the DoD were to assert the certification requirement from the memo.

From a practical perspective, performing that number of assessments in 50 working days is absurd, and it means the most likely outcome will be for the DoD to move forward with permitting Level 2 self-assessments. Nonetheless, taking into account the language of 32 CFR 170 and the aforementioned implementation memo, program managers may still elect to require Level 2 certification.

Regardless of whether a specific contract permits self-assessment or requires certification, companies must be prepared to demonstrate they’ve implemented the practices from NIST SP 800-171r2. Be ready to show compliance or, at the very least, active steps towards achieving compliance by November 10th.

Additional Callouts

During our in-depth review of the CMMC Clause Rule—which included pens, highlighters, vulgarities, and an obscene amount of coffee—we identified several other areas of interest which we believe merit recognition. They are broken down according to the sections of the final publication in which they appear.

Summary of Significant Changes from the Proposed Rule

  • §II.A.5 – Contractors will be required to provide their CMMC UID from SPRS along with proposals for solicitations with CMMC requirements (i.e., don’t wait for the contracting officer to ask).

  • §II.B.1(1–2) – The final rule removes the requirement for contractors to report system changes to a contracting officer unless a cybersecurity incident occurs. The DoD determined that existing mechanisms are sufficient (i.e., mandatory incident reporting per DFARS 252.204-7012 and annual self-attestation per the CMMC Program Rule).

  • §II.B.4 – Small businesses will not be exempt from CMMC requirements, despite comments citing the disproportionate financial impact on them. Program managers/contracting officers are required to make the CMMC requirement determination based on the contract, not on the bidder.

  • §II.B.7 – CMMC flowdown requirements are only applicable if subcontractors will store, process, or transmit CUI data on the subcontractor’s systems. Primes may choose to allow subcontractors to utilize their systems, though they maintain responsibility for compliance of those systems and the individuals utilizing them.

  • §II.B.17 – The definition of “current” CMMC status was revised to clarify that “Conditional” status is acceptable for contract award where CMMC Level 2 or Level 3 is required.

  • §II.B.27 – The DoD clarified that “adding new users to an existing system does not necessarily change the scope of a CMMC assessment.” While the specific topic was related to organizational mergers and acquisitions, this clarifies that minor changes (such as new users and/or devices) do not change the assessment scope as long as the same policies and processes are applied.

Additions & Revisions to DFARS Clauses

  • 48 CFR 204.7504(a) – This subsection, titled “Solicitation provision and contract clause,” specifies the implementation plan for requiring CMMC in contracts, as discussed above.

  • 48 CFR 217.207(c)(2)(i) – As expected, the “summary level score” for assessments must not be more than 3 years old. However, solicitations are permitted to specify a shorter timeframe (i.e., a more recent assessment).

  • 48 CFR 252.204-7021(a) – In the definition for Plan of action and milestones, this section specifies POA&Ms must align with NIST SP 800-115, which includes specification that remediation and mitigation should be formally tracked via change management processes (testing, approval, implementation, and documentation).

  • 48 CFR 252.204-7021(d) – This section includes a fill-in area where contracting officers must specify the required CMMC Level for a contract. It also reinforces CMMC flowdown requirements.

  • 48 CFR 252.204-7025 – Similar to 252.204-7021, this new clause is defined for notifying bidders of CMMC requirements in solicitations and includes a fill-in area where the contracting officer must specify the required CMMC Level for the solicitation.

Just for Fun

We found a couple of other areas within the comments and responses that we felt needed translation because they exemplify the palpable exhaustion on both sides of this process.

  • §II.B.9 – A respondent insisted the regulatory impact analysis was too low “given the time to familiarize 889 pages of instructions.”

    • Translation: “Do you realize how long it will take me to read all this??”

  • §II.B.20 – Referring to a question about whether task/delivery orders under existing indefinite-delivery indefinite-quantity (IDIQ) contracts will include CMMC requirements, the DoD response stated that the rule specifies “solicitations and contracts, task orders, or delivery orders” as in-scope and that “task orders or delivery orders issued after this rule takes effect may include a requirement for CMMC.”

    • Translation: “Did you not even read it??”

  • §II.B.23 – Regarding comments suggesting the DoD provide relief from CMMC demands in exceptional circumstances, the DoD response reiterated that the CMMC Clause Rule has no ability to implement an exception that is not included in the CMMC Program Rule.

    • Translation: “B####, that is not my job.”

  • §II.B.25 – In response to a request for prime contractors to be indemnified from subcontractor noncompliance, the DoD pointed out that the government is not responsible for establishing the terms of relationships between prime contractors and their subs.

    • Translation: “Not my problem. Get a lawyer.”

  • §II.B.28 – Responding to a comment that the DoD should clarify whether CMMC applies to CUI from non-DoD agencies, the DoD pointed out that the rule amends DFARS, which only applies to the DoD.

    • Translation: “I— 😐😑 *exasperated sigh*”

Next Steps for Defense Contractors

Now that we finally have an effective date for CMMC, defense contractors should make every effort to ensure they are compliant with CMMC at the level they anticipate being required to meet. While CMMC may not show up on your doorstep on November 10th, you don’t want to find yourself missing out on contract opportunities due to being unprepared.

As a CyberAB Registered Practitioner Organization (RPO), Triumvirate Cybersecurity works tirelessly to help our customers understand the CMMC requirements, implement the necessary controls, and demonstrate compliance with confidence. Contact us to schedule a free consultation and get on the road to compliance!

31 S. Main Street, Suite 390, Dayton, OH 45402

(937) 203-8443    CAGE: 9ZW92

© Triumvirate Cybersecurity 2026
