The Department of Defense (DoD) recently published in the Federal Register its long-awaited final rule (the Rule) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to formally implement the Cybersecurity Maturity Model Certification (CMMC) program. The Rule, effective November 10, 2025, will move CMMC from a policy framework into binding contractual obligations for most defense contractors.

The Rule makes CMMC a condition of eligibility for most contract awards and continued performance, reinforced by annual affirmations of continued compliance from senior officials within the contractors’ organizations and flowdown obligations that extend across the supply chain. DoD has also adopted a two-phase implementation approach: during the first three years, program offices

See Full Page