The Pentagon’s final DFARS rule implementing the Cybersecurity Maturity Model Certification (CMMC) takes effect on Nov. 10, 2025. Starting on that date, contracting officers can require a current CMMC status in solicitations and awards, making cybersecurity certification a condition of doing business with the Department of Defense.

DoD plans a phased rollout over three years. Early phases emphasize self-assessments, particularly for Level 1 and some Level 2 work – while later phases expand third‑party certifications at Level 2 and fully mature program requirements. The approach is intended to give small and midsize firms time to prepare and to scale assessor capacity.

At award time, contracting officers will check the Supplier Performance Risk System (SPRS). If a bidder does not have a c

See Full Page