Cybersecurity Maturity Model Certification Finalized: Key Compliance Obligations for Defense Contractors

September 16, 2025

The Department of Defense (DoD) has finalized its long-anticipated Cybersecurity Maturity Model Certification (CMMC) program, according to an article by Michael T. Borgia, Andrew M. Lewis, and Jonathan A. DeMella of Davis Wright Tremaine LLP.

On September 9, 2025, the DoD issued the final Acquisition Rule incorporating CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS). This follows the 2024 Program Rule, which sets out CMMC’s substantive requirements. Together, these rules require contractors to obtain formal certification of their compliance with cybersecurity standards, most notably NIST SP 800-171.

The final Acquisition Rule takes effect on November 10, 2025. From that point, the DoD will phase in CMMC requirements over a three-year period, with full implementation expected by November 10, 2028. Contractors and subcontractors that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must achieve one of three certification levels.

Level 1 requires self-assessments of basic safeguarding practices. Level 2 aligns with NIST SP 800-171 and requires either self-assessments or accredited third-party reviews, depending on the information handled. Level 3 imposes the most stringent protections, including triennial assessments by the Defense Industrial Base Cybersecurity Assessment Center.

Failure to achieve certification will render contractors ineligible for DoD awards. The authors note that contractors must also ensure compliance across their supply chains and with external service providers, including cloud providers that meet FedRAMP or equivalent standards.

For compliance teams, although the underlying technical requirements are not new, the verification process is now mandatory. Contractors should baseline their systems against NIST standards, prepare for phased assessments, and confirm subcontractor readiness to avoid eligibility risks.

Stay on top of the latest news, solutions and best practices by reading Daily Updates from Today's General Counsel.