The Department of Defense (DOD) has finalized its long-anticipated rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program. Effective Nov. 10, 2025, this rule marks a pivotal shift in how cybersecurity compliance is assessed and enforced across the defense industrial base (DIB). While the rule applies broadly to all DOD contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), it also places a distinct burden on prime contractors to ensure their subcontractors meet the same standards.
What is CMMC?
CMMC is the DOD’s standardized framework for assessing and verifying the cybersecurity practices of contractors and subcontractors within the DIB. Its primary goal is to ensure that companies handling FCI or CUI have appropriate safeguards in place to protect sensitive data from cyber threats. CMMC introduces a tiered model, Levels 1 through 3, each corresponding to an increasing level of cybersecurity maturity and rigor. Depending on the type of information a contractor handles, it may be required to undergo a self-assessment, a third-party assessment or a government-led assessment. CMMC transforms cybersecurity from a best practice into an explicit contractual obligation. Baker Tilly’s dedicated CMMC specialists are here to help you navigate this evolving landscape, offering guidance, tailored strategies and hands-on support to ensure your organization meets compliance with confidence and clarity.
How does this new rule finally implement CMMC?
The CMMC framework is governed by two distinct but interrelated rules: the Program Rule and the DFARS Rule. Together, they establish both the structure of the CMMC program and its integration into DOD contracts.
The Program Rule, codified at 32 C.F.R. Part 170, lays out the foundational requirements of the CMMC framework. It defines the certification levels (Levels 1, 2 and 3), the assessment types (self-assessments, third-party assessments and government-led assessments), and the roles of affirming officials and assessors. It also confirms the underlying standards for protecting FCI (the 15 basic safeguarding requirements of FAR 52.204-21) and CUI (the 110 requirements of NIST SP 800-171 Rev. 2, plus a selected set of NIST SP 800-172 requirements at Level 3), and sets expectations for continuous compliance, including annual affirmations and the use of the Supplier Performance Risk System (SPRS) to record assessment results. The Program Rule became effective Dec. 16, 2024, but CMMC did not become fully operational at that point because, without a corresponding DFARS clause, it was not yet a contractual requirement.
The DFARS Rule, published on Sept. 10, 2025 and effective Nov. 10, 2025, amends the Defense Federal Acquisition Regulation Supplement to implement the Program Rule within the DOD acquisition process. It introduces a mandatory solicitation provision, DFARS 252.204-7025 (Notice of Cybersecurity Maturity Model Certification Level Requirements), and a mandatory contract clause, DFARS 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements), that together require contractors and subcontractors to hold a current CMMC status and submit affirmations of compliance. This rule is what makes CMMC enforceable in solicitations and contracts, ensuring that cybersecurity standards are not merely aspirational but contractual obligations for both the prime and the subcontractor.
What the CMMC final rule requires
The CMMC final rule codifies contractual obligations for CMMC compliance at various levels, Level 1 (Self), Level 2 (Self or Certified Third-Party Assessor Organization (C3PAO)), and Level 3 (assessed by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)), depending on the sensitivity of the information handled. Contractors must have a current CMMC status posted in SPRS and submit affirmations of continuous compliance. These requirements apply not only at the time of award but throughout the life of the contract.
Compliance with CMMC requirements
When DFARS 252.204-7021 begins appearing in contracts, it will require the following:
- Achieving the required CMMC level at time of award
The contracting officer will have an obligation to identify the CMMC level required. The options that can be selected include:
| CMMC level | Assessed by | When used |
| --- | --- | --- |
| CMMC Level 1 (Self) | Contractor self-assessment | The contractor only handles (stores, processes or transmits) FCI, and no CUI, within its contractor information systems. |
| CMMC Level 2 (Self) | Contractor self-assessment | The contractor handles CUI within its contractor information systems, but the contracting officer deems the nature of the services lower risk, or the award falls within the first year (Phase 1) of the CMMC adoption timeline prescribed by the DOD. |
| CMMC Level 2 (C3PAO) | Certified Third-Party Assessor Organization | The contractor handles CUI within its contractor information systems. Except for a select few contracts designated by the contracting officer, which are likely to involve more sensitive information, this will not be required during Phase 1 (prior to Nov. 10, 2026) but is expected in the following phases (see phases below). |
| CMMC Level 3 (DIBCAC) | DCMA DIBCAC (government-led assessment) | The contractor handles (stores, processes or transmits) CUI that the DOD deems most sensitive within its contractor information systems. A final Level 2 (C3PAO) status is a prerequisite for a Level 3 assessment. |
- Maintain the required CMMC level for the period of performance
The contractor is obligated to maintain the CMMC level. If a contractor’s certification (Level 2 C3PAO or Level 3 DIBCAC) expires during the contract, the contractor must renew it at or above the level required. Failure to renew could result in standard contractual remedies as determined by the contracting officer.
- Only store FCI or CUI in the systems subject to assessment
The contractor is obligated to ensure that FCI and CUI are only stored in the systems that were defined as part of the scope for the assessment. Each assessment is tracked under a CMMC Unique Identifier (UID), which the contracting officer can tie back to the assessed scope.
- Annual affirmation from the affirming official
The affirming official is a senior-level representative of the company who completes an affirmation stating that the company has implemented, and will maintain implementation of, all CMMC security requirements applicable to its CMMC status for all information systems within the relevant CMMC assessment scope.
When can we anticipate CMMC to impact us?
The DOD indicated that CMMC would be implemented using a phased approach, with Phase 1 starting on the effective date of the DFARS Rule and each subsequent phase beginning one calendar year after the previous one. The phases were defined as follows:
- Phase 1 (begins Nov. 10, 2025)
Level 1 (Self) or Level 2 (Self) for all applicable solicitations and contracts as a condition of award, unless the DOD elects to require Level 2 (C3PAO) instead. The DOD may also include Level 1 (Self) or Level 2 (Self) on option years of prior contracts. The C3PAO option is expected to be rarer during this phase and to apply to contracts the DOD views as more sensitive. One example is Golden Dome for America, for which a Pentagon memo stressed the importance of supply chain risk management. It is inferred that Level 3 (DIBCAC) will not be an option during Phase 1.
- Phase 2 (begins Nov. 10, 2026)
The DOD will continue to include Level 1 (Self) for contracts handling FCI only. For contracts handling CUI, the DOD intends to include Level 2 (C3PAO) as a condition of award. However, the DOD may, at its discretion, delay the Level 2 (C3PAO) requirement to an option year; it is assumed that, if delayed, a Level 2 (Self) requirement would apply in the interim. Alternatively, if the DOD elects, it may include Level 3 (DIBCAC) in certain contracts.
- Phase 3 (begins Nov. 10, 2027)
The DOD will continue to include Level 1 (Self) for contracts handling FCI only. For contracts handling CUI, the DOD intends to include Level 2 (C3PAO) as a condition of award. Alternatively, if the DOD elects, it may include Level 3 (DIBCAC) in certain contracts as a condition of award or of option years.
- Phase 4 (begins Nov. 10, 2028)
The DOD will continue to include Level 1 (Self) for contracts handling FCI only. For contracts handling CUI, the DOD will include Level 2 (C3PAO) as a condition of award and of options. If the DOD elects, based on the nature of the contract and the sensitivity of the CUI handled, it may include Level 3 (DIBCAC) as a requirement.
It is important to remember that Self versus C3PAO only indicates who performs the assessment. It does not mean that the CMMC practices do not need to be fully implemented. Level 2 Self and C3PAO assessments both allow a Plan of Action and Milestones (POA&M) for a limited set of open requirements (resulting in a conditional status), but the POA&M must be closed out, and verified, within 180 days or the conditional status lapses. Level 1 does not permit a POA&M at all; every requirement must be met at the time of assessment.
Subcontractor flow down and monitoring: A critical component
Many contractors believe CMMC is solely an IT or cybersecurity item to address. However, the CMMC requirements include a number of significant obligations that will impact contracting and subcontracting teams. One of the most consequential implications of the CMMC program for prime contractors is the requirement to flow down CMMC obligations to all subcontractors. CMMC will require the following from your contracting and subcontracting teams:
- Determine the CMMC level required of each subcontractor
Unless the DOD directs otherwise, 32 CFR 170.23 allows prime contractors to determine the requirements that apply to their subcontractors based on the information the subcontractor will handle. If a subcontractor will only handle (process, store or transmit) FCI, the prime contractor can require Level 1 instead of Level 2. If a subcontractor will handle CUI, the prime contractor must require at least CMMC Level 2, with a Self or C3PAO assessment matching the prime contractor’s own obligation. If the prime contractor has a CMMC Level 3 obligation, it must require at least CMMC Level 2 with a C3PAO assessment from subcontractors handling CUI.
- Confirm subcontractor status at the time of award
The prime contractor is obligated to ensure that, at the time of subcontract award, the subcontractor can demonstrate compliance with the required CMMC level and assessment type. For instance, if the prime contractor determines that a subcontractor will handle CUI and must hold a CMMC Level 2 self-assessment, the prime contractor must confirm that status, either through a written confirmation from the subcontractor or through supporting documentation, such as the associated SPRS record, that corroborates the subcontractor’s compliance.
- Monitor subcontractor status for the period of performance
The prime contractor is also obligated to ensure that its subcontractors and suppliers remain compliant with the CMMC requirements. If a subcontractor must hold a CMMC Level 2 certification from a C3PAO and that certification expires during the period of performance, the prime contractor must ensure a subsequent certification is obtained. This also applies to conditional certifications: if a subcontractor has achieved a conditional Level 2 status, the prime contractor must confirm that the conditional status is converted to final by satisfactorily closing the POA&M items within the 180-day window.
- Obtain annual subcontractor affirmations
DFARS 252.204-7021 requires prime contractors to ensure that subcontractors and suppliers complete and maintain an annual affirmation issued by their affirming official. Again, this will most likely take the form of a confirmation from the subcontractor but may also include requested supporting evidence.
The new CMMC rule is not just a compliance checkbox — it’s a strategic imperative. Prime contractors must now act as cybersecurity stewards both for their own systems and across their supply chains, ensuring that every link is secure. With the rule’s phased implementation and increasing scrutiny, proactive management of both your own implementation status and your subcontractors’ compliance is no longer optional — it’s mission-critical.

