DoD Finalizes Cybersecurity Maturity Model Certification Rule: What Defense Contractors Need to Know
On September 10, 2025, the U.S. Department of Defense (DoD) published a final rule that will shake up cybersecurity compliance for DoD contractors. T he new rule formally incorporates the Cybersecurity Maturity Model Certification (CMMC) program into nearly all DoD contracts through the Defense Federal Acquisition Regulation Supplement (DFARS) . This move has far-reaching implications for employers across the defense industrial base. Quick Hits Beginning November 2025, the DoD will issue contracts requiring contractors to comply with CMMC cybersecurity standards and conduct third-party or self-assessments, depending on the sensitivity of the information they handle. In addition to achieving and maintaining the CMMC level specified in each solicitation or contract, the final rule will require contractors to flow down the appropriate requirements to subcontractors, and to document and publish the results of assessments. While the rule will be phased in over three years, emplo...