They’re Here! The Cybersecurity Maturity Model Certification Requirements for DoD Solicitations and Contracts Are Live. What Does This Mean for Your Organization?
This alert serves to remind contractors of the much-ballyhooed Cybersecurity Maturity Model Certification (CMMC) and updates our previous articles on the Department of Defense’s (DoD) proposed CMMC Program rule and DoD’s issuance of a new final rule , codified at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 (contract clause) and 252.204-7025 (solicitation provision). The new DFARS rule implements the CMMC Program’s requirements into DoD contracts over the course of a three-year phase-in period. This week, as of November 10, 2025, Phase 1 of this rule’s rollout has finally become effective, with significant implications for defense contractors. As discussed in our prior articles, the new CMMC rule will apply to defense contracts involving contractor information systems handling federal contract information (FCI) or controlled unclassified information (CUI) only . There is a significant exception for contracts solely for the acquisiti...