This blog post discusses the Department of Defense’s (“DoD”) new cybersecurity rule that imposes certain cybersecurity requirements on relevant DoD contractors and subcontractors. The post will be of interest to all DoD contractors, subcontractors, and possibly affiliates of contractors that may be impacted by the new rule’s cybersecurity requirements.

On September 10, 2025, DoD published the final version of the Cybersecurity Maturity Model Certification (“CMMC”) Defense Federal Acquisition Regulation Supplement (“DFARS”) Procurement Rule (“Procurement Rule” or “Rule”) in the Federal Register. This Rule imposes the contractual requirements associated with the CMMC Program Rule that was published in final form in October 2024. The Procurement Rule will become effective sixty days after publication, on November 10, 2025, and will be implemented in a phased approach.

The CMMC Program is expected to have significant impacts on the federal supply chain, imposing certification requirements on all contractors and subcontractors with DoD contracts that include the relevant DFARS clause (currently DFARS 252.204–7021) and under which Federal Contract Information (“FCI”) and/or Controlled Unclassified Information (“CUI”) is processed, stored, or transmitted on contractor information systems.

We wrote about the proposed Procurement Rule in a prior blog post.[1]  As described further below, the final Procurement Rule makes a number of notable updates.  Among other things, DoD has added and updated certain definitions; clarified when and how long conditional CMMC status can be maintained; noted the need to provide CMMC information for all unique identifiers that will store, process and/or transmit FCI or CUI; added language regarding requirements for contracting officers to confirm information is present in the Supplier Performance Risk System (“SPRS”) before awarding a contract; clarified the phased implementation approach in the prescription clause; added more guidance on subcontractor flow downs and affirmations; and removed certain rule-specific notification requirements. 

Overview of the CMMC Program and the Procurement Rule

Last year, DoD released the final CMMC Program Rule, which became effective December 16, 2024.  The Program Rule formally established the CMMC Program.  CMMC will provide DoD with a means to validate that contractors are in compliance with security measures necessary to safeguard FCI and/or CUI and will impose stricter requirements around implementation of required security controls.  The Program Rule authorizes DoD to confirm that a defense contractor or subcontractor has implemented and maintains security requirements for a specified CMMC level (Level 1, Level 2, or Level 3) and assessment type (self-assessment, third party assessment, or government assessment) across the contract period of performance.  The CMMC level required is based on the type of information that must be safeguarded during contract performance, and specific security requirements are specified for each level.  As noted, the Program Rule is one of two complementary sets of regulations that in combination govern operation of the Program and how contractors must comply with the Program.  

The final Procurement Rule, published today, outlines contract requirements for CMMC and implements CMMC in the DFARS. Once it becomes effective on November 10, the Procurement Rule will require DoD to impose a specific CMMC level in a new solicitation or contract if the Program office or requiring activity determines that the contractor is required to have a specific CMMC level. In response to a comment that the final Rule should add an explicit prohibition on including CMMC requirements in existing contracts, DoD noted in the preamble that such an addition was not necessary because contracting officers already have the discretion to “bilaterally incorporate the clause in existing contracts.” Contractors therefore may see contracting officers seeking to add the clause if the Program wants it added, especially when option exercise decisions are being made. When CMMC requirements are applied to a solicitation through this Procurement Rule, contracting officers will not make award, exercise an option, or extend the period of performance on a contract if the offeror or contractor does not have the passing results of a current certification assessment or self-assessment for the required CMMC level, and an affirmation of continuous compliance with the security requirements, in SPRS for all information systems that process, store, or transmit FCI or CUI during contract performance.

According to the DoD, a key benefit of the Procurement Rule is that it requires verification of a defense industrial base (“DIB”) contractor’s implementation of system security requirements for the protection of FCI and CUI, providing increased assurance to DoD that a DIB contractor can protect sensitive unclassified information at a level commensurate with the risk. Additionally, DoD intends for the Procurement Rule to ensure that this security verification will occur, as appropriate, down the supply chain by requiring flow down to covered subcontractors. DoD also touts as an additional benefit the increased protection of intellectual property and sensitive information, which DoD expects to have a significant impact on the U.S. economy and national security.

Summary of Procurement Rule Updates

In response to the proposed rule, ninety-seven respondents submitted public comments.  The preamble to the final Rule highlights several changes and clarifications from the proposed rule. For example:

  • The Rule added definitions from related regulatory provisions to make the terms consistent across regulations.  For example, the Rule added definitions for FCI and Plan of Action and Milestones that are pulled from related regulations.  The Rule also clarified the definition of “current” to further address what current means when referring to CMMC conditional status, final CMMC status and affirmations of continuous compliance.
  • It clarified that conditional CMMC status for levels 2 and 3 may not exceed 180 days, and final CMMC is achieved upon successful closeout of a valid Plan of Action & Milestones. 
  • The Rule clarified that offerors will not be eligible for award of a contract, task order, or delivery order resulting from a relevant solicitation, if the offeror does not have the results of a current CMMC status entered in SPRS at the required CMMC level and a current affirmation of continuous compliance for each of the contractor information systems that will process, store, or transmit FCI or CUI and be used in performance of an award resulting from the solicitation. 
  • The Rule confirmed that contracting officers must check SPRS before awarding a contract to ensure all required information is present in SPRS.
  • It has also clarified the phased implementation approach, including that until November 10, 2028, the contract clause (DFARS 204.7504) will be prescribed for use if program managers and requiring activities make a determination to apply a CMMC requirement to contracts, excluding contracts solely for the commercially available off-the-shelf (“COTS”) items (unless a waiver applies); and, beginning November 11, 2028 (three years and one day after the Rule’s effective date), the clause will be prescribed for use if program managers and requiring activities determine that the contractor will be required to use contractor information systems in the performance of the contract, task order, or delivery order to process, store, or transmit FCI or CUI, excluding contracts solely for COTS items.
  • The final Rule clarified and enhanced flow down requirements, mandating that subcontractors also submit affirmations of continuous compliance and results of self-assessment in SPRS. The Procurement Rule confirms, however, that prime contractors will not be able to view subcontractors’ CMMC certificates or self-assessment information, and thus must independently verify that lower tier subcontractors have met CMMC requirements.
  • It also removed certain rule-specific notification requirements in response to public comment, including reporting to the contracting officer lapses in information security or changes in compliance. The preamble to the Procurement Rule cites the cyber incident reporting obligations under DFARS 252.204–7012 and the annual affirmation of continuing compliance as offering sufficient protection to DoD.

We are closely reviewing this Rule and will provide follow up resources for clients with additional details on the final Procurement Rule.


[1] For additional background on CMMC, we first wrote about CMMC in July 2019 and published additional blog posts addressing subsequent updates to the Program, including for Version 0.4, Version 0.6, Version 0.7, and Version 1.0. For further background on Version 2.0, please reference our initial blog post when it was announced and subsequent updates (here and here).

Susan B. Cassidy

Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply chain risk management for companies that sell products and services to the U.S. Government. Susan advises contractors at all phases of the procurement cycle, and regularly:

advises clients on compliance obligations imposed by the FAR, DFARS, and other agency regulatory requirements;
leads internal and government False Claims Act (FCA) investigations addressing allegations of violations of government cybersecurity, national security, supply chain, quality, and MIL-SPEC requirements; and
advises clients who have suffered a cyber breach where U.S. government information may have been impacted.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 252.204-7012, FedRAMP, controlled unclassified information (CUI), and NIST SP 800-171 requirements;
Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 semiconductor product and service restrictions, and limitations on sourcing a variety of products from China; and
Federal Acquisition Security Council (FASC) regulations and product exclusions.

Susan previously served as senior in-house counsel for two major defense contractors (Northrop Grumman Corporation and Motorola Incorporated) and is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Chambers USA has quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Susan’s pro-bono work extends to assisting veterans in a variety of matters, as well as providing advice to elderly clients on their wills and other end-of-life planning documents.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under President Trump’s AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well as more traditional government contracting cost, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice’s Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob is ranked by Chambers USA for his work in government contracts and he writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer who advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual use foundation models.
Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion worth of goods and services each year. While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others. Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program. These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.

Krissy Chapman

Kristen “Krissy” Chapman is an associate in the firm’s Washington, DC office. She represents and advises clients on a range of cybersecurity, data privacy, and government contracts issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal investigations, and regulatory compliance.

Prior to joining the firm, Krissy served as a consultant in both the private and public sectors, advising clients across a range of industries, including transportation and infrastructure, life sciences and healthcare, and national security.