Takeaways

The Final DFARS Rule will take effect on November 10, 2025, and will be implemented through a phased approach over three years.
During the three-year phase-in period, DoD will have discretion to determine whether to apply CMMC requirements to procurements.
The Final DFARS Rule largely tracks the Proposed DFARS Rule, published in August 2024, but includes important new provisions.

After years of anticipation, the Department of Defense (DoD) has published the final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program in the Defense Federal Acquisition Regulation Supplement (DFARS) (the Final DFARS Rule). This rule revises the DFARS to implement the CMMC program in solicitations and contracts. As discussed in our prior alert, this rule follows the passage of the October 15, 2024, final rule establishing the requirements of the CMMC program (the Final Program Rule) and setting forth a three-year phased roll-out period. The Final DFARS Rule will go into effect on November 10, 2025, kicking off this roll-out period.

Background and Basics
As we have previously reported, CMMC is a program developed by the DoD to protect the Defense Industrial Base from cyber threats. Under this program, DoD contractors and subcontractors will be required to achieve certain levels of cybersecurity maturity. DoD first announced the CMMC program in 2019, then issued an initial version of the program in November 2020. In November of 2021, DoD announced that it would be overhauling the existing CMMC framework and replacing it with CMMC 2.0. The purpose of CMMC 2.0 was to restructure the CMMC program and to reduce the cost and administrative burden of achieving cybersecurity compliance. On December 26, 2023, DoD issued a proposed rule and related guidance implementing many aspects of the CMMC program. This rule was finalized on October 15, 2024, and went into effect on December 16, 2024 (the Final Program Rule). The rule specified, however, that CMMC requirements would not begin appearing in contracts and solicitations until the instant DFARS Rule was finalized. Thus, the release of the Final DFARS Rule marks an important development for DoD contractors and subcontractors.

The CMMC program consists of a tiered certification model with Levels 1 through 3. Contractors that achieve Level 1 will be permitted to process, store, or handle Federal Contract Information (FCI). Contractors that achieve Level 2 will be permitted to process, store, or handle Controlled Unclassified Information (CUI). Contractors that achieve Level 3 will be permitted to handle highly sensitive CUI, as designated by DoD. The following chart summarizes the requirements to achieve each CMMC level.

Timing and Implementation
During the three-year roll-out period, DoD program offices will have discretion to include CMMC requirements in solicitations and contracts. In this regard, the Final DFARS Rule states that “the clause will be prescribed for use if program managers and requiring activities make a determination to apply a CMMC requirement to contracts, excluding awards solely for the acquisition of commercially available off-the-shelf (COTS) items.” This is a change from earlier iterations of the rule, which suggested that CMMC requirements would apply to nearly all DoD contracts from day one. Notably, the Final DFARS Rule does not provide any insight into which contracts DoD initially plans to incorporate these requirements in. Beginning November 10, 2028, DoD will be required to include CMMC requirements in all solicitations and contracts in which the contractor will be required to use contractor information systems to process, store, or transmit FCI or CUI.

Other Notable Provisions

  • The Final DFARS Rule includes two DFARS clauses to implement CMMC: an updated version of DFARS 252.204-7021, which will be used in contracts, and a new DFARS 252.204-7025, which will be used in solicitations.
  • The rule also states that DoD may begin including DFARS 252.204-7025 in solicitations before November 10, 2025, if the resulting contract will be awarded on or after that date.
  • Contracting officers also have discretion to include DFARS 252.204-7021 in contracts before November 10, 2025, via bilateral modification where appropriate.
  • The rule provides that an “affirming official” must complete an annual affirmation in the Supplier Performance Risk System (SPRS) stating that the contractor remains in compliance with the specified security requirements for each identified contractor information system that will process, store, or transmit FCI or CUI in performance of the contract. This creates False Claims Act risk for contractors who do not maintain compliance.
  • DFARS 252.204-7021 specifies that prime contractors must flow the clause down to subcontractors that will process, store, or transmit FCI or CUI, and that they must confirm that such subcontractors have a current CMMC assessment at the appropriate level.

Looking Ahead
With the passage of the Final DFARS Rule, contractors and subcontractors that have not fully implemented the relevant requirements should take steps to do so without delay. To remain eligible for new contract opportunities, contractors must also complete a self-assessment or obtain a third-party assessment and upload those results to SPRS. Contractors should also develop systems for ensuring continued compliance for the life of the contract and to confidently make the annual affirmation of compliance. Finally, prime contractors should continue engaging with their key subcontractors and suppliers to ensure that they will also remain eligible to perform new work subject to CMMC requirements.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.