Finally, the CMMC Final Rule: DoD Completes CMMC Rulemaking, Ushering in New Era in DoD Cybersecurity
Client Alert | 7 min read | 09.10.25
On September 10, 2025, the Department of Defense (DoD) published a final rule (CMMC Clause Rule) that will apply its much-anticipated Cybersecurity Maturity Model Certification program (CMMC) to DoD contractors and subcontractors. Under the CMMC Clause Rule, starting on November 10, 2025, DoD can include CMMC requirements—potentially including third-party cybersecurity assessments—in contracts that require the handling of Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).
What is CMMC?
CMMC is a unified assessment model created by DoD in response to the growing threat of cyberattacks and data theft from the defense industrial base. CMMC is designed to ensure that DoD contractors and subcontractors adequately safeguard two categories of sensitive government information: CUI and FCI.
DoD contractors that handle CUI have historically been subject to the security requirements in DFARS clauses 252.204-7012, 252.204-7019, and 252.204-7020. Meanwhile, all government contractors that handle FCI are subject to FAR clause 52.204-21. CMMC builds on these existing DFARS and FAR clauses by requiring all DoD contractors and subcontractors who handle CUI and FCI during contract performance to certify their compliance with security controls via mandatory self-assessments, third-party assessments, and affirmations of compliance. The type of data (i.e., CUI or FCI) and the sensitivity of the contract being performed dictates the type of assessment and the security controls that apply. This framework is broken out into three levels:
- CMMC Level 1 will apply to contractors and subcontractors who store, process, or transmit FCI. CMMC Level 1 consists of the 15 basic safeguarding requirements listed in FAR 52.204-21(b)(1)(i) through (b)(1)(xv), each of which maps to a NIST SP 800-171 security requirement. Level 1 will require a contractor self-assessment, conducted annually.
- CMMC Level 2 will apply broadly to contractors and subcontractors who store, process, or transmit CUI. CMMC Level 2 consists of the 110 security requirements in NIST SP 800-171 (Revision 2), assessed using the procedures in NIST SP 800-171A. Level 2 will require either a self-assessment (conducted annually) or an external assessment conducted by a certified third-party assessor (conducted every three years).
- CMMC Level 3 will apply to a select group of contractors that will store, process, or transmit high-value CUI, as determined by DoD. CMMC Level 3 includes all Level 2 requirements, as well as 24 selected requirements from NIST SP 800-172. All Level 3 certifications require a DoD-conducted assessment every three years.
One Program, Two Rules
The CMMC Clause Rule is the second of two separate CMMC rules. The first rule, sometimes referred to as the CMMC Program Rule, was finalized in October 2024. The CMMC Program Rule formalized CMMC’s security controls, assessment procedures, and other requirements—establishing the mechanics behind a CMMC assessment and corresponding certification. The CMMC Clause Rule contains the DFARS clauses that will be included in contracts and begin mandating that DoD contractors and subcontractors undergo the process laid out in the Program Rule.
Key Takeaways from the CMMC Clause Rule
The CMMC Clause Rule retains the overall structure and most language included in the proposed version from August 2024. But it also introduces new terms and definitions, clarifies existing language, and removes select requirements, as further summarized below.
- Two new DFARS clauses. The CMMC Clause Rule introduces two DFARS clauses: DFARS 252.204-7025, which will be included in solicitations as a notice provision, and an updated DFARS 252.204-7021, which contains the CMMC requirements that will be included in contracts. Contractors must maintain the “current CMMC status” specified in the contract “for all information systems used in performance of the contract, task order, or delivery order that process, store, or transmit FCI or CUI.”
- November 10 is only the beginning. When the CMMC Clause Rule takes effect on November 10, 2025, DoD can begin including CMMC requirements in solicitations and contracts, but this does not mean CMMC requirements will appear in all contracts and solicitations immediately.
  - The CMMC Clause Rule explains that, for the first three years following its effective date, DoD will include CMMC requirements in contracts at its discretion. The Rule does not explain how DoD will decide which contracts and solicitations will include CMMC requirements during the three-year rollout period.
  - It is not clear whether DoD will strictly adhere to the four-phase CMMC rollout plan set forth in the CMMC Program Rule.
  - Notably, contracting officers may include the -7025 "notice" provision in a solicitation issued prior to November 10, 2025, if any resulting contracts are expected to be awarded on or after that date. In addition, contracting officers may incorporate the -7021 clause in contracts awarded prior to the effective date via a bilateral contract modification "with appropriate consideration."
- New Definitions. The CMMC Clause Rule introduces several new definitions, including for the terms current, DoD unique identifier, plan of action and milestones, and CMMC status. Notably, the definition of current (as used in the requirement to maintain “current CMMC status”) requires contractors to confirm that there have been “no changes in compliance” since the contractor achieved the applicable CMMC status, creating additional False Claims Act risk for failing to monitor CMMC compliance after a formal certification.
- The -7012 clause isn’t going anywhere (for now). As noted above, CMMC builds on existing DoD cybersecurity requirements set forth in the -7012 clause. The -7012 clause also includes cyber-incident reporting requirements that some posited would be updated or incorporated into the CMMC Clause Rule. However, DoD declined to include incident reporting requirements in the CMMC Clause Rule, explaining that the -7012 clause “will offer ongoing protection for DoD information.”
- COTS carveout remains in place. The CMMC Clause Rule confirms that CMMC requirements will not be included in contracts exclusively for the acquisition of commercially available off-the-shelf (COTS) items, aligning with similar exemptions under DoD’s other cyber contract clauses.
- Flowdowns are tied to subcontract language and information flows. The -7021 clause requires contractors to flow its requirements down to subcontractors if the subcontract "will contain a requirement to process, store, or transmit FCI or CUI." Prior to subcontract award, the higher-tier contractor also must confirm that the subcontractor has a "current CMMC status" at the level "appropriate for the information that is being flowed down to the subcontractor."
Recommendations
Review Active DoD Contracts and Solicitations for FCI and CUI Processing
- DoD contractors should review their current contracts and solicitations to determine the likely CMMC level. Because DoD contracting officers will have wide discretion to include CMMC requirements, potentially including third-party assessment requirements, in contracts and solicitations starting November 10, contractors that do not have the requisite CMMC status risk missing out on opportunities as CMMC requirements may be imposed with little warning.
Determine Subcontractor Flowdown Requirements and Readiness
- DoD contractors should review their subcontractor agreements to determine if they implicate FCI or CUI. Contractors should also confer with subcontractors to determine if they are prepared to comply with the corresponding CMMC requirements.
Ensure Corporate Policies are Current and Accurate
- While technical solutions are integral to meeting CMMC requirements, a contractor’s cybersecurity is only as effective as the policies governing the use of such technology and regulating data traversing it. Contractors should ensure robust internal cybersecurity policies are in place, current, and accurate, as these artifacts will be necessary to meet many CMMC requirements.
Review and Refine System Security Plan (SSP) for Currency and Accuracy
- Both self-assessments and third-party assessments will require an SSP describing the assessment scope, major system components, and how each security requirement is implemented. Contractors should ensure SSPs accurately represent their current network and compliance postures.
Conduct Privileged Readiness Assessments
- Contractors should consider conducting CMMC readiness assessments under attorney-client privilege in order to pressure test their ability to meet the CMMC requirements without exposing the company to risk if gaps are found. Engaging counsel with technical capabilities to conduct the assessment or to direct the assessments by third parties can benefit companies by mitigating the risk of having to disclose assessment findings in litigation or during an investigation.
Schedule CMMC-Certified Assessment or Conduct Self-Assessment
- Contractors who expect to be subject to CMMC Level 1 or Level 2 self-assessments should prepare to conduct those assessments and ensure they can accurately attest to their compliance.
- Contractors who expect to be subject to CMMC Level 2 third-party assessments should promptly engage Certified Third-Party Assessment Organizations (C3PAOs) to plan their assessments. Third-party CMMC assessments have been ongoing since the CMMC Program Rule was finalized last year, and C3PAOs continue to be in high demand.
*** Please be on the lookout for a Crowell Webinar on this topic Monday, September 15 at Noon Eastern Standard Time for further discussions. ***