The Cybersecurity Maturity Model Certification (“CMMC”) Program is a new cybersecurity requirements framework for Department of Defense (“DoD”) contractors, subcontractors, and certain other entities in the DoD supply chain that store, process, or transmit Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”) in performance of a DoD contract. CMMC will soon be the governing program for ensuring that safeguarding requirements imposed by DoD contracts to protect FCI and CUI used in performance of a DoD contract are fully implemented. Accordingly, CMMC imposes new cybersecurity assessment and affirmation processes that all contractors must complete to be eligible for certain contracts with DoD, and it is therefore expected to have significant impacts on the DoD supply chain, including on contractors, subcontractors, and possibly contractor affiliates and other relevant third parties.
The Final Rule
On September 10, 2025, DoD took the final step in finalizing the CMMC Program, which imposes safeguarding requirements on DoD contractors, subcontractors, and certain other entities in the DoD supply chain that store, process, or transmit FCI or CUI in performance of a DoD contract. Starting November 10, 2025, DoD will begin to apply CMMC requirements to certain contracts. Contractors, and in many cases their subcontractors, must be in compliance with relevant requirements in order to be eligible for award.
This toolkit provides resources for navigating this new cybersecurity regime, including a set of FAQs that may be helpful to counsel working with their in-house business teams, an overview of the newest procurement rule, and an in-depth analysis of the Program requirements.
Program Overview
The Program is governed by two rules: (1) the final CMMC Program Rule (“Program Rule”), which became effective December 16, 2024, and generally outlines the specific requirements of the CMMC Program, and (2) the Defense Federal Acquisition Regulation Supplement (“DFARS”) Procurement Rule (“Procurement Rule”), finalized September 10, 2025, which implements CMMC in the DFARS (together “the Rules”). The Rules establish three levels of CMMC status—each imposing certain security controls on relevant information systems and assessment requirements to verify compliance with those security controls (e.g., self-assessment, third party assessment, or government assessment).
Requirements under the CMMC Program will be phased in incrementally over four years. The assigned (and thus minimum) CMMC level required to be eligible for a DoD contract, task order, or delivery order will be prescribed in the contract clause (currently DFARS 252.204-7021) based on a determination of the agency program team (not the contracting officer), driven largely by considerations related to the type and sensitivity of data stored, processed, or transmitted under the contract.
As we discuss further in the materials included in this toolkit, while security requirements track closely with existing National Institute of Standards and Technology, or NIST, standards and certain Federal Acquisition Regulation and DFARS requirements, the CMMC Program goes further in requiring that contractors (and subcontractors), among other things, obtain certain assessments of security controls, make certain affirmations, and close gaps on controls quickly with less flexibility on coming into compliance with the Rules.