On September 10, 2025, the U.S. Department of Defense (“DoD”) published a rule amending the Defense Federal Acquisition Regulation Supplement (“DFARS”), which allows for the formal incorporation of the requirements of the Cybersecurity Maturity Model Certification Program 2.0 (“CMMC 2.0”) into DoD solicitations and contracts (a rule we detailed in our January 3, 2025 article). The publication of this final rule signals the beginning of a phased rollout, effective as of November 10, 2025 (60 days after the rule’s publication), during which DoD solicitations and contracts will now require contractors to be certified under Level 1, 2, or 3 of CMMC 2.0 and to comply with the requirements for the respective level.
DoD will implement CMMC 2.0 in its solicitations and contracts through a four-phase process, which will take the following form:
Phase 1
Begins November 10, 2025. DoD will begin to include Level 1 and Level 2 self-assessment requirements in DoD solicitations and contracts. At this stage, DoD has the discretion to include Level 2 Certified Third-Party Assessment Organization (“C3PAO”) requirements as well.
Phase 2
Begins November 10, 2026. DoD will require Level 2 C3PAO certification in all applicable contracts. DoD also has the discretion to delay the requirement for Level 2 C3PAO certification to an option period (instead of as a condition on award).
Phase 3
Begins November 10, 2027. DoD will include Level 2 C3PAO certification assessment requirements for applicable DoD solicitations and contracts as a condition of contract award. DoD may also include Level 3 certification assessment requirements in applicable solicitations and contracts as a condition of contract award, but DoD has the discretion to delay Level 3 certification assessment requirements to an option period.
Phase 4
Begins November 10, 2028. All DoD solicitations and contracts must include applicable CMMC 2.0 level requirements by this time.
Remember that CMMC requirements may also extend to subcontractors that handle Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”), but contractors are responsible for this flow-down. Contractors should therefore start revising their standard subcontract language for DoD contracts to include the applicable DFARS language, specifically that in DFARS 252.204-7021.
At this time, current and prospective DoD contractors and subcontractors should conduct internal reviews to determine (1) whether they are already CMMC 2.0 compliant for handling FCI and CUI and (2) if not yet compliant, what they must do to be eligible for DoD contracts with such CMMC 2.0 requirements.
Smith Currie Oles will be monitoring changes to, and impacts of, the implementation of CMMC 2.0 Program requirements into DoD solicitations and contracts and stands ready to provide guidance and assistance to contractors in meeting these complex requirements and safeguarding their interests.
