Pentagon to officially implement CMMC requirements in contracts by Nov. 10

The amendment to the Defense Federal Acquisition Regulation Supplement marks the near end of a years-long effort to enforce CMMC 2.0 cybersecurity standards for defense contractors.

The Pentagon has posted the much-anticipated updated rule that will require contracts to implement Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards moving forward.

The final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) was posted to the Federal Register for public inspection on Tuesday and will officially take effect Nov. 10, according to the document. The mandate’s publication marks the near end of a years-long effort to enforce new cybersecurity standards set by the CMMC program for defense contractors.

“We expect our vendors to put U.S. national security at the top of their priority list,” Katie Arrington, who is performing the duties of Pentagon chief information officer, said in a statement. “By complying with cyber standards and achieving CMMC, this shows our vendors are doing exactly that.”

The CMMC program is a three-tiered cybersecurity framework that requires contractors working with controlled unclassified information (CUI) or federal contract information (FCI) to meet one of three levels of compliance based on how sensitive the info they’re handling is. The Department of Defense — which the Trump administration has rebranded as the Department of War — created the program to ensure contractors are safeguarding Pentagon data stored on their systems from adversaries.

The DFARS amendment follows the department’s final rule change for CMMC 2.0 that was published in October 2024 and went into effect a couple of months later in December. While that rule established the program into federal law, the new mandate will obligate Pentagon contracting officers to include cybersecurity requirements based on the framework’s tiers in program solicitations and contracts.

The rule emphasizes that vendors won’t be eligible for contract awards, task orders or delivery orders if they do not meet the required CMMC standards. 

Getting CMMC across the finish line has been an arduous and controversial effort. The program was developed by the first Trump administration but immediately faced opposition from industry — which claimed the framework was overcomplicated and would put undue regulatory burdens on companies.

In response, the Pentagon restructured its original CMMC proposal into a pared-down framework known as CMMC 2.0, reducing the number of assessment levels from five to three as a way to simplify the compliance process for small- and medium-sized vendors.  

The revised framework allows contractors handling less sensitive FCI, categorized under CMMC Level 1 or CMMC Level 2, to self-assess their cybersecurity compliance. More sensitive CUI data denoted as CMMC Level 2 will require a verification check done by a certified third-party assessor organization (C3PAO), while CUI documents considered CMMC Level 3 will require certification from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

CMMC 2.0 also introduces “plans of action and milestones” (POA&Ms), allowing vendors that do not meet all of the framework’s standards to receive a conditional certification for 180 days as they work to reach compliance. The amended DFARS rule clarified that a POA&M will only be given to vendors who must reach Level 2 or Level 3 standards. 

Updated on Sept. 9, 2025, at 5:20 PM: A previous version of this story misstated the date when CMMC 2.0 implementation will begin. It will be effective Nov. 10.