Department of Defense Issues Final Rule on Cybersecurity Standards for Contractors

By Edwin O. Childs, Andrew Konia, Abram J. Pafford, Todd R. Steggerda, Jack White, James Dougherty, Jason M. Vespoli, John Sullivan, Sophie Marsh & McGuireWoods LLP on September 10, 2025

After years of waiting, the U.S. Department of Defense (DoD) posted to the Federal Register for public inspection on September 9, 2025, a final rule implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards into the Defense Federal Acquisition Regulation Supplement (DFARS) (the Final Rule), which was formally published a day later on September 10, 2025. The Final Rule's requirements will become effective in the DFARS as of November 10, 2025, and apply to all DoD contractors and subcontractors. Defense contractors should ensure their compliance with the standards as soon as possible in order to maintain eligibility to compete for DoD contracts and perform DoD subcontracts, as well as to avoid bid protests and/or civil False Claims Act allegations.

CMMC 2.0 is a fundamental shift in how DoD approaches and implements cybersecurity requirements for controlled defense information (CDI), with this effort representing the final step of the nearly five-year process.  This Final Rule follows DoD’s establishment of the CMMC 2.0 program by providing the basis for the implementation of the CMMC program in all DoD solicitations and contracts.

DoD currently relies primarily on contractor self-representations and affirmations that they comply with the cybersecurity controls described in NIST SP 800-171, rev. 2. This approach has been subject to governmental criticism for contractor non-compliance, increasing enforcement scrutiny, and concerns that it may not support sufficient protection of CDI. CMMC 2.0 responds to these criticisms through the use, in some cases, of third-party verification by CMMC Third-Party Assessment Organizations (C3PAOs) and additional assessment requirements as a condition of contract award. To that end, the Final Rule implements a verification framework layered on the existing cybersecurity requirements described in both NIST SP 800-171, rev. 2 and NIST SP 800-172.

As described in an October 23, 2024 alert, the CMMC program is based on three levels:

  • Level 1, where the contract will not require an entity to process, store, or transmit CDI;
  • Level 2, where the contract requires the entity to process, store, or transmit CDI; and
  • Level 3, where the contract requires the entity to maintain sensitive types of CDI.

The CMMC program allows entities to self-certify under Level 1 and certain Level 2 contracts but requires C3PAO certification for other Level 2 contracts and Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) certification for all Level 3 contracts.

The Final Rule provides that DoD will implement the CMMC program progressively across four phases over the next three years. In each phase, DoD will require contracting officers to include the corresponding CMMC requirements as prescribed under two new clauses, DFARS 252.204-7021 and 252.204-7024. This process will begin on November 10, 2025, affecting solicitations subject to CMMC 2.0 Level 1 and Level 2 self-assessment requirements. Beginning November 10, 2026, DoD will require contracting officers to include CMMC requirements in solicitations that require a third-party (C3PAO) assessment under CMMC Level 2. Starting on November 10, 2027, DoD will include CMMC requirements in all contracts requiring CMMC Level 3 DIBCAC assessments. Finally, DoD intends to incorporate the two new DFARS clauses into all DoD contracts, including long-term contracts, no later than November 10, 2028.

Government contractors and subcontractors should take note that the Final Rule mandates compliance with the CMMC standards as pertaining to the protection of CDI at the time of contract, task order, or delivery order award. Contractors and subcontractors are required to maintain status at the relevant CMMC level (or higher) throughout the period of performance of the relevant contract, task order, or delivery order.  To that end, the Final Rule requires entities to affirm annually that they are in compliance with these requirements in DoD’s Supplier Performance Risk System (SPRS).  

Contractors are permitted to remediate “temporary” vulnerabilities and deficiencies pursuant to an operational plan of action (OPA). The Final Rule makes clear that an OPA includes a timeline for remediation and is not the same as a plan of action and milestones (POA&M).  While functionally, OPAs and POA&Ms are similar mechanisms for documenting and remediating temporary vulnerabilities and deficiencies without the contractor losing certification status, DoD continues to note that only “temporary” vulnerabilities and deficiencies may be remediated through an OPA. Under the Final Rule, all OPAs must be closed in 180 days in order for a contractor to be able to affirm continuous compliance with the CMMC requirements.  While the CMMC program does allow some POA&Ms in connection with conditional CMMC certifications under Levels 2 and 3, even those POA&Ms must be closed within 180 days, and cannot be used after final certification has been achieved.

Failure to comply with the CMMC 2.0 requirements or to maintain compliance with the applicable controls can result in revocation of the CMMC certification and, correspondingly, render the contractor ineligible to bid on DoD contracts. CMMC compliance failures can also give rise to valid bid protest grounds and/or potential liability under the civil False Claims Act, and raise broader compliance-related concerns. Contractors that have not managed cybersecurity compliance under current FAR and DFARS requirements and/or have not been working towards compliance with the NIST SP 800-171, rev. 2 controls will not be granted additional time to achieve compliance and may not pass along the costs of becoming compliant to the DoD. DoD has been clear throughout the rulemaking process that the CMMC requirements reflect and are aligned with information security requirements that have been mandatory since at least December 2017.

Given the cost, time, and risk of complying with these requirements, many contractors and subcontractors have expressed concerns over compliance with the CMMC 2.0 rules. Certain DoD components have taken steps to alleviate these concerns, although the viability, appropriateness, and effectiveness of such steps remain to be seen. Separately, other DoD components have suggested that costs related to the maintenance of CMMC compliance may be recoverable under certain contracts (notwithstanding the comments noted above), although, again, specific proposals to that effect have yet to be seen.

Contractors and subcontractors should ensure they are ready to comply with the CMMC program and CMMC DFARS contract clauses once fully implemented. For questions related to this Final Rule, the new DFARS contract clauses, other CMMC issues, or government contracts generally, contact any of the authors or another member of the McGuireWoods government contracting team.

Edwin O. Childs

As a leader of the firm’s Defense, National Security and Government Contracting industry team, Ned Childs is a government contract and investigations and enforcement attorney who represents companies across a wide range of sectors, including the defense, services, technology, and aerospace industries. His practice, spanning more than a decade in Washington, encompasses a broad array of legal services, including government contract investigations, disclosures, and regulatory enforcement actions; bid protests and government contract disputes; government contract counseling; export licensing and enforcement; prime contractor-subcontractor disputes; corporate ownership and acquisition issues; and election law investigations and enforcement matters.

Andrew Konia

Andrew’s practice is singularly focused on protecting clients’ businesses and data, anticipating disputes, and strengthening their competitive position in the marketplace. As chair of the firm’s data privacy and security team, Andrew leads a nationally recognized team of professionals dedicated to protecting clients’ systems, networks and data, managing information, and responding to cyber incidents.

Abram J. Pafford

Abe focuses his practice on protecting the rights and interests of companies and individuals who face disputes or conflicts with the federal government in its role as purchaser, prosecutor, and chief regulator. For more than twenty years, Abe has represented government contractors, participants in regulated industries, and companies and individuals targeted for federal investigation or prosecution, consistently achieving successful results for clients confronting difficult odds.

Todd R. Steggerda

Todd Steggerda serves as McGuireWoods’ Deputy Managing Partner for Strategic Development, following service as the deputy managing partner for litigation where he oversaw and managed the firm’s litigation departments and roughly 500 litigators in the U.S. and the UK. He is the former chair of the firm’s Government Investigations and White Collar Litigation Department, which Law360 recently selected for its prestigious “Practice Group of the Year” award. In a dynamic practice spanning nearly 25 years in Washington, Todd has resolved a diverse range of high-stakes government investigations, regulatory enforcement, and litigation matters, including dozens of matters investigated by the civil and criminal divisions of the Department of Justice, the Department of Defense, and numerous other federal and state agencies and investigative bodies.

Jack White

Jack is an accomplished trial lawyer and legal strategist who guides clients through complex challenges, including high-profile and sensitive litigation and government investigations. He focuses his practice on civil litigation, regulatory enforcement, and congressional investigations for clients in the defense, technology, federal contracting, higher and K-12 education, and other business sectors.

James Dougherty

James C. “Jim” Dougherty is an accomplished government contracts and technology lawyer, with decades of experience as an in-house lawyer and law firm counsel. His practice focuses on the intersection of government contracts, technology law, and corporate compliance. He advises technology companies and government contractors on a broad array of legal issues, including regulatory compliance, complex transactions, intellectual property rights, and litigation—particularly matters involving qui tam actions, contract claims, and bid protests at both federal and state levels.

Jason M. Vespoli

Jason focuses his practice on federal and state procurement, government technology, bid protests and government contract disputes, and regulatory compliance. He utilizes experience in state government, government technology, and complex procurement to solve problems in innovative and efficient ways.

John Sullivan

John is an associate within the Government Investigations and White Collar Litigation group.

Sophie Marsh

Sophie focuses her practice on government contracts and government investigations matters.

McGuireWoods LLP

At McGuireWoods, we deliver quality work, personalized service and exceptional value. We use technology to provide efficient legal solutions and employ a diverse workforce to bring real-world and innovative perspectives to meeting our clients’ needs. With more than 1,000 lawyers and 21 strategically located offices worldwide, McGuireWoods uses client-focused teams to serve public, private, government and nonprofit clients from many industries, including automotive, energy resources, healthcare, technology and transportation.

  • Posted in:
    Government Contracts
  • Blog:
    Subject to Inquiry
  • Organization:
    McGuireWoods LLP