CMMC Phased Roll-Out Finally Begins


The Cybersecurity Maturity Model Certification (CMMC) program is the Department of Defense’s (DoD) unified cybersecurity compliance framework for its defense industrial base (DIB). On November 10, 2025, the DoD’s CMMC Final Rule, published on September 10, 2025, takes effect, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the CMMC program.

CMMC applies to both prime contractors and subcontractors that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in connection with DoD contracts. Depending on the sensitivity of the information processed, contractors must meet one of three assessment levels:

  • Level 1: Basic safeguarding of FCI (self-assessment)
  • Level 2: Advanced protection of CUI (third-party or self-assessment depending on contract)
  • Level 3: Expert level, reserved for the most sensitive programs (government-led assessment)

Commercial-off-the-shelf (COTS) providers are generally exempt, but for everyone else in the defense supply chain, CMMC will become a condition of doing business with the DoD.

The CMMC program will be implemented in phases over a three-year period, as follows:

  • Phase 1 (November 10, 2025 – November 10, 2026): CMMC Program Office will have discretion in selecting contracts that require Level 1 or Level 2 self-assessments.
  • Phase 2 (November 10, 2026 – November 9, 2027): DoD solicitations and contracts may, where applicable, require Level 2 assessments with certificates issued by third-party assessment organizations (C3PAOs).
  • Phase 3 (November 10, 2026 – November 9, 2027): DoD solicitations and contracts may require Level 2 C3PAO assessments and/or Level 3 assessments by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for higher sensitivity programs.
  • Phase 4 (beginning November 10, 2028): All DoD contracts (except those solely for COTS items) that require the processing, storage, or transmission of FCI or CUI must include the appropriate CMMC Level as a condition of award.

Brief Background: The Evolution of the CMMC Final Rule

The CMMC framework has been years in the making. The program originated in 2019, when DoD sought to standardize the patchwork of cybersecurity requirements already embedded in DFARS 252.204-7012, which references NIST SP 800-171 controls for protecting CUI. The first version of CMMC (1.0) was released in January 2020, requiring third-party audits at multiple levels. However, industry feedback was swift: small and mid-sized contractors raised concerns about cost, redundancy, and unclear implementation timelines.

In response, the DoD paused the program in 2021 to conduct a comprehensive review, culminating in the streamlined CMMC 2.0, announced in November 2021. This version reduced the number of levels from five to three and reintroduced self-assessments for certain lower-risk contractors.

In December 2024, the DoD issued the long-awaited “program rule” (32 CFR Part 170), formally establishing the CMMC structure, assessment process, and enforcement mechanisms. Shortly thereafter, the “acquisition rule” under DFARS was proposed, which allows contracting officers to include CMMC clauses in solicitations and awards.

The acquisition rule was finalized with an effective date of November 10, 2025, marking the point when CMMC requirements will begin appearing in new contracts. The phase-in period allows DoD to gradually introduce CMMC clauses over a period of three years, prioritizing higher-risk programs first, while giving contractors time to achieve certification.

Breakdown of CMMC Final Rule Key Provisions

DFARS 204.7501 – Policy regarding CMMC level certification requirements

This section creates a binding award-eligibility condition. If a contractor does not have the required certificate, the offer is ineligible for award. The rule also implements a “CMMC Unique Identifier (UID),” which is assigned to each contractor system that has undergone CMMC assessment. The UID will serve as the primary tracking mechanism in the Supplier Performance Risk System (SPRS) and replaces the former “DoD unique identifier” term. Because the certificate must be maintained during contract performance, a drop or lapse in certification can result in non-compliance or even expose the contractor to contract termination risk.

DFARS 204.7502 – Procedures contracting officers must follow when identifying and implementing a requirement for a specific CMMC level

The procedural language formalizes how the DoD will assess and enforce CMMC level requirements. From a legal perspective, the allowance of conditional status is a meaningful flexibility, but it also comes with documentation obligations, such as Plans of Action and Milestones (POA&Ms). Failure to maintain legitimate conditional status or to follow these procedures can jeopardize award eligibility or expose a contractor to downstream contract risk.

DFARS 204.7503 – Contract clause(s) to be included in solicitations and contracts that impose a CMMC level requirement

The inclusion of DFARS 252.204-7021 will be required when a contractor is required to hold a specific CMMC level. The clause requires the contractor to have, at the time of award, and to maintain throughout the life of the contract, a CMMC certificate at the level required by the contract. The clause also ties eligibility and contract performance to the CMMC certificate status. The contract clause is the legal instrument by which CMMC compliance becomes a binding obligation. Careful attention must be paid to the flow-down of this clause, to how the required level is defined in the solicitation, and to how the “current certificate” requirement is articulated and verified.

DFARS 204.7504 – Solicitation Provision and Contract Clause (phased implementation)

This section addresses when and how the clause(s) must be included in solicitations and contracts, including a multi-year phased implementation schedule. Of note, unless the requirements at 32 CFR 170.5(d) (which relate to existing comparable assessments) are met, the contract clause at DFARS 252.204-7021 is to be used. Until November 9, 2028, solicitations and contracts may include the clause in cases where the requiring activity determines that a CMMC level is required. On or after November 10, 2028, the clause must be included in solicitations, contracts, and orders that require contractor systems to process, store, or transmit FCI or CUI. The section also prescribes the use of the solicitation provision at DFARS 252.204-7025 (Notice of CMMC Level Requirements) in solicitations that include the clause at 252.204-7021.

The phased rollout means that not all DoD contracts will immediately include CMMC requirements; contractors need to monitor solicitations to see whether the clause is present. Until full rollout, program offices may selectively apply CMMC. After full application (post-2028), any contract involving FCI/CUI must include the clause, and the certification requirement is mandatory. Understanding the timeline helps with strategic planning, readiness, and negotiating subcontract flow-downs.

Considerations for Contractors Navigating CMMC under DFARS Subpart 204.7501-04

The recently finalized CMMC rule brings clarity, but also complexity, especially around timing, eligibility, and risk allocation between primes and subcontractors. Below are several key takeaways to consider as you prepare for CMMC’s full rollout.

  • Scrutinize Every Solicitation for CMMC Clauses: The first step is to carefully review each solicitation or task order for inclusion of the CMMC clause, DFARS 252.204-7021. Contracting officers cannot award a contract unless the offeror has a “current” CMMC certificate at the level specified in the solicitation. “Current” generally means the certification is not more than three years old, and it must remain valid throughout performance. If a contractor bids without the appropriate certification, the offer is technically ineligible for award—no matter how competitive the price or past performance. Finally, verify your CMMC status in SPRS before submission.
  • Understand and Manage Conditional CMMC Status: Under DFARS 204.7502, contractors may receive a “conditional” CMMC status at Level 2 or 3 if they have approved POA&Ms for remediating limited control deficiencies. This conditional period typically lasts up to 180 days. While this flexibility is welcome, it introduces new documentation and oversight risk. Contractors must not only maintain accurate POA&Ms but also ensure that any outstanding controls are fully remediated before the conditional period expires. Failing to close out a POA&M could invalidate the certification and jeopardize the contract.
  • Flow Down the Requirements: Primes must vet their subcontractors’ CMMC levels before award and document those certifications in their procurement files. For subcontractors, the clause can appear in purchase orders or subcontracts even if they are several tiers removed from the prime. Flow-down language should be carefully drafted to (1) specify the required CMMC level for each subcontract; (2) require subcontractors to maintain certification for the duration of performance; and (3) reserve audit or verification rights tied to SPRS data. A wrong, or missing, clause could expose the prime to a breach-of-contract claim.
  • Monitor Certification Lifecycles and Renewal Obligations: The rule requires that contractors hold a current CMMC certificate not only at award, but throughout contract performance. That means companies must track expiration dates, renewal cycles, and any reassessment requirements. A lapsed certificate during performance could prevent the DoD from exercising an option year or could even create a cause for termination.
  • Be Aware of the False Claims Act (FCA) Risk: A contractor that represents, either explicitly or implicitly, that it has a valid CMMC certification when it does not may face significant penalties. The same is true for maintaining non-compliant systems while continuing to invoice the government. The best defense is transparency. If a contractor identifies a control gap, it should disclose it and document its remediation plan, rather than over-certify its readiness. A truthful self-assessment with clear POA&Ms is far safer legally than an inflated certification that could later be challenged.
  • Track the Phased Implementation Schedule: Under DFARS 204.7504, CMMC requirements are rolling out in phases between 2025 and 2028. Initially, contracting officers may include the CMMC clause in select solicitations based on program risk; after November 10, 2028, inclusion becomes mandatory for any contract involving FCI or CUI. Contractors that rely heavily on DoD work should plan backward from that 2028 date. Those bidding on new programs or recompetes should expect to see CMMC requirements well before then. Early compliance not only avoids eligibility issues, it can also become a competitive differentiator in source selections.
  • Finally, Verify Through SPRS and Maintain Internal Records: CMMC certifications and statuses are tracked in SPRS. Contractors should ensure their records there are accurate and align with the certification’s UID for the applicable covered system(s). Internally, companies should maintain organized files containing the CMMC certificate, POA&M documentation, assessor reports, and internal correspondence verifying compliance. These records serve as evidence of due diligence and are often the first thing counsel will need if a dispute or government inquiry arises.

If you have any questions about your company’s compliance with cyber regulations, concerns about vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins' national data privacy and cybersecurity team.
