DFARS Implementing CMMC Finalized by DoD


The Defense Federal Acquisition Regulation Supplement (DFARS) rule implementing the Cybersecurity Maturity Model Certification (CMMC) program has been finalized. The rule, published in the Federal Register, becomes effective November 10, 2025. With this action, the Department of Defense (DoD) (now the Department of War) makes CMMC compliance a contractual requirement on all solicitations and contracts.

DFARS 252.204-7021 is the clause that sets out the Cybersecurity Maturity Model Certification (CMMC) requirements for Department of Defense contracts. It requires defense contractors to hold a specified CMMC level as evidence that they meet the applicable cybersecurity requirements. CMMC was created to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Until now, a class deviation had postponed contracting officers from including the CMMC compliance requirement in DoD contracts.

Department CIO Sets Expectations

The Department of War's chief information officer stated that defense contractors are expected to place a high priority on U.S. national security. CMMC has been created and revised to give the defense industrial base a consistent methodology for cybersecurity requirements. The program has faced numerous delays because of the complex rulemaking process and its phased implementation approach. Many have argued that it imposes significant compliance costs that place unrealistic burdens on small businesses.

CMMC Implementation Timelines

CMMC assessments are conducted by Certified Third-Party Assessment Organizations (C3PAOs) according to DoD contracting requirements. The CMMC program defines three levels:

  • Level 1: Requires an annual self-assessment and affirmation of compliance with 15 basic security requirements.
  • Level 2: Involves a more comprehensive assessment every three years, focusing on 110 security requirements from NIST SP 800-171.
  • Level 3: Similar to Level 2 but includes additional requirements to protect against advanced persistent threats.

CMMC is being rolled out in phases to strengthen cybersecurity among defense contractors. Starting November 10, CMMC Level 1 requirements will be added to new contracts, RFPs, and RFIs. By October 31, 2026, Phase 2 will require Level 2 contractors to be compliant. Phase 3 is slated to begin 24 months after the initial rollout, and full implementation is expected 36 months after the start of Phase 1.

CVG Strategy CMMC Consultants

After significant delays, the DFARS requirements implementing CMMC for DoD contractors and subcontractors are here. Many small businesses struggle to meet CMMC requirements because of limited budgets and a lack of qualified personnel. CVGS can provide guidance and help your organization understand and implement CMMC.

We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation. We can help you meet your information security management system (ISMS) goals. CVG Strategy QMS experts can provide the training required to understand and engage in an ISMS and make it meet your desired objectives.

Identify CUI Areas with CVG Strategy Signs

CVG Strategy provides signs that identify areas containing CUI and export-controlled items. These signs should be posted at all facility entrances where products are produced or services are performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations, Title 22, Code of Federal Regulations (CFR), Parts 120-130.

Kevin Gholston
