LawFlash

DOD Finalizes CMMC Rules, Adding Cybersecurity and False Claims Act Compliance Risks

October 31, 2025

The US Department of Defense has issued its final rule implementing the Cybersecurity Maturity Model Certification program, effective November 10, 2025. The rule establishes new cybersecurity requirements for federal contractors and subcontractors, introduces phased compliance deadlines, and heightens potential False Claims Act risks tied to inaccurate reporting.

The long-anticipated Cybersecurity Maturity Model Certification (CMMC) requirements begin to take effect on November 10, as the US Department of Defense (DOD) published its Defense Federal Acquisition Regulation Supplement (DFARS) final rule that incorporates these new cybersecurity requirements into federal contracts. Although CMMC requirements will be mandatory for some DOD contracts under which Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) is processed, stored, or transmitted, civilian agencies have discretion to include their own CMMC requirements in their contracts. This development means that companies doing business with the DOD or civilian agencies should ensure that their cybersecurity systems are prepared to meet the CMMC audit and certification requirements.

Many companies that routinely engage in DOD work have been tracking the CMMC requirements for some time in preparation for their implementation, but these requirements may be less familiar to companies that engage in government contracting on a less frequent basis. And since CMMC requirements may be included in civilian agency contracts and could trigger significant False Claims Act (FCA) liability, among other issues, companies across all industries (including healthcare, technology, energy, and manufacturing) would be well advised to consider whether they currently maintain agreements with DOD or civilian agencies that could incorporate CMMC requirements and, if so, take stock of the compliance measures that may be required.

CMMC REQUIREMENTS OVERVIEW

CMMC is a cybersecurity framework used to assess contractors’ information security programs. There are three CMMC compliance levels that impose different cybersecurity requirements, assessments, and certifications:

  • Level 1: Applies to contractors that handle FCI, which is any information not intended for public release that is provided by or generated for the government under a government contract. Generally, compliance requires implementing Federal Acquisition Regulation 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) and the 15 security controls that clause specifies. Contractors that handle FCI are required to complete annual self-assessments and affirmations regarding compliance with Level 1 cybersecurity requirements.
  • Level 2: Applies to contractors that handle CUI, which is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Generally, compliance requires that contractors implement the 110 NIST 800-171 security requirements, which is an existing obligation for contractors subject to DFARS 252.204-7012. Contractors are required either to perform a self-assessment of compliance or to secure an assessment by a CMMC Third-Party Assessment Organization (C3PAO).
  • Level 3: Applies to contractors that handle CUI and support the government’s most critical programs and technologies. Generally, compliance requires that contractors comply with NIST 800-171 and the additional 24 security requirements prescribed by NIST 800-172. Contractors subject to CMMC Level 3 must undergo review by the DOD Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and provide a certification of compliance with cybersecurity requirements.

In implementing the CMMC compliance requirements, the rule provides that companies may resolve conditional CMMC status for CMMC levels 2 and 3 within 180 days by closing out any outstanding items in their Plan of Action & Milestones (POA&M). When implementing these requirements, contractors must also report their cybersecurity compliance to the Supplier Performance Risk System (SPRS). Contracting officers are required to check SPRS before awarding a contract to ensure that the intended recipient has provided all required information. Notably, subcontractors similarly must report compliance and self-assessment results in SPRS, and prime contractors must confirm subcontractor compliance when awarding and administering subcontracts that involve FCI or CUI.

CMMC STATUS REQUIREMENTS

Contractors should be able to recognize the level of compliance they require under the CMMC program by either identifying the type of information they possess (e.g., FCI or CUI) or the designation in their contracts. Indeed, contracting officers will be required to include the required CMMC status level in solicitations and contracts according to the schedule below:

  • Phase 1 (November 10, 2025): Contracting officers will begin requiring self-assessed Level 1 & 2 CMMC status in applicable solicitations and contracts. Additionally, if the DOD so chooses, C3PAO-assessed Level 2 CMMC status may be required.
  • Phase 2 (November 10, 2026): Contracting officers will begin requiring C3PAO-assessed Level 2 CMMC status in applicable solicitations and contracts. Additionally, if the DOD so chooses, DIBCAC-assessed Level 3 CMMC status may be required.
  • Phase 3 (November 10, 2027): Contracting officers will begin requiring DIBCAC-assessed Level 3 CMMC status in applicable solicitations and contracts.
  • Phase 4 (November 10, 2028): Full implementation. Contracting officers will include CMMC status requirements in all applicable solicitations and contracts.

As solicitations and contracts begin including CMMC status requirements, contractors will only be awarded contracts if they meet or exceed the requirements.

SUBCONTRACTORS

As noted above, the CMMC status requirements in government contracts do not flow down to each one of a contractor’s subcontractors. Rather, they flow down based on the information the subcontractor will process, store, or transmit. Under the rule, contractors are required to consult the flow-down requirements laid out in 32 CFR §170.23, which state the following:

  • Level 1 (self-assessed): Required when the subcontractor will only process, store, or transmit FCI (and not CUI).
  • Level 2 (self-assessed): Required when the subcontractor will process, store, or transmit CUI.
  • Level 2 (C3PAO-assessed): Required when the subcontractor will process, store, or transmit CUI and the prime contractor is required to have a C3PAO-assessed Level 2 CMMC status or a DIBCAC-assessed Level 3 CMMC status.

In addition, any DOD solicitation can provide more specific or heightened requirements regarding the flow down for subcontractors.

COMPLIANCE BURDENS

The new CMMC DFARS rule imposes significant compliance burdens on government contractors. Although contractors have had time to prepare for implementation (indeed, the underlying substantive obligations of this rule date back to the implementation of DFARS 252.204-7012 in 2017), the rule prescribes a framework that is expected to significantly increase contractor accountability for compliance with contract-specific cybersecurity requirements. Particularly burdensome are the periodic certification requirements and the need to manage subcontractor relationships.

For example, self-assessed Level 1 and Level 2 CMMC status typically will require annual reassessment, and contracts requiring C3PAO-assessed Level 2 CMMC status will require annual recertification. Additionally, contractors that are required to maintain DIBCAC-assessed Level 3 CMMC status will need to complete that certification every three years.

The rule requires contractors to use a CMMC unique identifier (UID) to identify each information system that will process, store, or transmit FCI or CUI. The SPRS issues each UID when a CMMC assessment is submitted.

Further, contractors will be required to periodically reaffirm their CMMC status for the duration of their contracts and publish mandatory annual affirmations of continuous compliance for each information system in the SPRS. With respect to subcontractors, prime contractors are required to complete annual affirmations of continuous compliance in SPRS. These affirmations must be completed not only annually but also whenever CMMC compliance status changes, and they affirm that the applicable security requirements for each information system associated with a CMMC UID are met and that no changes in compliance have occurred.

ENFORCEMENT RISKS

The certifications required under the CMMC program significantly raise the compliance risk profile for contractors. Noncompliance with contract requirements can lead to serious consequences, including contractual and administrative remedies as well as civil FCA risk and even criminal liability under a variety of statutes prohibiting false statements to the government.

FCA risk is particularly significant for a few reasons, including (1) the increased focus over the last several years by both the government and qui tam relators on cybersecurity-based FCA allegations, (2) the heightened risk associated with CMMC subcontractor flow-downs, and (3) CMMC’s new affirmation and certification requirements that create an easier path to proving “false certification” liability under the FCA. These and other concerns will be discussed in further detail in a forthcoming article focused on the intersection between cybersecurity requirements, recent enforcement activity, and future risk.

KEY TAKEAWAYS

  • Beginning on November 10, DOD solicitations will begin including self-assessed Level 1 and 2 CMMC status requirements and may begin including C3PAO-assessed Level 2 CMMC status. Contractors should perform self-assessments now to ensure they are ready to comply once those requirements appear in solicitations, and should prepare to obtain C3PAO-assessed Level 2 CMMC status certification, if necessary.
  • Contractors with upcoming renewal options should prepare to impose the CMMC flow-down requirements on their subcontractors as necessary so that when the time for renewal comes, the contractors can affirm their subcontractors’ CMMC compliance.
  • Contractors should build out and test redundant systems for CMMC assessment and affirmation to ensure accurate assessment and reporting and confirm that timely reassessments and certifications are obtained.
  • Any possibility of noncompliance or compliance lapses should be flagged, assessed, and addressed.
  • Contractors should inform themselves of the enforcement risk associated with noncompliance by reading our forthcoming article, which will describe, among other things, recent FCA activity in this space.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

Authors
Daniel Funaro (Washington, DC)
Douglas W. Baruch (Washington, DC / New York)
Alexander B. Hastings (Washington, DC)
Hannah Levin (Washington, DC)
Eric W. Sitarchuk (Philadelphia)
Alison Tanchyk (Miami / Philadelphia)
Casey Weaver (Houston)
Justin D. Weitz (Washington, DC)
Jaclyn Unis Whittaker (Philadelphia)
Jennifer M. Wollenberg (Washington, DC / New York)