Morgan Lewis Government Contractor Guidebook

YOUR GUIDE TO THE ISSUES THAT MATTER TO GOVERNMENT CONTRACTORS

CMMC in Effect: Cybersecurity Compliance Measures

The US Department of Defense (DOD) has implemented the Cybersecurity Maturity Model Certification (CMMC) program as of November 2025. The final rule implementing CMMC established new cybersecurity requirements for defense contractors and subcontractors and, as a result, heightened the risks of noncompliance, including potential False Claims Act (FCA) exposure.

Who Is Impacted?

CMMC requirements are mandatory for all DOD contracts under which Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) is processed, stored, or transmitted. Additionally, civilian agencies have the option of incorporating the CMMC requirements in their own contracts.

What Are the CMMC Requirements?

As explained in greater detail in our October 31, 2025 LawFlash, the CMMC program instituted three compliance levels. Level 1 applies to contractors that handle FCI (and not CUI) and requires only an annual self-assessment and affirmation. Levels 2 and 3 apply to contractors handling CUI. Level 2 requires either a self-assessment or an assessment by a Certified Third-Party Assessor Organization (C3PAO), depending on which the DOD specifies for the particular contract. Level 3 requires an assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and a contractor must already hold a C3PAO-assessed Level 2 status before it can be assessed at Level 3.

To pass a Level 1 assessment, contractors must implement Federal Acquisition Regulation 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) and the 15 basic safeguarding requirements that clause specifies. Level 2 and Level 3 contractors must implement the 110 security requirements of NIST SP 800-171 (Revision 2), and Level 3 contractors must additionally implement the 24 enhanced security requirements selected from NIST SP 800-172.

What Are the Compliance Timelines?

Though the DOD's CMMC final rule became effective on November 10, 2025, the compliance requirements are being phased in over three years. On November 10, 2025, contracting officers began requiring self-assessed Level 1 and Level 2 CMMC status in applicable solicitations and contracts. Later this year, on November 10, 2026, contracting officers will begin requiring C3PAO-assessed Level 2 CMMC status in applicable solicitations and contracts. On November 10, 2027, contracting officers will begin requiring DIBCAC-assessed Level 3 CMMC status in applicable solicitations and contracts. The phase-in concludes on November 10, 2028, after which the applicable CMMC requirement will be included in all covered solicitations and contracts.

How Does the CMMC Program Affect Subcontractors?

CMMC requirements do not automatically flow down to all of a covered contractor's subcontractors. Rather, the requirements flow down based on whether, and what kind of, information a subcontractor processes, stores, or transmits: a subcontractor that receives only FCI is subject to Level 1 even under a Level 2 or Level 3 prime contract, while a subcontractor that handles CUI must meet at least the Level 2 status that applies to the prime contract. Contractors must consult the subcontractor flow-down requirements laid out in 32 CFR Section 170.23 to determine the level that applies to each subcontractor.

What Are the Compliance and Enforcement Risks?

Noncompliance with the CMMC requirements can lead to both contractual and administrative remedies. Further, because the rule requires multiple certifications and affirmations over the life of a contract, any inaccurate certification or affirmation can give rise to liability under the FCA. FCA concerns may be especially acute given the increased focus of qui tam relators and the government on cybersecurity-based FCA allegations in recent years.

What Should Contractors Do Now?

  • First, all DOD contractors should determine whether they process, store, or transmit FCI or CUI. Any DOD contractor that does so is already subject to at least some CMMC requirements.
  • Next, those contractors should determine whether each of their subcontractors processes, stores, or transmits FCI or CUI, and ensure that the correct CMMC level flows down in new contracts, active contracts, and renewals.
  • Then, any contractor that handles CUI should prepare to obtain C3PAO-assessed Level 2 CMMC status, since contracting officers will begin requiring it in applicable solicitations and contracts on November 10, 2026.
  • Lastly, contractors should implement internal processes for CMMC assessment and affirmation that ensure accurate assessment and reporting, and that track when reassessments, recertifications, and annual affirmations are due.