November 13, 2025

CMMC Regulations: Key Questions and Answers for Defense Contractors

Holland & Knight Alert
Christian B. Nagel | David S. Black | Amy L. Fuentes | Holly A. Roth

Highlights

  • The U.S. Department of Defense (DOD) issued the long-awaited final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program.
  • Effective Nov. 10, 2025, the regulations fundamentally change how cybersecurity requirements are incorporated into DOD contracts and subcontracts.
  • This Holland & Knight alert provides answers to common questions about how the new rule impacts defense contractors.

On Nov. 10, 2025, the long-awaited final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program became effective. This rule, discussed in a previous Holland & Knight alert (see link below), fundamentally changes how cybersecurity requirements are incorporated into U.S. Department of Defense (DOD) contracts and subcontracts.

What does this mean for defense contractors? Below are the most common questions asked and responses from Holland & Knight's Government Contracts Group:

1. Is CMMC real now?

Yes. The final DFARS rule indicates that CMMC requirements will be added to select DOD solicitations starting Nov. 10, 2025.

2. What new cybersecurity standards does CMMC create?

None. Generally speaking, CMMC imposes new assessment or certification requirements for cybersecurity obligations that had already been imposed in defense contracts and/or by previously published government standards.

3. So, what changed on Nov. 10?

What changes is the level of verification contractors must provide to demonstrate that they meet the preexisting cybersecurity obligations.

4. How will CMMC be implemented?

The requirements will be imposed through the clauses prescribed for applicable DOD¹ solicitations and contracts. The acquisition of commercially available off-the-shelf (COTS) items is excepted from the requirement. In particular, every DOD solicitation and contract that requires the processing, storage, or transmission of Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will now specify the exact CMMC level required for the contractor's information systems.

5. What levels of CMMC will be required?

The CMMC level is determined by the program office or requiring activity based on the sensitivity of the information and the risk profile of the contract:

  • Level 1: Federal Contract Information (FCI). Contractors must perform an annual self-assessment against the Level 1 requirements and post the results in the Supplier Performance Risk System (SPRS).
  • Level 2: Controlled Unclassified Information (CUI), in accordance with (IAW) DFARS -7012. Assessment is either:
    • a self-assessment, or
    • an assessment by a third-party assessor (Certified Third-Party Assessment Organization (C3PAO)).
  • Level 3: National Institute of Standards and Technology (NIST) 800-172 requirements; certification is performed by DOD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

6. What is the timing to come into compliance?

Plans of Action and Milestones (POA&Ms) must have specified end dates, with a maximum amount of time allowed before completion.

7. When will the requirements be imposed?

Requirements will be phased into DOD contracts, starting with major programs.

8. What are subcontractors' obligations for compliance?

Subcontractors must also comply; prime contractors are responsible for flowing down the requirements and, to a degree, for ensuring subcontractor compliance.

Please review our previous Holland & Knight alert, which provides a more detailed analysis of the final DFARS rule and recommendations for the next steps defense contractors should consider. (See "CMMC Goes Live: New Cybersecurity Requirements for Defense Contractors," Sept. 10, 2025).

Holland & Knight's Government Contracts Group is prepared to assist with navigating the new requirements, developing robust compliance programs and ensuring your organization remains eligible and competitive in the evolving defense contracting environment. For tailored advice on CMMC compliance strategies, contract review or supply chain management, please reach out to the authors.

Notes

¹ We continue to use the term "DOD" instead of Department of War (DOW) in accordance with currently effective regulations, including the FAR and DFARS.


Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.