The Pentagon has issued the final Defense Federal Acquisition Regulation Supplement, or DFARS, rule implementing the contractual requirements of the Cybersecurity Maturity Model Certification, or CMMC, program.
The Department of War said Tuesday the final DFARS rule, or 48 CFR, seeks to ensure that contractors properly safeguard federal contract information, or FCI, and controlled unclassified information, or CUI, by including CMMC assessment requirements in the department’s procurement efforts.
“We expect our vendors to put U.S. national security at the top of their priority list,” said Katie Arrington, a previous Wash100 awardee who currently performs the duties of the DOW chief information officer.
“By complying with cyber standards and achieving CMMC, this shows our vendors are doing exactly that,” Arrington added.
The final CMMC rule is expected to be published in the Federal Register on Tuesday, Sept. 10.
What Is the 48 CFR Rule?
In a July 25 blog post, managed security services provider Summit 7 said the final 48 CFR, or Code of Federal Regulations, rule on CMMC is one of the two regulations governing the CMMC program. The other regulation is 32 CFR Part 170, which outlines the program’s requirements, assessments, department policy, roles and levels and has been in effect since December 2024.
According to Summit 7, 48 CFR Parts 204, 212, 217 and 252 seek to implement the CMMC program’s acquisition policy and standardized contract language.
The final 48 CFR rule is required to officially authorize the inclusion of CMMC language in solicitations and contracts and is set to take effect in November.
Summit 7 said that the final 48 CFR rule does not alter the core program requirements but authorizes contracting officials to include CMMC language in solicitations, incorporates the DFARS 252.204-7021 clause into contracts and begins the four-phase CMMC program implementation.
What Is the CMMC Program?
The CMMC Program aligns with the department’s existing information security requirements for the defense industrial base. It requires companies entrusted with sensitive unclassified information to implement cybersecurity standards at progressively advanced levels. CMMC assessments allow the Pentagon to verify contractors’ implementation of existing cyber standards.
CMMC Level 1 requires basic protection of FCI and includes annual self-assessment and affirmation.
CMMC Level 2 covers broad protection of CUI and requires either a self-assessment or evaluation by a CMMC third-party assessment organization, or C3PAO, every three years. It also requires annual affirmation.
CMMC Level 3 covers higher-level protection of CUI against advanced persistent threats. Requirements include achieving CMMC status of final Level 2; undergoing an assessment by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC, every three years; and providing an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.
Preparing for CMMC Compliance
According to Summit 7, contractors in the defense industrial base handling CUI that plan to compete for contracts in 2026 or earlier should now be in the implementation and assessment phase of the CMMC program.
The company stated that preparing for the CMMC program takes time because most contractors need nine to 12 months to fully implement NIST 800-171, validate compliance and pass a C3PAO assessment. It also noted that CMMC Level 2, which includes C3PAO assessments, can be required starting in 2025.
Summit 7 warned that organizations have no time to delay if they need to be certified under CMMC by the first quarter of fiscal year 2026.