Relevant Results
Sorry, there are no results matching your search.
Autocomplete suggestions are available. Use up and down arrows to review and enter to select.
See more results

Cybersecurity: DoD Final Rule on CMMC Contract Requirements

Three-year phase-in; Varying based on sensitivity/risk

KPMG Regulatory Insights

  • Preparedness: Assessments permit DoD to evaluate implementation of existing cybersecurity standards; anticipate potential amendments to strengthen safeguards as needed.
  • Phased-In Approach: Intended to provide impacted entities (DoD estimates 337,000 prime contractors and subcontractors) time to understand and implement CMMC assessment requirements.
  • Non-Compliance: Companies should proactively evaluate cybersecurity programs against the CMMC Level 1 and Level 2 assessment guides, and complete assessments as needed; non-compliance increases risk of ineligibility for awards or possible suspension, debarment, termination, or False Claims Act violations.
  • Third Parties/Subcontractors: Ensure subcontractors and suppliers that process, store, or transmit FCI or CUI meet the same CMMC level requirements as the prime contractor, including assessments and compliance affirmations.  

 

 

September 2025

The Department of Defense (DoD)1  finalizes a rule amending the DFARS (Defense Federal Acquisition Regulation Supplement) to formally incorporate the Cybersecurity Model Maturity Certification (CMMC) program into the DoD contracting process. The new rule requires DoD prime contractors and subcontractors to comply with the CMMC program as a condition of new contract awards involving sensitive information. The rule, commonly referred to as the 48 CFR Rule and hereinafter “Rule,” becomes effective November 10, 2025. The primary features include:

  1. Phased Implementation (e.g., three-year progression toward higher levels of security)
  2. CMMC Program Requirements (e.g., cybersecurity standards, assessment, affirmation)

1.  Phased Implementation

The Rule requires each new DoD solicitation and contract that requires a contractor (prime contractors and subcontractors) to process, store, or transmit information designated as FCI (federal contract information) or CUI (controlled unclassified information) to specify the necessary CMMC level (i.e., Levels 1-3) for a contractors’ information system (see CMMC Program table below). The CMMC level is determined by the program office based on the sensitivity of the information and risk profile of the contract. Contractors must have a current CMMC Status at the level required by a solicitation (or higher) to be awarded a contract.  

Application of the Rule will be phased-in over a three-year period:

Phase 1

Phase 2

Phase 3

Phase 4

  • Begins at the Effective Date (November 10, 2025)
  • Where applicable, solicitations will require Level 1 or Level 2 Self-Assessment
  • Begins 12 months after Phase 1 start
  • Where applicable, solicitations will require Level 2 Certification (by a Certified Third-Party Assessment Organization (C3PAO))
  • Begins 24 months after Phase 1 start
  • Where applicable, solicitations will require Level 3 Certification
  • Begins 36 months after Phase 1 start
  • All solicitations and contracts will include applicable CMMC level requirements as a condition of contract award


NOTE: The Rule includes a fill-in for the Contracting Officer to designate the CMMC level and level of certification required.  Offerors should be aware that Contracting Officers have the option to move faster than the established phase-in schedule.  Further, subcontractors may face requirements from prime contractors to meet specific CMMC levels and certifications before the government requires it.  

2.  CMMC Program Requirements

The CMMC program (commonly referred to as the 32 CFR Rule was finalized in October 2024) requires contractors to meet certain cybersecurity standards based on the type and sensitivity of the information to be processed, stored, or transmitted. The program comprises a tiered model – three distinct levels, each with its own assessment and certification requirements. The Rule formally incorporates this model into the DoD contracting process.

In particular, a contractor is required to perform a self-assessment or obtain a third-party assessment (as appropriate, see table below) of its compliance with certain existing cybersecurity regulations and guidelines. As amended by the Rule, contractors must disclose their level of compliance to the DoD Supplier Performance Risk System (SPRS) and maintain continuous compliance for the life of the contract. On an annual basis, each contractor must provide affirmation, by a senior business official (the “affirming official”), that each information system the contractor uses to handle FCI or CUI is compliant, consistent with the relevant CMMC program levels.

CMMC Level

Type of Information

Plan of Action Requirements

Assessment/Certification Requirements

Level 1 Foundational (Self-Assessment)

  • FCI - “Basic Safeguarding”
  • None
  • 15 requirements from FAR Clause 52.204-21
  • Annual self-assessment
  • Annual compliance affirmation uploaded to SPRS

Level 2 Advanced (Self-Assessment)

  • CUI – “Broad Protection”
  • Permitted as defined in § 170.21(a)(2) and must be closed out within 180 days
  • 110 requirements from NIST SP 800-171A
  • Self-assessment conducted every 3 years
  • Annual compliance affirmation uploaded to SPRS

Level 2 Advanced (C3PAO)

  • CUI – “Broad Protection”
  • Permitted as defined in § 170.21(a)(2) and must be closed out within 180 days
  • 110 requirements from NIST SP 800-171A
  • C3PAO assessment every 3 years
  • Annual compliance affirmation uploaded to SPRS

Level 3 Expert (DIBCAC – Defense Industrial Base Cybersecurity Assessment Center (part of the Defense Contract Management Agency))

  • CUI – “Higher Level Protection Again Advanced Persistent Threats”
  • Permitted as defined in § 170.21(a)(2) and must be closed out within 180 days
  • Pre-requisite CMMC Status Level 2 (C3PAO)
  • 110 requirements from NIST SP 800-171 R2 and 24 selected requirements from NIST SP 800-172 February 2021
  • DIBCAC assessment every 3 years
  • Annual compliance affirmation uploaded to SPRS
  • Annual Level 2 affirmation to also be completed

 

Eligibility for a contract award or extension will be contingent on having a current CMMC Status at or above the required level posted in the SPRS. Subcontractor assessment scores should be current and registered with the government. (Prime contractors will not have access to the government database and must work directly with the subcontractor to determine subcontractor compliance.)

In certain circumstances based on specific control scoring, the Rule introduces a framework that allows for a contractor that does not meet all of the necessary standards to be awarded a contract with a “conditional” status provided the contractor is actively working to close out a “plan of action and milestones” or POA&M. The POA&M is limited to CMMC Levels 2 and 3 standards and must be closed out within 180 days.

Key changes from the proposed rule include clarifications/amendments to certain definitions (e.g., “current,” “CMMC Status”), clarifications to policies and procedures related to CMMC Status, and updates to the solicitation provisions and contract clauses related to identification/eligibility. 

 

_________________________________________________

1Note: The President signed Executive Order 14347, Restoring the United States Department of War, on September 5, 2025 to rename the U.S. Department of Defense to the U.S. Department of War. The Rule has been published using the name U.S Department of Defense and that has been retained in this summary.

Dive into our thinking:

Cybersecurity: DoD Final Rule on CMMC Contract Requirements

Three-year phase-in; Multiple levels of compliance

Download PDF

Explore more

Points of View
Insight
Webcast Replay Webcast Upcoming Listen Now From The Web

Points of View

Insights and analyses of emerging regulatory issues and their impact.

Read more
Regulatory Insights View
Insight
Webcast Replay Webcast Upcoming Listen Now From The Web

Regulatory Insights View

Series covering regulatory trends and emerging topics

Read more
Insight
Webcast Replay Webcast Upcoming Listen Now From The Web

Regulatory Alerts

Quick hitting summaries of specific regulatory developments and their impact.

Read more

Subscribe to receive regulatory and compliance transformation insights

By registering you will periodically receive additional compliance-related communications from KPMG.

Subscribe

Thank you

You are now subscribed to receive Regulatory and Compliance Transformation insights and will receive a confirmation email in your inbox.

Subscribe to receive regulatory and compliance transformation insights

By registering you will periodically receive additional compliance-related communications from KPMG.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's . Privacy Statement

An error occurred. Please contact customer support.

Meet our team

Image of Amy S. Matsuo
Amy S. Matsuo
Principal, Growth & Strategy, Regulatory Insights, KPMG LLP
Read bio
Image of Ellen Ozderman
Ellen Ozderman
Advisory Managing Director, Line of Business, Technology, KPMG US
Read bio
Image of Michael Gomez
Michael Gomez
Principal, Cyber Security, KPMG US
Read bio
Image of Amy S. Matsuo
Amy S. Matsuo
Principal, Growth & Strategy, Regulatory Insights, KPMG LLP
Read bio
Image of Ellen Ozderman
Ellen Ozderman
Advisory Managing Director, Line of Business, Technology, KPMG US
Read bio
Image of Michael Gomez
Michael Gomez
Principal, Cyber Security, KPMG US
Read bio

KPMG. Make the Difference.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

The information contained herein is not intended to be “written advice concerning one or more Federal tax matters” subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230.

© 2025 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's . Privacy Statement

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Search now!

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Submit

Office locations

View locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Learn more

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Contact

Headline