Oct. 23, 2025
Hold Onto Your Hats, DIB—The CMMC Contract Clauses Are Finally Live
As early as November 10, 2025, defense contractors could begin to see the long-awaited Cybersecurity Maturity Model Certification (“CMMC”) clauses included in contracts, solicitations, contract modifications, the exercise of contract options, or performance extensions. Until November 9, 2028, the new rule, sometimes called the CMMC Clause Rule, requires the Department of Defense (“DoD”) to include mandatory CMMC compliance language in contracts where the program office or requiring activity determines that the contractor must have a specific CMMC level. On or after November 10, 2028, DoD must include mandatory CMMC compliance language in contracts where the program office or requiring activity determines that the contractor must use contractor information systems in the performance of a contract, task order, or delivery order to process, store, or transmit Federal Contract Information (“FCI”) or Controlled Unclassified Information (“CUI”).
TL;DR
Starting on or after November 10, 2025, CMMC compliance may become a prerequisite for contract award or modification—contractors who are not ready risk being sidelined. Now is the time to assess your cybersecurity posture, identify your required CMMC level, and begin certification preparations.
Catch Me Up
On September 10, 2025, the Department of Defense (“DoD”) issued a final rule that, when it goes into effect on November 10, will enable contracting officers to include language requiring CMMC compliance as a condition of contract award in solicitations. [1] CMMC is “a framework . . . for assessing a contractor’s information security protections.” [2] The new rule, sometimes called the CMMC Clause Rule, “prescribes policies and procedures for including the [CMMC] level requirements in DoD contracts.” [3] The Clause Rule is the latest step taken by the DoD to fully implement the CMMC program. On December 16, 2024, the DoD also finalized a rule setting forth the mechanics of the CMMC program (sometimes called the CMMC Program Rule). [4] Although the CMMC Program Rule established the meat and potatoes of the CMMC regulations, the rule that will go into effect on November 10 sets forth the clauses necessary for DoD contracting officers to actually apply the CMMC Program Rule’s compliance requirements to defense contractors by including those clauses in solicitations and contracts.
Read Me In
As an initial matter, the system security requirements that must be applied by all Federal agencies for the protection of FCI and CUI and that underlie CMMC are not new; some have been in existence for nearly a decade. [5] And, although CMMC provides assessment, attestation, and verification mechanisms, it will not change the security or incident reporting obligations of those underlying requirements—48 C.F.R. § 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (NOV 2021); National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 R2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations; and NIST SP 800-172 (FEB 2021), Enhanced Security Requirements for Protecting CUI. Nonetheless, the implementation of the CMMC Clause Rule on November 10 will be a significant step because the DoD will no longer rely solely on contractor self-representations and affirmations to confirm that they meet these system security requirements. Rather, once CMMC is fully implemented, defense contractors will be required to comply with CMMC, undergo assessments to confirm that compliance, and attest to such compliance to do business with the DoD. This will not only provide increased assurance to the DoD that a defense contractor can adequately protect sensitive unclassified information, but will also help protect that information and intellectual property from malicious activity, the impact of which has been significant on the U.S. economy and national security.
Specifically, the CMMC Clause Rule:
- Requires a contracting officer to include any required CMMC level in a solicitation if it is provided by the relevant program office or requiring activity.
- Prohibits a contracting officer from awarding a contract, task order or delivery order to, or exercising an option period or extending a period of performance related to, an offeror that does not have a CMMC status at at least the required level that is not more than 3 years old and is posted in the Supplier Performance Risk System (“SPRS”).
- Requires that, at the time of the award, contractors achieve a CMMC status at at least the required level for any information system that will process, store, or transmit FCI or CUI and that will be used in the performance of a contract, task order, or delivery order; and maintain that status for the life of the contractual instrument.
- Requires use of the 252.204-7021 clause (the “-7021 Clause”), Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements, until November 9, 2028, if the program office or requiring activity determines that the contractor is required to have a specific CMMC level; and on or after November 10, 2028, if the program office or requiring activity determines that the contractor is required to use contractor information systems in the performance of a contract, task order, or delivery order to process, store or transmit FCI or CUI.
- Provides an exception to the requirements of the -7021 clause for acquisitions that are solely for commercial off-the-shelf (“COTS”) items. [6]
What Is “CMMC Status”?
A CMMC status is the result of meeting or exceeding the minimum required score for a corresponding assessment.
Potential statuses include:
- Final Level 1 (with a self-assessment);
- Conditional Level 2 (with a self-assessment);
- Final Level 2 (with a self-assessment);
- Conditional Level 2 (with a CMMC Third-Party Assessment Organization, or C3PAO, assessment);
- Final Level 2 (with a C3PAO assessment);
- Conditional Level 3 (with a Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC, assessment);
- Final Level 3 (with a DIBCAC assessment).
A CMMC status, other than a Level 1 CMMC status, which must be final for award, may be conditional for a period of 180 days or less. An award can be made to a government contractor with a conditional CMMC level. However, an offeror with a conditional CMMC status must successfully close out any plan of action and milestones (“POA&M”) to achieve a CMMC final status.
If You Retain Nothing Else…
The -7021 clause is the heart of the CMMC Clause Rule. Though it is largely the same as past versions, changes were made to harmonize the -7021 clause with Federal Acquisition Regulation (“FAR”) 52.204-21, the FAR Basic Safeguarding of Covered Contractor Information Systems clause, as well as with the CMMC Program Rule. In this regard, the version of the -7021 clause that will go into effect on November 10, 2025, requires a contractor to:
- Have and maintain a current CMMC status at at least the required level for each relevant information system for the life of a contractual instrument.
- Flow down the correct CMMC level to relevant subcontracts and other contractual instruments, excluding subcontracts solely for COTS, and ensure that relevant subcontractors have a current CMMC certificate or status at the appropriate CMMC level prior to award of a subcontract or other contractual instrument. [7]
- Only process, store, or transmit FCI or CUI on contractor information systems that have a CMMC status of at least the required CMMC level.
- Have its affirming official complete annually and maintain in SPRS an affirmation of continuous compliance with the requirements of the necessary CMMC level for each relevant contractor information system.
- Ensure that all subcontractors and suppliers have their affirming official complete, prior to subcontract award, and maintain annually, an affirmation of the subcontractor’s or supplier’s continuous compliance with the requirements associated with the required CMMC level for each relevant subcontractor information system.
- Close out any POA&M to achieve a Final CMMC status if the contractor has a Conditional CMMC status.
- Report the CMMC unique identifier (“CMMC UID”) issued by SPRS for any relevant contractor information system, as well as any changes to a CMMC UID during the life of a contractual instrument.
- Enter the results of any self-assessment for each relevant contractor information system in SPRS.
- Maintain a current affirmation of continuous compliance by an affirming official for each self-assessment, certified C3PAO, or DIBCAC assessment required under a contract in SPRS. [8]
The CMMC Program Rule does provide a waiver whereby, “[i]n very limited circumstances . . . [DoD] may elect to waive inclusion of CMMC Program requirements in a solicitation or contract.” [9]
Also noteworthy is the -7025 clause, Notice of Cybersecurity Maturity Model Certification Requirements, which must be used in any solicitations that contain the -7021 clause. The -7025 clause makes an offeror ineligible for an award if, for each relevant information system, an offeror does not have: (1) A current CMMC status entered into SPRS at at least the required CMMC level; and (2) A current affirmation of continuous compliance with the relevant CMMC security requirements. [10] It also requires that offerors’ proposals include the CMMC UIDs issued by SPRS for each relevant contractor information system, updated as necessary; and that offerors with a Conditional CMMC status successfully close out a POA&M to achieve a Final CMMC status. [11]
What’s CMMC Got To Do With Me?
It is estimated that the CMMC compliance regime will impact approximately 337,968 Defense Industrial Base (“DIB”) contractors, of which approximately 229,818, or 68%, are expected to be small businesses. [12] The CMMC compliance requirements are also expected to be rolled out in four phases. The first phase will begin on November 10, during which the DoD will include the requirement for CMMC Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of award. [13] CMMC Level 1 is required for contracts and subcontracts that handle FCI, and CMMC Level 2 is required for contracts and subcontracts that involve the handling of CUI. During Phase 2, which is expected to begin in or around November of 2026, in addition to the Phase 1 requirements, DoD will include the requirement for CMMC Level 2 (C3PAO) for applicable DoD solicitations and contracts as a condition of award. [14] In Phase 3, which is expected to begin in or around November of 2027, in addition to the Phase 1 and 2 requirements, DoD will include the requirement for CMMC Level 2 (C3PAO) for all applicable DoD solicitations and contracts as a condition of award and as a condition for the exercise of an option period on a contract awarded after November 10, 2025. [15] During Phase 3, DoD also intends to include the requirement for CMMC Level 3 (DIBCAC) for all applicable DoD solicitations and contracts as a condition of award. [16] CMMC Level 3 applies to contracts that involve the handling of CUI where the DoD has determined that additional safeguarding requirements are necessary. Finally, in Phase 4, the full implementation phase, which is expected to begin in or around November 2028, DoD will include all CMMC Program requirements in applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4. [17]
Though DoD’s phase-in approach may lessen the associated compliance burden on defense contractors, absent a waiver, contracts containing CMMC clauses cannot be awarded to contractors and subcontractors that do not meet the applicable CMMC system security requirements. Therefore, government contractors that do business with the DoD, that act as subcontractors on DoD contracts, or that hope to do so in the future should start becoming CMMC compliant as soon as possible, if they have not begun doing so already. CMMC compliance is expected to take six to twelve months, so government contractors aiming to do business with the DoD in 2026 should start the CMMC compliance process now.
The Nelson Mullins Cybersecurity & Data Breach Response and Government Contracts & Grants teams can help you get CMMC ready. Specifically, we can assist you in:
- Conducting compliance assessments for CMMC readiness.
- Assessing your subcontractor’s CMMC readiness.
- Reviewing and updating cybersecurity and privacy policies, notices, and technical configurations.
- Providing training and guidance to mitigate enforcement risk.
We would be pleased to connect and explore how our team can support your organization’s CMMC readiness. If an introductory strategy session would be helpful, we would be glad to walk through key compliance steps and share tailored insights.
[1] 48 C.F.R. § 204.7500 et seq. Contractors may see language mandating Cybersecurity Maturity Model Certification (“CMMC”) compliance before November 10, 2025, where a contract would not be awarded, an option would not be extended, or a modification would not go into effect until after that date. Pursuant to 32 C.F.R. § 170.3(e), DoD also has the discretion to include the requirement for CMMC Status of Level 1 (Self) or Level 2 (Self) for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to November 10, 2025. DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status for applicable DoD solicitations and contracts.
[2] 48 C.F.R. § 204.7500(a); see also 32 C.F.R. part 170.
[3] 48 C.F.R. § 204.7500(a).
[4] 32 C.F.R. part 170.
[5] Federal Contract Information is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. 48 C.F.R. § 204.7501. Controlled Unclassified Information is information the Government creates or possesses, or information an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls. Id.
[6] 48 C.F.R. §§ 204.7502–204.7504(a).
[7] “A subcontractor that does not process, store or transmit FCI or CUI on its subcontractor information systems during performance of the subcontract would not have a requirement for a CMMC assessment.” 90 Fed. Reg. 43,563.
[8] 48 C.F.R. § 204.7504.
[9] 32 C.F.R. § 170.5(d).
[10] 48 C.F.R. § 204.7504.
[11] Id.
[12] 90 Fed. Reg. 43,571.
[13] 32 C.F.R. § 170.3. DoD also has discretion during Phase 1 to include a requirement for CMMC Level 2 (C3PAO) in place of a requirement for CMMC Level 2 (Self) for applicable DoD solicitations and contracts.
[14] Id. In Phase 2, DoD also has discretion to delay the inclusion of the requirement for CMMC Level 2 (C3PAO) to an option period instead of as a condition of contract award and to include the requirement for CMMC Level 3 (DIBCAC) for applicable DoD solicitations and contracts. A C3PAO, or a CMMC Third-Party Assessment Organization, is a third-party organization that has been authorized or accredited to conduct Level 2 certification assessments.
[15] Id.
[16] Id. During Phase 3, DoD has discretion to delay the inclusion of the requirement for CMMC Level 3 (DIBCAC) to an option period instead of as a condition of contract award. The DIBCAC, or the Defense Industrial Base Cybersecurity Assessment Center, is an organization of the Defense Contract Management Agency that will perform Level 3 assessments.
[17] Id.