On September 10, 2025, the Department of Defense (DoD) published its final Cybersecurity Maturity Model Certification (CMMC) rule in the Federal Register. The rule takes effect on November 10, 2025, officially launching a three-year rollout of cybersecurity requirements across DoD contracts.
DoD procuring activities will assign solicitations and contracts a CMMC Level, either Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC), depending on the type and sensitivity of the information being shared with or developed by the contractor. CMMC is to be rolled out in phases to give the DoD contracting community sufficient time for training and compliance. Phase 1 starts on November 10, 2025.
Until November 9, 2028, contracting officers will insert DFARS 252.204-7021 in solicitations and contracts if the program office or requiring activity determines that the contract is required to have a specific CMMC Level (excluding contracts solely for the acquisition of commercially available off-the-shelf (COTS) items).
Starting on November 10, 2028, contracting officers must insert DFARS 252.204-7021 in solicitations and contracts if the program office or requiring activity determines that the contractor is required to use contractor information systems during performance to process, store, or transmit FCI or CUI (excluding contracts solely for COTS items).[1]