The Department of War has issued the final DFARS rule implementing the Cybersecurity Maturity Model Certification (CMMC). It was published on September 10, 2025, and will take effect on November 10, 2025. On that date, contracting officers can begin including new DFARS clauses in solicitations and contracts, formally tying cybersecurity compliance to eligibility for defense awards.
What Is CMMC and Why It Matters in 2025
The Cybersecurity Maturity Model Certification, or CMMC, is the Department of Defense’s framework for protecting sensitive information in the federal contracting space. Starting in October 2025, CMMC requirements will begin appearing in DoD solicitations. The rollout will occur in phases through 2028.
CMMC applies to both prime contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Even if it’s not yet written into your current contract, many prime contractors are already requesting proof of compliance or system readiness from their subs.