Advisories November 11, 2025

Privacy, Cyber & Data Strategy Advisory | CMMC Brings New Era of Cybersecurity Compliance for Defense Contractors

Executive Summary

Our Privacy, Cyber & Data Strategy Team breaks down the Department of Defense’s finalized Cybersecurity Maturity Model Certification (CMMC) rule, which establishes a tiered compliance framework that will soon be mandatory for all defense contractors and subcontractors.

  • Contractors must achieve and maintain the required CMMC level, based on the sensitivity of information handled, to be eligible for DoD contracts
  • Discretionary adoption begins November 2025, with mandatory compliance for applicable contracts by November 2028
  • Prime and subcontractors should immediately assess their information security posture, certification needs, and subcontractor compliance to prepare for stricter oversight

On September 10, 2025, the Department of Defense (DoD) published a final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program through the Defense Federal Acquisition Regulation Supplement (DFARS). This Acquisitions Rule took effect November 10, 2025 and initiates the implementation schedule of the compliance framework in the CMMC Program Rule (32 C.F.R. Part 170) that took effect on December 16, 2024. 

By integrating the CMMC into the DFARS, the Program Rule represented a transformative shift for defense contractors and subcontractors handling federal contract information (FCI) and controlled unclassified information (CUI). Now, with the implementation of the Acquisitions Rule, CMMC compliance will become a precondition of eligibility for contractors to bid on and win defense contracts, as well as a requirement to maintain eligibility throughout the contract term. 

Both existing and prospective contractors should be prepared to demonstrate compliance with security requirements—such as those outlined in NIST SP 800-171 or NIST SP 800-172—to meet CMMC obligations, to ensure that subcontractors are CMMC-compliant, and to mitigate the risk of potential False Claims Act (FCA) liability from these increasingly complex and stringent requirements.

CMMC Compliance Levels

The Program Rule outlines three levels of CMMC compliance, which are generally tied to the sensitivity of the information that the contractor stores, processes, or transmits. All three levels require the contractor or subcontractor to conduct an annual assessment of their compliance and to post the results of the assessment—along with an affirmation attesting compliance—to the Supplier Performance Risk System (SPRS) and to retain artifacts of compliance used for the assessment for at least six years after the contractor submits the results of its CMMC assessment. Moreover, under the Acquisitions Rule, DoD contracting officers must verify CMMC compliance before a contract award.

Level 1

Level 1 applies to contractors that process, store, or transmit FCI, which “means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It does not include information provided by the Government to the public, such as on public websites, or simple transactional information, such as information necessary to process payments.” 

The cybersecurity requirements at this level are derived from FAR 52.204-21, which outlines 15 basic safeguarding controls intended to ensure that basic cyber hygiene and physical security control practices are in place to protect FCI from unauthorized access and disclosure.

Contractors must conduct annual self-assessments of their compliance, but a third-party assessment is not required at this level.

To obtain certification at Level 1, a contractor must demonstrate full compliance before a contract award and cannot have any plans of action and milestones (POAMs). 

Level 2 

Level 2 applies to contractors that handle CUI, which means “information the Government creates or possesses, or information an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.” However, CUI does not include classified information or information a non-Executive Branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. 

The cybersecurity requirements at this level align with the 110 security controls outlined in NIST SP 800-171 Rev. 2, which are designed to protect CUI in nonfederal systems and organizations. 

Depending on the program office’s determination, assessments may be conducted by the contractor (as a self-assessment) or a CMMC third-party assessment organization (C3PAO).

Certification at Level 2 is valid for three years, but contractors must submit annual affirmations to SPRS to confirm continued compliance. 

Cloud service providers that handle CUI must obtain Federal Risk and Authorization Management Program moderate authorization or meet equivalent security requirements.

Contractors seeking a Level 2 certification must implement the security requirements specified in NIST SP 800-171 Rev. 2 for either the self-assessment portion under 32 C.F.R. 170.16 or the C3PAO portion under 32 C.F.R. 170.17. 

At Level 2, certifications begin to divide into conditional, or interim, status and final status. A contractor may only achieve a CMMC status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all the following conditions are met: 

  • The contractor must achieve a score of at least 80% for the Level 2 security requirements, relative to the weighted total of those requirements.
  • POAMs are not permitted for any security controls that contain a point value greater than “1” as specified by CMMC scoring methodology except for, in some instances, the CUI encryption security control.
  • None of the following security controls may be included in the POAMs:
    • External Connections (CUI Data)
    • Control Public Information (CUI Data)
    • System Security Plan
    • Escort Visitors (CUI Data)
    • Physical Access Logs (CUI Data)
    • Manage Physical Access (CUI Data)

To achieve a Final Level 2 status, the contractor must either complete the assessment without any POAMs or must perform a POAM closeout within 180 days of the CMMC status date associated with achieving Conditional Level 2 (Self) or Conditional Level 2 (C3PAO).

Level 3 

Level 3 is reserved for contracts involving highly sensitive CUI, particularly when the information is subject to heightened risk from advanced persistent threats. In addition to satisfying all Level 2 requirements, Level 3 contractors must implement 24 enhanced security controls from NIST SP 800-172.

Any Level 2 POAMs must be closed before the initiation of the Level 3 certification assessment. 

To achieve Level 3 conditional status, the contractor must meet the following criteria: 

  • Achieve a score of at least 80% for all Level 3 security requirements.
  • The Level 3 POAMs may not include any of the following security requirements:
    • Security Operations Center
    • Cyber Incident Response Team
    • Threat-Informed Risk Assessment
    • Supply Chain Risk Response
    • Supply Chain Risk Plan
    • Security Solution Rationale
    • Specialized Asset Security

Assessments at this level are conducted exclusively by the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

To achieve a Final Level 3 status, the contractor must either complete the assessment without any POAMs or must perform a POAM closeout within 180 days of the CMMC status date associated with achieving Conditional Level 3 (DIBCAC).

A Level 3 certification assessment must be performed every three years for all information systems within the Level 3 CMMC assessment scope. 

Implementation Timeline

Both the Program Rule and Acquisitions Rule have separate timeframes for their implementation. The Program Rule timeframes fit within the Acquisitions Rule’s much broader structure. The schedule below shows the regulatory changes government contractors can expect to see over the next three years: 

  • November 10, 2025 – November 9, 2028 (Acquisitions Rule). During this discretionary period, DoD program offices will have discretion whether to include CMMC clauses in solicitations. Contractors should expect variability across programs and agencies.
    • November 10, 2025 (Program Rule). The DoD can begin to condition awards of relevant DoD solicitations and contracts on the completion of Level 1 or Level 2 self-assessments.
    • November 10, 2026 (Program Rule). The DoD can begin to condition awards of relevant DoD solicitations and contracts on Level 2 C3PAO assessment requirements and Level 3 DIBCAC assessment requirements.
    • November 10, 2027 (Program Rule). The DoD can begin to include Level 2 C3PAO assessment requirements through its exercise of options in active DoD contracts.
  • Beginning November 10, 2028 (Acquisitions Rule and Program Rule). CMMC clauses become mandatory in all applicable DoD contracts. Contractors must be certified at the required level to be eligible for award and to continue performance.

Subcontractors

The Program Rule makes clear that the requirements of the CMMC Program “apply to prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit any FCI or CUI on contractor information systems in the performance of the DoD contract or subcontract.” The Acquisitions Rule applies to all contracts except those exclusively for commercially available off-the-shelf items.

Enforcement and Risk Exposure

Contractors must maintain a current CMMC status throughout the contract life cycle. Misrepresentation of certification status or failure to maintain compliance may be viewed as material to claims submissions or government payment decisions, potentially triggering liability under the FCA. 

Over the past few years, regulators have increasingly focused on FCA enforcement based on real or perceived cybersecurity noncompliance. Since 2022, the Department of Justice has announced at least 12 cybersecurity-related FCA settlements, including high-profile cases against Illumina, MORSECORP, Pennsylvania State University (Penn State), Raytheon, and most recently Georgia Institute of Technology (Georgia Tech). Those matters have been joined by a host of whistleblower actions in qui tam cases and enforcement actions by other bodies, including the Federal Trade Commission. Given the potential increase in complexity and scope of cyber requirements facing contractors and subcontractors under the CMMC and the stringency of the CMMC framework, government contractors will continue to see enforcement and litigation activity in this space. 

Preparing for Compliance

Contractors should take immediate steps to prepare for the CMMC Program to take effect. Organizations seeking to obtain or maintain their status as contractors in possession of FCI or CUI should already be reviewing the data they process on behalf of the DoD, their current security posture, and the steps necessary to demonstrate compliance with the CMMC Program. At a minimum, organizations should be determining the applicable certification level based on the sensitivity of information they handle, engaging with C3PAOs to schedule assessments, reviewing subcontractor relationships to assess flowdown compliance, and establishing internal protocols to support affirmations and identify potential FCA risk.

Alston & Bird’s Privacy, Cyber & Data Strategy and False Claims Act Teams are uniquely positioned to assist in developing compliance plans and approaches for government contractors falling under the CMMC Program. We will continue to monitor developments in this space and FCA enforcement activity that will serve as a bellwether for continued cybersecurity enforcement trends. 
