DoD Introduces New Cybersecurity Regulations for Defense Contractors

2025-09-12 politics

Washington, D.C., Friday, 12 September 2025.
The Department of Defense announced final cybersecurity regulations that require defense contractors to comply with the Cybersecurity Maturity Model Certification by November 2025 to secure contracts.

Introduction of the Cybersecurity Maturity Model Certification

On September 10, 2025, the U.S. Department of Defense (DoD) published its long-anticipated final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to introduce the Cybersecurity Maturity Model Certification (CMMC). This new framework is designed to enhance the protection of sensitive government information by establishing cybersecurity standards for defense contractors [1][2].

Phase-In Plan for Implementation

The CMMC requirements will be implemented in phases starting from November 10, 2025. During the first year, DoD will require at least a self-assessment for new contracts. The phased implementation will extend over three years, with increasing levels of certification required each year, culminating on November 9, 2028 [2][3].

Details of the Certification Levels

CMMC 2.0 introduces a simplified three-tiered assessment model. Level 1 requires a self-assessment for contractors managing Federal Contract Information (FCI). Level 2 involves both a self-assessment and third-party verification for contractors handling Controlled Unclassified Information (CUI). Level 3, which applies to high-value CUI, requires a formal assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) [4][5].

Implications for Contractors

These regulations underscore the growing emphasis on cybersecurity within defense procurement. Contractors must comply with the CMMC standards to remain eligible for government contracts; failure to meet them could result in ineligibility, which reflects the importance of cybersecurity in safeguarding national security interests. This regulatory development is part of a broader strategy to mitigate risks from cyber threats and improve the overall security posture of the defense industrial base [5][6].
