
After years of development, the Pentagon finalized a rule Tuesday that officially enforces Cybersecurity Maturity Model Certification (CMMC) standards in defense contracts, marking a shift from policy to enforceable requirements across the defense industrial base.
Published in the Federal Register for public inspection, the rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) and will take effect on Nov. 10.
With the regulatory framework now in place, CMMC moves from concept to practice: contracting officers at the Department of Defense (DOD), which the Trump administration has rebranded as the Department of War, must apply cybersecurity tiers in all solicitations and contracts.
According to the Pentagon, the rule ensures all future DOD procurements “will include CMMC assessment requirements that ensure defense contractors properly safeguard the department’s Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).”
The CMMC program, introduced in 2020 and revised as CMMC 2.0 in 2021, requires contractors to meet cybersecurity benchmarks based on the sensitivity of the information they handle. The model includes three certification levels, ranging from basic protections for FCI to more stringent requirements for high-risk CUI. Contractors must also annually affirm compliance.
The final CMMC rule was released in October 2024, about a year before it will begin appearing in contracts.
While the Pentagon celebrates this milestone, the path to finalizing CMMC has been marked by industry pushback, multiple revisions, and ongoing concerns over cost and compliance. Developed during the first Trump administration, the program initially faced criticism from industry groups, which argued it was too complex and placed excessive regulatory burdens on companies.
These concerns prompted the creation of CMMC 2.0, which simplified the certification levels from five to three and introduced more flexible assessment requirements. Despite these changes, some industry stakeholders continued to resist.
However, whether the industry is ready or not, CMMC is now official.
“We expect our vendors to put U.S. national security at the top of their priority list,” Katie Arrington, the Pentagon’s acting chief information officer and one of the original architects of the CMMC program, said in a statement. “By complying with cyber standards and achieving CMMC, this shows our vendors are doing exactly that.”