48 CFR Parts 204 212 217 252

From CMMC Toolkit Wiki
Jump to navigation Jump to search


Federal Register / Vol. 90, No. 173 / Wednesday, September 10, 2025 / Rules and Regulations

Agency Information

Field Value
Agency Defense Acquisition Regulations System, Department of Defense (DoD)
Action Final rule
Docket DARS–2020–0034
RIN 0750–AK81
Effective Date November 10, 2025
Contact Ms. Heather Kitchens, telephone 571–296–7152

Summary

DoD is issuing a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the final Cybersecurity Maturity Model Certification (CMMC) program rule. This final DFARS rule also partially implements a section of the National Defense Authorization Act for Fiscal Year 2020 that directed the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base.

I. Background

  • DoD published an interim rule in the Federal Register at 85 FR 61505 on September 29, 2020, to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.
  • DoD subsequently published a proposed rule at 89 FR 66327 on August 15, 2024, to implement the contractual requirements related to CMMC. Ninety-seven respondents submitted public comments in response to the proposed rule.
  • Separately, a proposed rule to establish the CMMC program at 32 CFR part 170 was published at 88 FR 89058 on December 26, 2023. A final rule was published at 89 FR 83092 on October 15, 2024, and became effective on December 16, 2024.

II. Discussion and Analysis

A. Summary of Significant Changes From the Proposed Rule

1. Definitions

The final rule adds and modifies certain definitions at DFARS 204.7501, Definitions.

  • The definition of "current" was changed to clarify that it is related to having no changes in compliance with the requirements at 32 CFR part 170, and to clarify what "current" means when referring to "Conditional CMMC Status," "Final CMMC Status," and "affirmation of continuous compliance."
  • The term "DoD unique identifier" was updated to "CMMC unique identifier" to match the naming convention in the Supplier Performance Risk System (SPRS). The CMMC UID means ten alpha-numeric characters assigned to each contractor CMMC assessment and reflected in SPRS for each contractor information system.
  • The final rule adds the definition of "Federal contract information" based on the definition from the clause at FAR 52.204–21.
  • The final rule adds a definition of "plan of action and milestones" (POA&M) based on the definition codified at 32 CFR part 170.
  • The final rule adds the term "CMMC status" and a definition for the term.

2. Policy

DFARS 204.7502, Policy, includes language to add clarity by stating that for CMMC levels 2 and 3 only, a conditional CMMC status is permitted for a period not to exceed 180 days from the conditional CMMC date, in accordance with 32 CFR 170.21, and an award can occur with a CMMC conditional status. The language also clarifies that a final CMMC is achieved upon successful closeout of a valid POA&M.

3. Procedures

  • Language at DFARS 204.7503 was updated to add paragraph headings.
  • Language clarifies that contracting officers are required to check SPRS and not award a contract, task order, or delivery order to an offeror that does not have a current CMMC status posted in SPRS at the CMMC level required by the solicitation, or higher, for each CMMC UID provided by the offeror.
  • Paragraph (d) clarifies that all offerors are required to provide the CMMC UIDs applicable to each contractor information system that processes, stores, or transmits FCI or CUI and that will be used in performance of the contract.

4. Clause Prescription

At DFARS 204.7504, the prescription for the contract clause has been updated to clarify the phased implementation approach:

  • Until three years after the effective date of the rule: the clause will be prescribed for use if program managers and requiring activities make a determination to apply a CMMC requirement to contracts, excluding awards solely for the acquisition of commercially available off-the-shelf (COTS) items (unless the requirements at 32 CFR 170.5(d) are met).
  • Beginning three years and one day after the effective date of the rule: the clause will be prescribed for use if program managers and requiring activities determine that the contractor will be required to use contractor information systems in the performance of the contract to process, store, or transmit FCI or CUI, excluding awards solely for the acquisition of COTS items.

5. Solicitation Provision and Contract Clause

  • The contract clause has been updated to include a fill-in for the contracting officer to identify the CMMC level required by the contract.
  • The subcontract flowdown language has been updated to identify that subcontractors also must submit affirmations of continuous compliance and the results of self-assessments in SPRS.
  • The clause has been updated to include the term "affirming official" in place of "senior company official" to match 32 CFR part 170.
  • The solicitation provision and contract clause include the terminology needed for entering the CMMC level: CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); or CMMC Level 3 (DIBCAC).
  • The solicitation provision clarifies that offerors will not be eligible for award if the offeror does not have a current CMMC status entered in SPRS at the required level and a current affirmation of continuous compliance for each applicable contractor information system.

B. Analysis of Public Comments

Note: Technical and programmatic comments on CMMC, and comments related to the CMMC cost analysis, were addressed in the CMMC program rule that codified 32 CFR part 170. This DFARS rule addresses the nontechnical and nonprogrammatic comments.

1. Clarification of "Changes"

Comment: Several respondents asked for more clarity regarding what "changes" means in the proposed rule.

Response: Based on public comment, the final DFARS rule adds the sentence: "Submit to the Contracting Officer . . . any changes in the CMMC UIDs generated in SPRS throughout the life of the contract, task order, or delivery order, if applicable." The notification requirement to report lapses in information security or changes in compliance with 32 CFR part 170 was removed, since the reporting requirement at DFARS 252.204–7012 paragraph (c) already provides sufficient notification of relevant information security incidents.

2. Clarification of "Lapses in Information Security"

Comment: Several respondents asked for clarity on "lapses in information security" in proposed paragraph (b)(4) at DFARS 252.204–7021; several recommended it be removed.

Response: The requirement to notify the contracting officer of lapses in information security or changes in CMMC status has been removed from the final rule.

3. Editorial Changes

Comment: Respondents identified typos and recommended using "and/or" instead of "or" for CMMC UIDs.

Response: Editorial comments were noted; most were mooted by other final-rule changes. The "and/or" recommendation was not implemented because it could narrow the scope of the requirement beyond what was intended.

4. CMMC Level Notification and Compliance

Comment: Respondents asked how the required CMMC level will be communicated and determined, and requested clarity on phase-in exemptions for small businesses.

Response: The CMMC level determination is made in accordance with 32 CFR 170.19 (CMMC scoping) by the program office/requiring activity (for the prime contract) or the prime/next higher-tier subcontractor (for subcontracts). CMMC levels are: CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); and CMMC Level 3 (DIBCAC) (see 32 CFR 170.14). DoD did not incorporate the recommendation to limit CMMC inclusion in existing contracts, as contracting officers already have discretion to bilaterally modify existing contracts.

5. COTS Item Exclusion

Comment: Respondents requested clarification on the scope of the COTS exclusion.

Response: The rule does not apply to awards that are exclusively for COTS items, as defined at FAR 2.101. Any award exclusively for items meeting the FAR definition is considered an "exclusively COTS" award.

6. Extending the Certification Time for New Bidders

Comment: A respondent requested an extension of certification time for new bidders.

Response: Per 32 CFR part 170, contractors must have a CMMC self-assessment or certification at time of award; there is no delayed implementation for new bidders, though 32 CFR 170.21 allows a POA&M in certain instances.

7. Flowdown Requirements When Subcontractors Use Prime Contractor Information System

Comment: Respondents asked about flowdown when subcontractors use the prime's information system rather than their own.

Response: A subcontractor that does not process, store, or transmit FCI or CUI on its own systems has no CMMC assessment requirement. DoD does not have an automated tool giving primes visibility into subcontractor certification status in SPRS, but subcontractors may voluntarily share scores/certificates.

8. Definitions

a. CUI

Comment: Respondents asked to define CUI and streamline it with "covered defense information."

Response: The definition of CUI incorporates the definition codified at 32 CFR part 170; modifying it further is outside the scope of this rule.

b. FCI

Comment: A respondent requested clarification of "not intended for public release" and "simple transactional information," and whether FOIA-subject information is still FCI.

Response: A definition of FCI was added, based on FAR 52.204–21, with "information necessary to process payments" as an example of simple transactional information. Marking/FOIA comments are outside scope.

c. Current

Comment: Clarify whether "current" refers to date of assessment or date of certification.

Response: The final rule changes the definition of "current" to address this; the underlying requirements were established in 32 CFR part 170, and DoD cannot make changes beyond that in this DFARS rule.

d. Data

Comment: Respondents asked that "data" be replaced with "FCI and/or CUI" to narrow scope.

Response: Based on public comments, the rule was revised to remove the term "data." The rule applies to information that is FCI and CUI only.

e. Contractor Information Systems

Comment: Respondents asked that "contractor information systems" be limited/defined more narrowly, similar to "covered contractor information systems."

Response: The rule clarifies that "contractor information systems" throughout the rule means systems "that process, store, or transmit FCI or CUI in performance of the contract."

9. Regulatory Impact Analysis (RIA) Estimate

Comment: Several respondents said the RIA cost estimate was too low and should include all offerors and a revised estimate of average information systems per contractor.

Response: The RIA only covers costs of contractual requirements to upload self-assessments and complete affirmations in SPRS (technical/programmatic CMMC costs are addressed under 32 CFR part 170). The RIA was revised to expand the estimated impacted entities to include, in year four and beyond, all entities in the Federal Procurement Data System awarded DoD contracts FY2022–FY2024. The estimate of five information systems per contractor remains a DoD subject-matter-expert estimate.

10. Application to Fundamental Research

Comment: Respondents raised concerns about applying CMMC to fundamental research that could become CUI.

Response: Fundamental research (per NSDD 189) is published and broadly shared and cannot be safeguarded as FCI or CUI; however, if it has the potential to become CUI, it would be subject to CMMC once it becomes CUI.

11. Applicability

Comment: Respondents raised numerous applicability questions: FCI-only Level 1 self-assessment carve-outs, program manager documentation of rationale, existing vs. new contracts, micro-purchase threshold subcontracts, and scope of paragraph (b)(3).

Response: The clause will be included in solicitations issued on/after the effective date and in resulting contracts; contracting officers may also bilaterally incorporate the clause into existing contracts (see FAR 1.108(d)). Until three years after the effective date, CMMC applies only where program managers/requiring activities determine to apply it (excluding COTS-only awards); afterward, it applies wherever contractor information systems will process, store, or transmit FCI or CUI. 32 CFR part 170 does not allow spot checks and requires the CMMC requirement be met at time of award.

12. Flowdown

Comment: Respondents requested clarification on flowdown scope, CUI dissemination limits, and lower-tier CMMC level determination.

Response: See 32 CFR 170.23 for flowdown guidance. Clause paragraph (d)(1) was revised to clarify flowdown applies only where the subcontract requires a CMMC level, and to no longer exclude paragraph (b)(3) (affirmation of continuous compliance) from subcontractor flowdown. The rule was not revised regarding which subcontractors must receive CUI — that determination remains with the prime contractor.

13. CMMC as an Evaluation Factor

Comment: Is CMMC a competition evaluation factor or set-aside requirement?

Response: No. CMMC is not an evaluation factor or set-aside requirement; DFARS 204.7503 requires contracting officers not to award to an offeror that fails to meet the CMMC requirements in the solicitation, and if included in the solicitation, it becomes a contract requirement.

14. Program Office Requirements

Comment: Require the program office to review contractor-provided information.

Response: The rule was revised to require the contracting officer to work with the program office/requiring activity to review the offeror's CMMC status and affirmation information.

15. Clarifying When FCI Applies

Comment: Clarify that systems processing FCI (not CUI) need only CMMC Level 1.

Response: Not included in the final rule; contracting officers do not determine the required CMMC level.

16. International Applicability

Comment: Respondents raised questions about C3PAO assessments outside the U.S., international harmonization, and foreign verification bodies (e.g., Taiwan's TAF).

Response: Contracts subject to NIST SP 800–171 compliance (e.g., via DFARS 252.204–7012) require foreign or domestic contractors to secure their systems. See 32 CFR 179 regarding foreign C3PAO accreditation; DoD permits an equivalent process for personnel ineligible for a Tier 3 background investigation, for CMMC Program purposes only.

17. POA&M

Comment: Respondents sought clarity on POA&M closeout, conditional certification for subcontract award, and continued reliance on POA&Ms for newly discovered risks.

Response: The rule was revised to clarify (via the "current" definition) that for CMMC Levels 2 and 3 only, conditional CMMC status is permitted for up to 180 days from the conditional CMMC status date, and that final CMMC status is achieved upon successful POA&M closeout. 32 CFR part 170 does not allow additional POA&Ms beyond established scoping, other than for scenarios appropriate for an "operational plan of action" (32 CFR 170.4).

18. Subcontractor Compliance

Comment: Respondents asked how primes monitor/verify subcontractor CMMC adherence, requested an automated SPRS visibility tool, and asked when subcontractors must be compliant.

Response: Contractors can only access their own CMMC information in SPRS; DoD has no tool for automatic sharing with primes. Subcontractors may screenshot/print their own SPRS status to share voluntarily. Prior to awarding a subcontract, the prime must ensure the subcontractor has a current CMMC status at the appropriate level. 32 CFR part 170 does not allow limiting enforcement to direct suppliers only.

19. Senior Company Official

Comment: Respondents noted the proposed rule's "senior company official" term does not match 32 CFR part 170's "affirming official," and asked for a clear definition.

Response: The final rule updates terminology to "affirming official" to align with 32 CFR part 170 (the proposed DFARS rule used the older term due to timing of the two rulemakings).

20. Task Orders and Delivery Orders

Comment: Will existing IDIQ contracts' task/delivery orders issued after the rule contain a CMMC requirement?

Response: Task orders or delivery orders issued after the rule's effective date may include a CMMC requirement under the prescribed clause/provision.

21. Relationship Between "Covered Contractor Information Systems" and "Contractor Information Systems"

Comment: Clarify the relationship between the two terms and possible over-broad scope.

Response: The rule clarifies that "contractor information systems" are limited to those "that process, store, or transmit FCI or CUI during performance of the contract."

22. CMMC Unique Identifiers

Comment: Respondents sought clarification on CMMC UIDs vs. CAGE codes, mandatory vs. optional UID submission, and prime vs. subcontractor UID reporting obligations.

Response: A CMMC UID is assigned per CMMC Assessment Scope as defined by the Organization Seeking Assessment (OSA) (see 32 CFR 170.19). SPRS/eMASS assigns the UID upon submission of assessment results. OSAs must obtain a CAGE code (via sam.gov) or NCAGE code (for non-U.S. businesses, via NSPA) and a PIEE account. Only prime contractors with a CMMC requirement must submit CMMC UIDs to the contracting officer (which may include subcontractors' UIDs); subcontractors themselves do not submit UIDs to the contracting officer. A new UID is generated whenever a new SPRS score is entered (e.g., at reassessment or 3-year renewal).

23. Creation of Exception

Comment: Requests for exceptional-circumstance relief and small-business exemptions for second-tier suppliers.

Response: 32 CFR part 170 does not include an exemption for exceptional circumstances, and this DFARS rule cannot create one. DoD does not require flowdown to subcontractors that do not receive FCI or CUI.

24. Period of Performance

Comment: Should contracting officers validate CMMC compliance before extending a period of performance?

Response: Yes — 32 CFR part 170 requires CMMC statuses to be maintained for the life of the contract, so contracting officers must validate compliance before extending performance periods or exercising options.

25. Prime Contractor Protection From Subcontractor Noncompliance

Comment: Clarify that primes won't be rendered ineligible due to subcontractor noncompliance.

Response: The Government does not establish the prime/subcontractor relationship and does not indemnify the prime from its subcontractors, as it lacks privity of contract with subcontractors.

26. Application of CMMC to FAR Part 16 Contract Types

Comment: Require CMMC Program Office/USD(A&S) approval before applying CMMC to FAR part 16 contract types during phase-in.

Response: 32 CFR part 170 does not include such an approval process, and this rule cannot create one.

27. Acquiring Entities Without CMMC Certification

Comment: How are newly acquired entities or new sites added to an existing certification?

Response: Per DFARS 252.204–7021(c)(1), contractors must report changes to UIDs to the contracting officer. Adding new users to an existing system does not necessarily change the CMMC assessment scope (see 32 CFR 170.19).

28. Applicability to Civilian Agencies

Comment: Does CMMC apply to CUI from non-DoD agencies?

Response: This rule amends the DFARS and applies only to DoD or DoD-funded acquisitions.

29. Provision and Clause Clarifications

Comment: Questions on subcontractor UID updates and the "unless electronically posted" language.

Response: The clause was updated to require subcontractors to enter self-assessment results in SPRS and complete annual affirmations, which they may share via screenshot. "Unless electronically posted" language was removed. Paragraph (c)(1) is excluded from subcontractor flowdown because the Government lacks privity of contract with subcontractors, though primes are encouraged to flow down similar language voluntarily.

30. Outside the Scope of the Rule

DoD received numerous comments outside the scope of this rule, including topics related to: the DFARS Case 2022–D017 timeline; CUI marking and definitions; the CMMC Program's underlying policy at 32 CFR part 170 (permissible changes, exemptions for MWR/NAF procurements, ISO/IEC 27001 relationship, phase-in timeline, spot checks, FedRAMP, waivers, eMASS training, and more); cost impacts; and various sector-specific applicability questions (medical devices, furniture manufacturers, common carriers, etc.).

Response (selected points):

  • CMMC level selection is made by the program office/requiring activity per DoD policy and 32 CFR 170.5; contracting officers do not determine the level.
  • All CUI categories require at least a self-assessment; DoD Organizational Index group CUI categories generally require a C3PAO assessment at minimum.
  • MWR/NAF procurements requiring NIST SP 800–171 implementation are subject to the CMMC requirement.
  • Waivers are established at 32 CFR 170.5 and are at the discretion of the program office/requiring activity, prior to contracting officer involvement.
  • Contractors do not have access to CMMC eMASS (used only for certification assessments); all CMMC assessments are reflected in SPRS.
  • Enclave scoping is determined by the contractor per 32 CFR 170.19.
  • Reassessments are expected to be infrequent and DoD-conducted, per updates to 32 CFR part 170.
  • Flowdown requirements are at 32 CFR 170.23.

C. Other Changes

  • DFARS 204.7500 was updated to remove a web address and replace it with a reference to 32 CFR part 170.
  • Clarified throughout that a higher CMMC level than required is also permissible.
  • The term "CMMC status" was added throughout, clarifying that contracts may be awarded with a current Final Level 1 (Self), Conditional Level 2 (Self), Final Level 2 (Self), Conditional Level 2 (C3PAO), or Final Level 2 (C3PAO) CMMC status. A definition of "CMMC status" was added to DFARS subpart 204.75, clause 252.204–7021, and provision 252.204–7025.

III. Applicability to Contracts at or Below the SAT, Commercial Products, and Commercial Services

The clause at DFARS 252.204–7021 is prescribed at DFARS 204.7504 for use:

  • Until November 9, 2028 (three years after the effective date): in solicitations and contracts, task orders, or delivery orders — including FAR part 12 commercial product/service acquisitions, except those solely for COTS items — if the program office or requiring activity determines the contractor is required to have a specific CMMC level (unless 32 CFR 170.5(d) requirements are met).
  • On or after November 10, 2028: in solicitations and contracts, task orders, or delivery orders — including FAR part 12 acquisitions, except those solely for COTS items — if the program office or requiring activity determines the contractor must use contractor information systems to process, store, or transmit FCI or CUI.

The provision at DFARS 252.204–7025 is prescribed at DFARS 204.7504(b) for use in solicitations that include the clause at DFARS 252.204–7021.

Consistent with DoD's analysis of section 1648 of the NDAA for FY 2020, DoD applies the statute (as implemented in these clause/provision) to contracts at or below the Simplified Acquisition Threshold (SAT), to commercial products (excluding COTS items), and to commercial services as defined at FAR 2.101.

IV. Expected Impact of the Rule

A. Background

DoD is amending the DFARS to implement contractual requirements tied to the CMMC policy (32 CFR part 170, 89 FR 83092, October 15, 2024). New solicitation/contractual requirements include:

  • Offeror/contractor requirement to post CMMC Level 1 or Level 2 self-assessment results to SPRS prior to award, option exercise, or period-of-performance extension, if not already posted.
  • Contractor requirement to maintain the required CMMC status for the life of the contract.
  • Contractor requirement for an affirming official to complete an annual affirmation of continuous compliance in SPRS for each applicable CMMC UID.
  • Offeror/contractor requirement to identify contractor information systems used to process, store, or transmit FCI or CUI, by providing CMMC UIDs generated by SPRS.

B. Summary of Impact

The rule will be implemented over a phased, three-year period, after which it applies to all contracts where the contractor processes, stores, or transmits FCI or CUI on contractor information systems (except COTS-only contracts).

Estimated impacted entities (Year 4 and beyond):

Metric Value
Average unique entities awarded DoD contracts above micro-purchase threshold (FY2022–FY2024) 32,756
Unique entities awarded using only commercial procedures 18,370
Estimated COTS-only awardees (25% of 18,370) 4,592
Unique entities after removing COTS-only awardees 28,164
Assumed offerors per solicitation 2
Total prime offerors (28,164 × 2) 56,328
Assumed subcontractors per prime offer 5
Total estimated impacted entities (primes + subcontractors) 337,968
Of which, small entities (68%) 229,818

Estimated time burden per contractor information system:

  • Offerors/contractors: ~5 minutes to post CMMC self-assessment results in SPRS; ~5 minutes to complete the required affirmation; ~5 minutes to retrieve and submit CMMC UIDs.
  • Government: ~5 minutes to validate CMMC level/currency prior to award, option exercise, or performance extension; ~5 minutes to validate affirmation currency; ~5 minutes to validate CMMC status/affirmation when UIDs change during performance.

Benefits: Verification of DIB contractors' implementation of system security requirements, protection of CUI/FCI and intellectual property, and reduced exposure to malicious cyber activity. The Council of Economic Advisers estimated malicious cyber activity cost the U.S. economy $57–109 billion in 2016 (a 10-year burden of an estimated $400–765 billion at a 7% discount rate, or $486–929 billion at a 3% discount rate). GAO cited Treasury reporting that ransomware-related incidents reached $886 million in 2021.

Estimated public and Government costs over a 10-year period:

Summary (3% discount rate) Public Government Total
Present Value $329,097,922 $15,812,069 $344,909,991
Annualized Costs $38,580,316 $1,760,303 $40,340,619
Summary (7% discount rate) Public Government Total
Present Value $254,756,766 $11,533,649 $266,290,415
Annualized Costs $36,271,632 $1,642,132 $37,913,764

V. Executive Orders 12866 and 13563

This is a significant regulatory action, subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, as amended.

VI. Executive Order 14192

This rule is not subject to E.O. 14192, because it is issued with respect to a national security function of the United States. Implementation of CMMC Program requirements is urgently needed to strengthen protection of DoD information, protect critical defense technologies from exfiltration, and protect the DIB's intellectual property and the broader U.S. economy from malicious cyber actors.

VII. Congressional Review Act

DoD will submit the rule to the U.S. Senate, House of Representatives, and Comptroller General as required by the Congressional Review Act (5 U.S.C. 801–808). The Office of Information and Regulatory Affairs has determined this rule is not a major rule as defined by 5 U.S.C. 804(2).

VIII. Regulatory Flexibility Act

A final regulatory flexibility analysis was prepared under 5 U.S.C. 601 et seq. Key points:

  • This rule responds to threats posed by malicious cyber activity targeting U.S. intellectual property and DoD CUI.
  • Requirements apply to all offerors/contractors under a CMMC-requirement solicitation/contract: (1) post current CMMC status in SPRS; (2) maintain CMMC status for contract life; (3) provide CMMC UIDs to the contracting officer, with updates; (4) maintain a current affirmation of continuous compliance.
  • These requirements do not apply to awards not involving FCI or CUI.
  • No public comments were submitted in response to the initial regulatory flexibility analysis.

Estimated small entities impacted, phased rollout:

Year Estimated Small Entities
Year 1 1,104
Year 2 5,565
Year 3 18,554
Year 4+ 229,818

Anticipated mix of CMMC statuses starting Year 4:

CMMC Level Percentage Small Entities Large Entities Total Entities
Level 1 Self-assessment 62% 142,487 67,053 209,540
Level 2 Self-assessment 2% 4,596 2,163 6,759
Level 2 Certificate 35% 80,436 37,853 118,289
Level 3 Certificate 1% 2,298 1,082 3,380
Total 100% 229,818 108,150 337,968

New reporting/recordkeeping requirements for small entities:

  1. Post current CMMC status (not covered by C3PAO/DIBCAC assessment) to SPRS for each applicable CMMC UID.
  2. Provide CMMC UIDs prior to award and upon any changes.
  3. Affirming official completes and maintains, annually (or upon compliance status change), the affirmation of continuous compliance in SPRS.

DoD identified no alternatives that would accomplish the statutory objectives while further reducing small-entity burden; the phased rollout and COTS exemption are intended to minimize economic impact.

IX. Paperwork Reduction Act

This final rule's information collection requirements have been approved by OMB under the Paperwork Reduction Act (44 U.S.C. chapter 35), OMB Control Number 0750–0008, DFARS Part 204, Contractor Implementation of Cybersecurity Requirements.

List of Subjects in 48 CFR Parts 204, 212, 217, and 252

Government procurement.

Signed: Kimberly R. Ziegler, Editor/Publisher, Defense Acquisition Regulations System.

The interim rule amending 48 CFR parts 204, 212, 217, and 252 (published at 85 FR 61505 on September 29, 2020) is adopted as final with the following changes.

Authority citation for parts 204, 212, 217, and 252: 41 U.S.C. 1303 and 48 CFR chapter 1.

PART 204—Administrative and Information Matters

Subpart 204.75—Cybersecurity Maturity Model Certification

Contents:

  • 204.7500 Scope of subpart.
  • 204.7501 Definitions.
  • 204.7502 Policy.
  • 204.7503 Procedures.
  • 204.7504 Solicitation provision and contract clause.

204.7500 Scope of subpart

(a) This subpart prescribes policies and procedures for including the Cybersecurity Maturity Model Certification (CMMC) level requirements in DoD contracts. CMMC is a framework (see 32 CFR part 170) for assessing a contractor's information security protections.

(b) This subpart does not abrogate any other requirements regarding contractor physical, personnel, information, technical, or general administrative security operations governing the protection of unclassified information, nor does it affect requirements of the National Industrial Security Program.

(c) This subpart applies to unclassified contractor information systems.

204.7501 Definitions

As used in this subpart—

Controlled unclassified information means information the Government creates or possesses, or information an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls (32 CFR 2002.4(h)).

Current means—

(1) With regard to Conditional Cybersecurity Maturity Model Certification (CMMC) Status—

(i) Not older than 180 days for Conditional Level 2 (Self) assessments and Conditional Level 2 (certified third-party assessment organization (C3PAO)) assessments, with—
(A) No changes in compliance with the requirements at 32 CFR part 170 since the Conditional CMMC Status date (see 32 CFR 170.16 and 170.17); and
(B) A corresponding affirmation of continuous compliance by an affirming official (see 32 CFR 170.4); and
(ii) Not older than 180 days for Conditional Level 3 (Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)) assessments, with—
(A) No changes in compliance with the requirements at 32 CFR part 170 since the Conditional CMMC Status date (see 32 CFR 170.18); and
(B) A corresponding affirmation of continuous compliance by an affirming official;

(2) With regard to Final CMMC Status—

(i) Not older than 1 year for Final Level 1 (Self), with—
(A) No changes in compliance with the requirements at 32 CFR part 170 since the Final CMMC Status date (see 32 CFR 170.15); and
(B) A corresponding affirmation of continuous compliance, not older than 1 year, by an affirming official;
(ii) Not older than 3 years for Final Level 2 (Self) assessments and Final Level 2 (C3PAO) assessments, with—
(A) No changes in compliance with the requirements at 32 CFR part 170 since the Final CMMC Status date (see 32 CFR 170.16 and 170.17); and
(B) A corresponding affirmation of continuous compliance, not older than 1 year, by an affirming official; and
(iii) Not older than 3 years for Final Level 3 (DIBCAC) assessments, with—
(A) No changes in compliance with the requirements at 32 CFR part 170 since the Final CMMC Status date (see 32 CFR 170.18); and
(B) A corresponding affirmation of continuous compliance, not older than 1 year, by an affirming official; and

(3) With regard to affirmation of continuous compliance (32 CFR 170.22), not older than 1 year with no changes in compliance with the requirements at 32 CFR part 170.

Cybersecurity Maturity Model Certification (CMMC) status means the result of meeting or exceeding the minimum required score for the corresponding assessment. The potential statuses are as follows:

  1. Final Level 1 (Self).
  2. Conditional Level 2 (Self).
  3. Final Level 2 (Self).
  4. Conditional Level 2 (C3PAO).
  5. Final Level 2 (C3PAO).
  6. Conditional Level 3 (DIBCAC).
  7. Final Level 3 (DIBCAC).

Cybersecurity Maturity Model Certification unique identifier (CMMC UID) means 10 alpha-numeric characters assigned to each CMMC assessment and reflected in the Supplier Performance Risk System (SPRS) for each contractor information system.

Federal contract information (FCI) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It does not include information provided by the Government to the public, such as on public websites, or simple transactional information, such as information necessary to process payments.

204.7502 Policy

(a) Award eligibility.

(1) The contracting officer shall include in the solicitation the required CMMC level, if provided by the program office or the requiring activity.

(2) Contracting officers shall not award a contract, task order, or delivery order to an offeror that does not have a current CMMC status at the CMMC level required by the solicitation.

(3) Contractors are required to achieve, at time of award, a CMMC status at the CMMC level specified in the solicitation, or higher, for all information systems used in the performance of the contract, task order, or delivery order that will process, store, or transmit FCI or CUI. Contractors are required to maintain a current CMMC status at the specified CMMC level or higher, if required by the contract, task order, or delivery order, throughout the life of the contract, task order, or delivery order.

(b) CMMC status.

(1) Contracting officers may award a contract, task order, delivery order, or modification to exercise an option or extend a period of performance, if the offeror's or contractor's CMMC status is—

(i) Listed in the definition of "CMMC status"; and
(ii) Equal to or higher than the CMMC level required by the solicitation or contract, task order, or delivery order.

(2) CMMC levels 2 and 3 can be in a conditional level for a period not to exceed 180 days from the CMMC status date (32 CFR 170.21), and award can occur with a conditional CMMC level. CMMC level 1 requires a final CMMC level for award.

204.7503 Procedures

(a) CMMC level. The contracting officer shall include the CMMC level (see 32 CFR 170.19) required by the program office or requiring activity in the solicitation provision and contract clause prescribed at 204.7504.

(b) Award. Contracting officers shall check SPRS and not award a contract, task order, or delivery order to an offeror that does not have a current CMMC status posted in SPRS at the CMMC level (see 32 CFR 170.15 through 170.18) required by the solicitation, or higher, for each CMMC UID provided by the offeror. The CMMC UIDs are applicable to each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract.

(c) Option exercise or period of performance extension. Contracting officers shall check SPRS and not exercise an option or extend the period of performance on a contract, task order, or delivery order, unless the contractor has a current CMMC status posted in SPRS at the CMMC level (see 32 CFR 170.15 through 170.18) required by the contract, task order, or delivery order, or higher, for each CMMC UID provided by the contractor. The contractor's CMMC UIDs are applicable to each of the contractor information systems that process, store, or transmit FCI or CUI and that are or will be used in performance of the contract.

(d) CMMC UIDs. If the contractor provides new CMMC UIDs during performance of the contract, task order, or delivery order, the contracting officer shall check in SPRS, using the CMMC UIDs assigned by SPRS, that the contractor has a current CMMC status at the required CMMC level, or higher, for each of the contractor information systems identified that will process, store, or transmit FCI or CUI during contract performance.

204.7504 Solicitation provision and contract clause

(a) Unless the requirements at 32 CFR 170.5(d) are met, use the clause at 252.204–7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements, as follows:

(1) Until November 9, 2028, in solicitations and contracts, task orders, or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for those solely for the acquisition of commercially available off-the-shelf (COTS) items, if the program office or requiring activity determines that the contractor is required to have a specific CMMC level.

(2) On or after November 10, 2028, in solicitations and contracts, task orders, or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for those solely for the acquisition of COTS items, if the program office or requiring activity determines that the contractor is required to use contractor information systems in the performance of the contract, task order, or delivery order to process, store, or transmit FCI or CUI.

(b) Use the provision at 252.204–7025, Notice of Cybersecurity Maturity Model Certification Level Requirements, in solicitations that include the clause at 252.204–7021.

PART 212—Acquisition of Commercial Products and Commercial Services

212.301 Solicitation provisions and contract clauses for the acquisition of commercial products and commercial services

Amendment:

  • In paragraph (f)(ii)(L), remove "204.7503 (a) and (b)" and add "204.7504(a)" in its place.
  • Add paragraph (f)(ii)(P):
(P) Use the provision at 252.204–7025, Notice of Cybersecurity Maturity Model Certification Level Requirements, as prescribed in 204.7504(b).

PART 217—Special Contracting Methods

217.207 Exercise of options

(c) In addition to the requirements at FAR 17.207(c), exercise an option only after—

(1) Determining that the contractor's record in the System for Award Management database is active and the contractor's unique entity identifier number, Commercial and Government Entity (CAGE) code, name, and physical address are accurately reflected in the contract document. (See PGI 217.207 for the requirement to perform cost or price analysis of spare parts prior to exercising any option for firm-fixed-price contracts containing spare parts.); and

(2) Working with the program office or requiring activity to verify in the Supplier Performance Risk System (https://piee.eb.mil) that—

(i) The summary level score of a current NIST SP 800–171 DoD Assessment (i.e., not more than 3 years old, unless a lesser time is specified in the solicitation) for each covered contractor information system that is relevant to an offer, contract, task order, or delivery order are posted (see 204.7303); and
(ii) If there is a requirement for the contractor to have a Cybersecurity Maturity Model Certification (CMMC) status at a specific CMMC level, the contractor has a current CMMC status at the CMMC level required by the contract, or higher, for each of the CMMC unique identifiers applicable to each of the contractor information systems that process, store, or transmit Federal contract information or controlled unclassified information (see 204.7503(c)).

PART 252—Solicitation Provisions and Contract Clauses

252.204–7021 Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements

As prescribed in 204.7504(a), use the following clause:

CONTRACTOR COMPLIANCE WITH THE CYBERSECURITY MATURITY MODEL CERTIFICATION LEVEL REQUIREMENTS (NOV 2025)

(a) Definitions. As used in this clause—

Controlled unclassified information means information the Government creates or possesses, or information an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls (32 CFR 2002.4(h)).

Current means— (see definition under DFARS 204.7501 above, which is incorporated identically into this clause)

Cybersecurity Maturity Model Certification (CMMC) status means the result of meeting or exceeding the minimum required score for the corresponding assessment. The potential statuses are as follows:

  1. Final Level 1 (Self).
  2. Conditional Level 2 (Self).
  3. Final Level 2 (Self).
  4. Conditional Level 2 (C3PAO).
  5. Final Level 2 (C3PAO).
  6. Conditional Level 3 (DIBCAC).
  7. Final Level 3 (DIBCAC).

Cybersecurity Maturity Model Certification unique identifier (CMMC UID) means 10 alpha-numeric characters assigned to each CMMC assessment and reflected in the Supplier Performance Risk System (SPRS) for each contractor information system.

Federal contract information (FCI) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It does not include information provided by the Government to the public, such as on public websites, or simple transactional information, such as information necessary to process payments.

Plan of action and milestones means a document that identifies tasks to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones, as defined in National Institute of Standards and Technology Special Publication 800–115 (32 CFR 170.21).

(b) Framework. The Cybersecurity Maturity Model Certification (CMMC) is a framework for assessing a contractor's compliance with applicable information security protections (see 32 CFR part 170).

(c) Duplication. The CMMC assessments will not duplicate efforts from any other comparable DoD assessment, except for rare circumstances when a reassessment may be necessary, for example, when there are indications of issues with cybersecurity and/or compliance with CMMC requirements.

(d) Requirements. The Contractor shall—

(1)(i) Have and maintain for the duration of the contract a current CMMC status at the following CMMC level, or higher: _____ [Contracting Officer insert: CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); or CMMC Level 3 (DIBCAC)] for all information systems used in performance of the contract, task order, or delivery order that process, store, or transmit FCI or CUI; and

(ii) Consult 32 CFR 170.23 related to the flowdown of the CMMC requirements, and flow down the correct CMMC level to subcontracts and other contractual instruments;

(2) Only process, store, or transmit FCI or CUI on contractor information systems that have a CMMC status at the CMMC level required in paragraph (d)(1) of this clause, or higher;

(3) Complete on an annual basis, and maintain as current, an affirmation, by the affirming official (see 32 CFR 170.4), of continuous compliance with the requirements associated with the CMMC level required in paragraph (d)(1) of this clause in the Supplier Performance Risk System (SPRS) (https://piee.eb.mil) for each CMMC UID applicable to each of the contractor information systems that process, store, or transmit FCI or CUI and that are used in performance of the contract;

(4) Ensure all subcontractors and suppliers complete prior to subcontract award, and maintain on an annual basis, an affirmation, by the affirming official (see 32 CFR 170.4), of continuous compliance with the requirements associated with the CMMC level required for the subcontract or other contractual instrument for each of the subcontractor information systems that process, store, or transmit FCI or CUI and that are used in performance of the subcontract; and

(5) If the Contractor has a CMMC Status of Conditional, successfully close out a valid plan of action and milestones (32 CFR 170.21) to achieve a CMMC Status of Final.

(e) Reporting. The Contractor shall—

(1) Submit to the Contracting Officer—

(i) The CMMC UID(s) issued by SPRS for contractor information systems that will process, store, or transmit FCI or CUI during performance of the contract; and
(ii) Any changes in the CMMC UIDs generated in SPRS throughout the life of the contract, task order, or delivery order, if applicable;

(2) Enter into SPRS the results of a current self-assessment for each CMMC UID, not covered by a C3PAO assessment or DIBCAC assessment, applicable to each of the contractor information systems that process, store, or transmit FCI or CUI and that are used in performance of the contract; and

(3) Complete in SPRS on an annual basis and maintain as current an affirmation of continuous compliance by the affirming official (see 32 CFR 170.4) for each self-assessment, C3PAO assessment, or DIBCAC assessment required under the contract in SPRS.

(f) Subcontracts. The Contractor shall—

(1) Insert the substance of this clause, including this paragraph (f) and excluding paragraph (e)(1), in subcontracts and other contractual instruments, including those for the acquisition of commercial products and commercial services, excluding commercially available off-the-shelf items, if the subcontract or other contractual instrument will contain a requirement to process, store, or transmit FCI or CUI; and

(2) Prior to awarding a subcontract or other contractual instrument, ensure that the subcontractor has a current CMMC certificate or current CMMC status at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor based on the requirements at 32 CFR 170.23.

(End of clause)

252.204–7025 Notice of Cybersecurity Maturity Model Certification Level Requirements

As prescribed in 204.7504(b), use the following provision:

NOTICE OF CYBERSECURITY MATURITY MODEL CERTIFICATION LEVEL REQUIREMENTS (NOV 2025)

(a) Definitions. As used in this provision, controlled unclassified information (CUI), current, Cybersecurity Maturity Model Certification (CMMC) status, Cybersecurity Maturity Model Certification unique identifier (CMMC UID), Federal contract information (FCI), and Plan of action and milestones have the meaning given in the Defense Federal Acquisition Regulation Supplement 252.204–7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements, clause of this solicitation.

(b)(1) Cybersecurity Maturity Model Certification (CMMC) level. The CMMC level required by this solicitation is: _____ [Contracting Officer insert: CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); or CMMC Level 3 (DIBCAC)]. This CMMC level, or higher (see 32 CFR part 170), is required prior to award for each contractor information system that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI) during performance of the contract.

(2) The Offeror will not be eligible for award of a contract, task order, or delivery order resulting from this solicitation if the Offeror does not have, for each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of a contract resulting from this solicitation—

(i) The current CMMC status entered in the Supplier Performance Risk System (SPRS) (https://piee.eb.mil) at the CMMC level required by paragraph (b)(1) of this provision; and
(ii) A current affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in SPRS.

(c) Plan of action and milestones. If the Offeror has a CMMC Status of Conditional, the Offeror shall successfully close out a valid plan of action and milestones (32 CFR 170.21) to achieve a CMMC Status of Final.

(d) CMMC unique identifiers. The Offeror shall provide, in the proposal, the CMMC unique identifier(s) (CMMC UIDs) issued by SPRS for each contractor information system that will process, store, or transmit FCI or CUI during performance of a contract, task order, or delivery order resulting from this solicitation. The Offeror also shall update the list when new CMMC UIDs are generated in SPRS. The CMMC UIDs are provided in SPRS after the Offeror enters the results of self-assessment(s) for each such information system.

(End of provision)


[FR Doc. 2025–17359 Filed 9–9–25; 8:45 am]

BILLING CODE 6001–FR–P