Key point: Beginning November 10, 2025, DoD contracting officers will add Cybersecurity Maturity Model Certification (CMMC) requirements to solicitations, and contracting officers “shall not award a contract, task order, or delivery order to a [contractor] that does not have a current CMMC status at the CMMC level required by the solicitation.”

Last week we discussed OIRA’s completion of its review of the DoD’s proposed rule revising the DFARS to formally incorporate the CMMC requirements into future solicitations. As expected, on September 10, 2025, the National Archives and Records Administration published the final rule, Assessing Contractor Implementation of Cybersecurity Requirements, 90 Fed. Reg. 43560 (Sept. 10, 2025).

What does this mean for defense contractors?

Companies that want to do business with the DoD must review their cybersecurity policies and procedures to ensure they already meet the CMMC level specified in the solicitation. As stated in the new 48 C.F.R. § 204.7502(a)(2), “Contracting officers shall not award a contract, task order, or delivery order to an offeror that does not have a current CMMC status at the CMMC level required by the solicitation” (emphasis added). Be forewarned: the current backlog to schedule a third-party certification for CMMC Level 2 is approximately eight weeks. But reviewing internal policies and procedures is not enough.

Cybersecurity requirements for subcontractors

Contractors must also review their subcontractor agreements to ensure that CMMC requirements are properly flowed down to subcontractors that will handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Prime contractors and higher-tier subcontractors must ensure that lower-tier subcontractors handling FCI or CUI, and external service providers (e.g., IT vendors), also meet the appropriate CMMC level. The revised DFARS contract clause that will be included in future solicitations and awards includes, in relevant part, the following flow down language:

The Contractor shall include the substance of this clause, including this paragraph … in subcontracts and other contractual instruments, including those for the acquisition of commercial products and commercial services, excluding commercially available off-the-shelf items, if the subcontract or other contractual instrument will contain a requirement to process, store, or transmit FCI or CUI.

48 C.F.R. § 252-204-7021(f) (2025). Before a contractor awards a subcontract or other contractual instrument, the contractor must ensure the subcontractor has a current CMMC certificate or current CMMC status at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor. Id.

Risks and rewards of flowing down CMMC requirements

The revised flow down clause is a double-edged sword. It gives primes and higher-tier subcontractors the flexibility to partner with companies that are not CMMC compliant, so long as those companies do not receive, store, or transmit FCI or CUI. However, this flexibility increases the oversight obligation to accurately manage information flows within a supply chain, so that information is not shared with unauthorized business partners.

If you have questions about bringing your business into compliance with the new CMMC requirements, please reach out to Erik Dullea or your Husch Blackwell attorney.

Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Luis Hidalgo

Luis assists clients with government contracts. A former accountant and auditor, Luis thrived on investigative work but was keenly aware that his role never included resolving any of the problems he uncovered. He chose to pursue a career as an attorney, where he could combine his passions for fact-finding, problem-solving, and creativity.