Key point: Historically, civilian‑agency contractors who handled Controlled Unclassified Information (CUI) enjoyed an informal compliance environment, with a requirement to adhere to NIST SP 800‑171 often framed as self‑attestation. That world is now decisively over, with the GSA following a path similar, but not identical, to the DoD’s CMMC requirements.
The Defense Department’s Cybersecurity Requirements Go Live
Key point: Beginning November 10, 2025, DoD contracting officers will begin adding Cybersecurity Maturity Model Certification (CMMC) requirements to solicitations, and contracting officers “shall not award a contract, task order, or delivery order to a [contractor] that does not have a current CMMC status at the CMMC level required by the solicitation.”
OIRA Completes its Review of the DFARS CMMC Proposed Rule: Is Your Company CMMC Certified, or Will It be Excluded from Future Awards?
Key point: CMMC took another step towards reality, with OIRA clearing for publication the DFARS proposed rule that will add CMMC requirements as a condition of award for new contracts.