
DoD Publishes Final CMMC Rule

September 10, 2025

Today, the Department of Defense (DoD) published the final Cybersecurity Maturity Model Certification (CMMC) rule. This is a major step toward strengthening cybersecurity across the defense industrial base (DIB). The rule, now part of the Defense Federal Acquisition Regulation Supplement (DFARS), sets out mandatory cybersecurity requirements for contractors and subcontractors that handle Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The CMMC Final Rule goes into effect 60 days after its publication in the Federal Register.

Evolution of Cybersecurity Requirements for DoD Contractors

The final rule expands on existing cybersecurity requirements for government contractors. In fact, defense contractors have been required to comply with cybersecurity regulations since at least 2017.

CMMC Model Overview

The revised CMMC framework includes three certification levels:

  • Level 1 (Self-assessment): For contractors handling less sensitive FCI. Requires 15 controls aligned with FAR 52.204-21.
  • Level 2 (Self or C3PAO assessment): For contractors handling CUI. Requires 110 controls aligned with NIST SP 800-171. More sensitive CUI requires a third-party assessment by a C3PAO. A C3PAO is a Certified Third-Party Assessor Organization authorized by the Cyber Accreditation Body (Cyber AB) to conduct official CMMC Level 2 assessments for defense contractors.
  • Level 3 (DIBCAC assessment): For high-value assets. Requires 134 controls (NIST SP 800-171 + NIST SP 800-172) and a certification by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

All levels require an annual affirmation of continuous compliance in the Supplier Performance Risk System (SPRS).

Implementation Timeline

The rule introduces a three-year phased rollout:

  • Years 1–3: CMMC applies to select contracts.
  • Year 4 onward: Required for all contracts involving FCI or CUI, excluding those solely for commercial off-the-shelf (COTS) items.

Compliance Requirements

All contractors must:

  • Achieve the required CMMC level at the time of award.
  • Maintain a current CMMC status throughout the contract.
  • Submit CMMC Unique Identifiers (UIDs) for each information system used.
  • Ensure subcontractors handling FCI or CUI meet the appropriate CMMC level.

Consequences of Non-Compliance

Failure to comply with CMMC requirements can result in:

  • Ineligibility for contract award or extension
  • Contract termination
  • Loss of future DoD business

Importantly, misrepresenting CMMC status or cybersecurity compliance may expose contractors to False Claims Act (FCA) liability. The FCA imposes significant penalties for submitting false claims to the government or for using false records to seek payment from the government. Having a third-party assessor (C3PAO or DIBCAC) verify cybersecurity compliance may help contractors mitigate FCA exposure, so long as the contractors provide accurate and complete information to the third-party assessors.

Increasing Enforcement of Cybersecurity by Department of Justice

Since the introduction of DOJ’s Civil Cyber Fraud Initiative, enforcement of cybersecurity compliance has grown significantly. In 2025 so far, there have already been 3 notable settlements.

In March 2025, the government settled the landmark case against Morsecorp, Inc. brought by one of our clients. The $4.6 million settlement resolved allegations that Morsecorp made false representations concerning its compliance with required cybersecurity controls for safeguarding sensitive government information. It was the first major False Claims Act settlement with a member of the defense industrial base based on the failure to implement the required cybersecurity controls.

In May 2025, Raytheon Company, its parent RTX Corporation, and successor Nightwing Group agreed to pay $8.4 million to resolve allegations under the False Claims Act for failing to comply with cybersecurity requirements in 29 Department of Defense contracts.

In July 2025, biotech company Illumina paid $9.8 million to settle allegations that it sold its genomic sequencing systems to government agencies without having an adequate security program.

We Help Others Report Cybersecurity and Other Government Fraud

The Whistleblower Law Collaborative, based in Boston, represents individuals nationwide in bringing cases under the False Claims Act and other whistleblower programs. One of our recent successes was the $4.6 million settlement with MORSECORP, Inc. It was the first major False Claims Act cybersecurity settlement with a defense contractor.

If you know a government contractor has falsely certified compliance with its cybersecurity requirements, or failed to report a cybersecurity breach, contact us for a confidential consultation. Our attorneys include several former federal prosecutors with experience safeguarding sensitive military, intelligence, and healthcare data, and a Lawdragon 500 Leading Global Cyber Lawyer.