Sunday, March 8, 2026

New DoD CMMC Rule: What Defense Contractors Must Know for 2025 Compliance

The Department of War has officially released its long-awaited cybersecurity rule that will fundamentally reshape how defense contractors handle sensitive information, marking a watershed moment in the government’s push to secure its supply chain against mounting digital threats.

On September 9, 2025, the DoW published the final Defense Federal Acquisition Regulation Supplement (DFARS) rule implementing the Cybersecurity Maturity Model Certification (CMMC) Program for public inspection in the Federal Register. The rule, which cleared regulatory review just weeks earlier, will require thousands of defense contractors to meet specific cybersecurity standards to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

New Era for Defense Contractors

“We expect our vendors to put U.S. national security at the top of their priority list,” said Kate Arrington, performing the duties of the DoW Chief Information Officer. “By complying with cyber standards and achieving CMMC, this shows our vendors are doing exactly that.”

The CMMC Program establishes a uniform way for the Department of Defense to verify that both prime contractors and subcontractors have implemented required cybersecurity safeguards. Unlike previous self-attestation models, the program verifies that defense contractors are not only implementing but maintaining these critical safeguards throughout the entire contract performance period.

What’s at stake? Potentially billions in defense contracts. Starting as early as October 2025, contractors who fail to meet these requirements could find themselves locked out of bidding on new defense work.

Three-Tiered Approach

The finalized program requires contractors to meet one of three ascending cybersecurity levels, with requirements escalating based on the sensitivity of information handled. Senior DoD officials will be closely involved in determining which contractors warrant Level 3 requirements, the most stringent tier of compliance, according to experts familiar with the rule.

Notably, senior acquisition executives retain some flexibility to waive CMMC requirements for particular contracts or solicitations — though such exceptions are expected to be rare.

The final 48 CFR rule, which formally incorporates CMMC acquisition policy and standardized contract language into DFARS, was submitted to the Office of Information and Regulatory Affairs on July 22, 2025. This procedural step cleared the way for CMMC requirements to begin appearing in defense contracts this fall.

Rapid Regulatory Approval

Government watchers have noted the unusually swift approval process for such a complex regulation. The OIRA completed its review in just over 30 days — a process that typically takes 60-90 days — signaling strong governmental prioritization of cybersecurity for national defense.

“While it may take a few weeks for this rule to be published, it could be as soon as next week,” one industry publication noted before the official release. “It becomes enforceable at a maximum of 60 days from the listed effective date.”

The speed of approval demonstrates “the Executive Branch’s prioritization of cybersecurity in the areas of critical infrastructure and national defense.”

Phased Implementation

The Department of Defense plans a phased rollout of CMMC requirements, starting primarily with self-assessments. These initial requirements will likely apply to approximately 65% of the Defense Industrial Base (DIB), according to DoD estimates.

For smaller contractors concerned about compliance costs, the tiered approach offers some relief. Most will only need to meet Level 1 requirements, which focus on basic cyber hygiene practices, while more sensitive contracts will trigger more stringent controls.

Still, the clock is now ticking for thousands of companies that support America’s defense infrastructure. With enforcement set to begin within 60 days of publication, contractors who haven’t already begun preparing face a rapidly closing window to achieve compliance.

As defense supply chains continue to face sophisticated cyber threats from nation-state actors and criminal groups, this regulatory shift represents perhaps the most significant overhaul of defense contractor cybersecurity requirements in decades — one that will reshape the competitive landscape for years to come.