DoD Finalizes DFARS Rule with CMMC Requirement for Contractors
On September 10, 2025, the DoD issued its final rule amending DFARS to make the Cybersecurity Maturity Model Certification (CMMC) a contractual requirement. Starting November 10, 2025, CMMC clauses will be included in solicitations and contracts, creating a consistent framework to strengthen cybersecurity across the defense industrial base.
September 2025 CMMC DFARS Rule Marks the Start of the CMMC Implementation
The DoD published the final DFARS rule amending Title 48 of the Code of Federal Regulations. This rule adds DFARS clause 252.204-7021, which embeds CMMC requirements into DoD solicitations and contracts. This rule is the acquisition side of CMMC: it creates the mechanism for Contracting Officers to enforce CMMC at the time of award.
Without meeting the required CMMC level, contractors will simply be ineligible for DoD contracts.
Top Takeaways from the CMMC DFARS Final Rule
CMMC is now contractually enforceable
Contractors cannot be awarded new contracts if they fail to meet the required CMMC level. The level depends on whether they handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Effective date: November 10, 2025
From this date forward, Contracting Officers can include DFARS 252.204-7021 in new solicitations and contracts.
Three-year phased implementation
DoD will roll out CMMC in phases, allowing time for assessor training and contractor readiness.
| Phase | Start Date | What It Means |
|---|---|---|
| Phase 1 | November 10, 2025 | Applies to solicitations selected by DoD that require Level 1 or Level 2 self-assessments. In limited cases, DoD may require a Level 2 C3PAO certification instead of self-assessment. |
| Phase 2 | November 10, 2026 (12 months later) | Applies to solicitations selected by DoD that require a Level 2 C3PAO certification. DoD may delay this requirement until an option period, or in select cases, require Level 3 certification. |
| Phase 3 | November 10, 2027 (24 months later) | Applies to solicitations selected by DoD that require Level 3 certification. DoD may delay this requirement until an option period instead of making it a condition of award. |
| Phase 4 | November 10, 2028 (36 months later) | By this date, all DoD solicitations and contracts must include the appropriate CMMC level requirements. |
Flow-down to subcontractors
Prime contractors must ensure subcontractors meet the appropriate CMMC level. Compliance is continuous rather than a one-time affirmation: status reporting and supporting evidence must be kept up to date.
What This Means for Contractors and Subcontractors
If your contracts or bids involve FCI or CUI, you should expect the CMMC clause (DFARS 252.204-7021) to appear starting November 10, 2025. That means:
- Level 1: Basic safeguarding of FCI (annual self-assessment).
- Level 2: Most CUI contracts can be either self-assessment or third-party certification, depending on contract risk.
- Level 3: Reserved for prioritized programs with highly sensitive CUI; requires government-led assessment.
Contractors must also:
- Maintain SPRS entries and affirm compliance annually (the Supplier Performance Risk System is the DoD database where contractors must upload their NIST SP 800-171 self-assessment scores).
- Ensure subcontractors and cloud providers are compliant at the required level.
- Prepare for assessments under NIST SP 800-171 Rev.3 and NIST SP 800-171A Rev.3 procedures.

Securing the Cloud Apps You Use Every Day for CMMC
For many contractors and subcontractors, CUI and FCI flow through everyday SaaS platforms. Tools like ERPs, MES, PLMs, CRMs, and collaboration apps were not built with defense-grade controls, leaving gaps against CMMC and NIST 800-171 requirements.
StratoKey CDP fills that gap by applying encryption, tokenization, access controls, and monitoring directly to the applications you rely on. With StratoKey, data in platforms like NetSuite, SuiteProjects Pro, Salesforce, Pipedrive, Jira, and Confluence remains secure, compliant, and under your control.
How StratoKey CDP Helps You Align with CMMC
- Data Encryption & Tokenization: Protects FCI and CUI before it leaves your environment, satisfying System & Communications Protection requirements.
- Customer-Controlled Key Management (BYOK/CMEK): Keeps encryption keys in your control, meeting DFARS expectations for cryptographic separation from cloud providers.
- Granular Access Controls & Monitoring: Enforces least privilege, provides strong authentication, and continuously monitors activity to support compliance and auditability.
- Subcontractor & Cloud Oversight: Helps ensure subcontractors and SaaS/cloud providers comply with DFARS 252.204-7021, including storing CUI within FedRAMP-authorized environments (via tokenization) where required.
- Audit Trails & Evidence Collection: Generates the compliance evidence (logs, dashboards, reports) needed to assist with self-assessments, C3PAO reviews, or government audits.
What You Should Do Now
- Review which of your contracts will fall under DFARS 252.204-7021 after November 10, 2025.
- Conduct a gap assessment against NIST SP 800-171 Rev.3 and document controls.
- Verify your CSPs are FedRAMP authorized (Moderate for Level 2, High for Level 3).
- Prepare internal processes for continuous compliance: SPRS submissions, annual affirmations, and assessment readiness.
- Explore how StratoKey CDP can close technical gaps quickly and provide audit-ready compliance evidence.
Stay eligible for DoD contracts. Book a StratoKey CMMC discovery call today and get your organization CMMC-ready.