On September 10, 2025 the Department of Defense (DoD) issued its final rule (Rule) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to the Cybersecurity Maturity Model Certification (CMMC) program, a cybersecurity framework for evaluating a DoD contractor’s information security protections. The Rule charts out enhanced cybersecurity requirements for Pentagon contractors and includes phased implementation requirements impacting differently situated contractors over the course of the next several years. It follows on the release of the final CMMC rule in October 2024, which itself laid out the mechanisms DoD would be using to certify contractor compliance with the certification program requirements.

The Rule, which applies to unclassified contractor information sys

See Full Page