The Department of Defense just released its final CMMC 2.0 rule requiring DoD contractors and subcontractors to meet new security certification levels before contract award.

The new DFARS rule takes effect November 10, 2025.

If you touch Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), even as a subcontractor, this rule applies to you.

CMMC Certification Levels are based on data handled:

• Level 1: Basic cybersecurity for FCI (17 practices). Self-assessment.
• Level 2: Advanced protection for CUI (110 practices based on NIST SP 800-171). Select cases are Self-assessments, others are 3^rd party.
• Level 3: Expert level for highly sensitive CUI (based on NIST SP 800-172; limited use). 3^rd party.

You cannot be awarded DOD Contracts unless you meet the CMMC level required by the solicitation or can get conditional certification/waiver.

Contracting Actions to Take: How do you know if this applies to your immediate bids/contracts?

• Every DOD solicitation and contract that requires the processing, storage or transmission of FCI or CUI will specify the exact CMMC level required for the contractor’s information systems.
• The CMMC level is determined by the program office or requiring activity based on the sensitivity of the information and risk profile of the contract.
• This requirement is codified in the contract clause at DFARS 252.204-7021 and the solicitation provision at DFARS 252.204-7025.
• NIST SP 800-171: The security standard that CMMC builds upon

Action to take before bidding: Search solicitations for DFARS 252.204.7025 and CMMC key terms like CMMC, FCI, CUI, NIST SP 800, Level

Action to before signing contract: Search contracts for DFARs 252.204-7021 and other key terms like CMMC, FCI, CUI, NIST SP 800, level  

These clauses must be included in all applicable solicitations and contracts, except those solely for the acquisition of commercially available off-the-shelf (COTS) items

Cost and Schedule Impacts:  

• CMMC costs are often allowable under DOD contracts in most cases. Did you include this in your estimates or contracts that required CMMC?
• Third party certifications can cost $20 – $60k depending on business size and readiness.
• Once awarded, certifications must be maintained through the contract lifecycle. This will be visible to COs on SPRS.

• Certification can take up to a year or more. Noone wants you to lose contract award if you wait until contract award to get certified, except maybe next viable bidder.
• False claims of compliance could trigger civil or criminal penalties under the False Claims Act

Potential good news:

Rule introduces flexibility for contractors working toward full CMMC compliance since full certification may not always be feasible, especially higher levels.

• Conditional Status: for CMMC Levels 2 & 3, contractors may be awarded contract with a “conditional” CMMC Status for up to 180 days if they are actively closing out a Plan of Action and Milestones (POA&M).
• No conditional status is allowed for Level 1.

The rule balances the need for cybersecurity with practical considerations for contractor readiness. DOD programs don’t want to get unduly delayed so flexibility is being considered in phased rollout.

Subcontractors:

• Prime contractors must ensure their subs are certified at the appropriate level before work begins.
• CMMC 2.0 Flowdown is based on the type of information the subcontractor handles, not just their role.

CMMC cybersecurity expert Josh of H&V Facility Solutions provided some applicable training to our federal contractor clients and friends to help them prepare for CMMC 2.0 rollout.  Their helpful slides are below:

The DFARS Final Ruling was published in Federal Register on 9/10/2025:  https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of

 

As federal surety bond experts, we’re proud to support contractors navigating these new federal mandates.

 

Florida Surety Bonds is honored to secure success for our clients building America’s national infrastructure and critical defenses. Let us know if you have questions that we can help you with.

 

Written by Sarah O’Linn, former civilian DOD Source Selection Evaluation Lead and Lead Systems Engineer.

 

Florida Surety Bond Construction Bond Agent and Principal

 

sarah@floridasuretybonds.com | 407-755-6353 | Sarah’s LinkedIn

 

#CMMC #CMMC2 #DoDCompliance #FederalContracting #Cybersecurity #ConstructionBusiness #Federal Contracting #DODContractors #FloridaSuretyBonds #GovCon #DFARS