The Department of Defense (DOD) has finalized its long-anticipated rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program. Effective Nov. 10, 2025, this rule marks a pivotal shift in how cybersecurity compliance is assessed and enforced across the defense industrial base (DIB). While the rule applies broadly to all DOD contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), it also places a distinct burden on prime contractors to ensure their subcontractors meet the same standards.
What is CMMC?
CMMC is the DOD’s standardized framework for assessing and verifying the cybersecurity practices of contractors and subcontractors within the DIB. Its primary goal is to ensure that companies handling FCI or CUI have appropriate safeguards in place to protect sensitive data from cyber threats. CMMC introduces a tiered model — Levels 1 through 3 — each corresponding to increasing levels of cybersecurity maturity and rigor. Depending on the type of information a contractor handles, it may be required to undergo self-assessments, third-party audits, or government-led evaluations. CMMC transforms cybersecurity from a best practice into an expanded contractual obligation. Baker Tilly’s dedicated CMMC specialists are here to help you navigate this evolving landscape — offering guidance, tailored strategies and hands-on support to ensure your organization meets compliance with confidence and clarity.
How does this new rule finally implement CMMC?
The CMMC framework is governed by two distinct but interrelated rules: the Program Rule and the DFARS Rule. Together, they establish both the structure of the CMMC program and its integration into DOD contracts.
The Program Rule, codified at 32 C.F.R. Part 170, lays out the foundational requirements of the CMMC framework. It defines the certification levels (Level 1, 2 and 3), assessment types (self-assessments, third-party assessments and government-led assessments), and the roles of affirming officials and assessors. This rule also confirms the standards for protecting FCI and CUI, and sets expectations for continuous compliance, including annual affirmations and the use of the Supplier Performance Risk System (SPRS) to track assessment results. This rule became effective Dec. 16, 2024, but did not result in CMMC being fully operational because it was not a contractual requirement.