CMMC Is Live: What the Latest FAR and DFARS Changes Mean for the Defense Industrial Base

For years, many companies in the Defense Industrial Base treated independent verification of their NIST SP 800-171 implementation as something that was always "coming soon." That period is over. DoD formally established the CMMC Program in 32 CFR part 170 with a final rule published in October 2024 and effective in December 2024. The follow-on DFARS acquisition rule then moved CMMC from policy into the procurement process, making it an active part of how DoD evaluates contractors for award and during contract performance.
In plain terms, CMMC is live. The program itself was established when the Title 32 rule codified the assessment and certification framework, and the phased rollout began when the Title 48 acquisition rule, effective November 10, 2025, defined how CMMC requirements appear in solicitations, contracts, task orders, and delivery orders. For DIB companies, that means cybersecurity readiness is no longer a future-state initiative. It is an acquisition issue that can affect award eligibility, option exercises, and contract continuation at any point in the contract lifecycle.
How FAR Part 40 and DFARS Part 240 Reorganize Defense Cybersecurity Requirements
The Government has been reorganizing security-related acquisition content under FAR Part 40, Information Security and Supply Chain Security, which groups these requirements by topic rather than scattering them across the FAR. Under DoD's February 1, 2026, class deviation implementing this FAR overhaul, contracting officers were directed to use the revised FAR Part 40 and a new DFARS Part 240, which relocates some of the DoD-specific acquisition requirements. The practical takeaway for contractors: clause numbers and locations may have shifted, but none of the underlying compliance requirements have gone away.
The DFARS Clauses Every DIB Contractor Must Know
DFARS 252.204-7008: Representing Cybersecurity Compliance at the Offer Stage
The first clause DIB companies should keep front and center is DFARS 252.204-7008, the solicitation provision on compliance with safeguarding covered defense information controls. In the current Part 240 deviation text, this provision still requires an offeror to represent that it will implement the NIST SP 800-171 security requirements on its covered contractor information systems. In other words, this is not boilerplate. It is an offer-stage representation of your cybersecurity posture, made before any assessment has been verified.
DFARS 252.204-7012: The Core Safeguarding Clause for Covered Defense Information
The second clause is DFARS 252.204-7012, the core safeguarding clause. It requires contractors to provide adequate security on covered contractor information systems, including full implementation of NIST SP 800-171, and it carries the clause's cyber incident reporting obligation (rapid reporting to DoD within 72 hours of discovery). This clause is the operational backbone of compliance because it governs the day-to-day safeguarding of covered defense information and the systems that store, process, or transmit it.
DFARS 252.204-7021: CMMC Compliance Verification and Contract Eligibility
The third clause is the one many contractors have been waiting for: DFARS 252.204-7021, the CMMC compliance verification clause. This is the clause that ties contract eligibility to holding the required CMMC status in SPRS, whether that status comes from a self-assessment, a third-party (C3PAO) assessment, or a DoD assessment. During the phased rollout, which runs through November 9, 2028, contracting officers are required to use 252.204-7021 when the program office or requiring activity determines that a specific CMMC level is required. On and after November 10, 2028, the rule requires the clause whenever contractor information systems will process, store, or transmit FCI or CUI, except in contracts solely for COTS items.
DFARS 252.204-7025: What This Solicitation Notice Means for Your Capture Team
Solicitations that include 252.204-7021 will also include DFARS 252.204-7025, Notice of Cybersecurity Maturity Model Certification Level Requirements. This is the Government's heads-up to industry that the resulting contract will carry a CMMC assessment or certification requirement. If your capture, contracts, and compliance teams see 252.204-7025 in a solicitation, they should treat it as an immediate signal to verify the required CMMC level, confirm which systems will touch FCI or CUI, and make sure the required self-assessed or third-party certified status is current in SPRS before award. Once the level is in the solicitation, do not plan on a waiver: without the required status, award cannot be made.
Operational CMMC Compliance Points DIB Companies Cannot Afford to Miss
There are also a few operational points DIB companies should not miss. First, CMMC is not about passing an assessment once. The rules tie eligibility to a current CMMC status and to an affirmation of continuing compliance in SPRS. Second, the rules allow a limited conditional path for Levels 2 and 3 with narrowly defined POA&Ms, under which an award can occur with a conditional CMMC status that must be closed out within 180 days; there is no long-term substitute for full compliance. Third, the annual affirmation is legally significant. Companies need a defensible internal process for who serves as the affirming official, what evidence supports the affirmation, and how changes in compliance status are tracked between affirmations.
Important Nuances: NIST SP 800-171 Assessment Clause and SPRS Score Requirements
One nuance worth calling out is the treatment of the NIST SP 800-171 DoD assessment clause. In the baseline DFARS text effective November 10, 2025, contractors will still see 252.204-7020 prescribed in DFARS Subpart 204.73. Under the February 1, 2026, FAR-overhaul class deviation, however, the provision permitting DoD assessments is prescribed instead as 252.240-7997. This is functionally the same DoD assessment requirement under a different number.
Another nuance is that 252.204-7019 will not be included in new prime contracts awarded after February 1, 2026. That provision, which requires a current NIST SP 800-171 assessment score in SPRS to be considered for award, can still affect subcontract awards and task and delivery order awards under existing contracts.
What DIB Contractors Should Do Now to Prepare for CMMC Compliance
So what should DIB companies do now? Start by identifying which information systems will process, store, or transmit FCI or CUI during contract performance. Then work through the following steps:
- Confirm that your NIST SP 800-171 implementation under 252.204-7012 is real, documented, and supportable.
- Make sure the right systems are tied to the right CMMC UIDs in SPRS.
- Establish an internal ongoing tracking and annual affirmation process that leadership understands.
- Train capture and contracts teams to recognize 252.204-7025 and 252.204-7021 as business signals, not just compliance footnotes.
The Bottom Line: CMMC Is Now an Active Acquisition Requirement
CMMC is no longer theoretical. It is now part of the acquisition environment, and DIB companies that wait until a must-win solicitation hits the street will be reacting too late. The organizations that move now — by tightening system scoping, validating 800-171 implementation, preparing assessment evidence, and operationalizing affirmations — will be in a much stronger position to compete and perform.
At SSE, we help defense contractors turn regulatory language into practical action: scoping environments, aligning controls, preparing for assessments, and building compliance programs that support both contract eligibility and long-term resilience.
