Pentagon Formally Rolls Out Long-Awaited Cybersecurity Requirements for Vendors

New cybersecurity certification standards for defense contractors and their subcontractors took effect Monday after years of industry debate over compliance costs, audit oversight and supply chain accountability.
The new Cybersecurity Maturity Model Certification rule, which amends federal defense acquisition regulations to include CMMC requirements across all new contracts, option years and extensions, also tasks prime contractors with ensuring their subcontractors meet the appropriate certification level. The phased rollout begins with Level 1 enforcement and will expand through 2028, while allowing program offices to include higher levels earlier when warranted.
Experts told Information Security Media Group that the rule formalizes long-anticipated obligations for industry while clarifying how enforcement will extend to existing contracts and renewals. The new rule resolves one of the program’s biggest early ambiguities, said Thomas Graham, chair of the Cyber AB C3PAO Accreditation Committee; the Cyber AB serves as the Department of Defense’s accreditation body for the CMMC program.
“One of the biggest loopholes – if you call it that – that was unclear prior to [the rule] being final is that it will apply to option years and period-of-performance extensions on current contracts,” said Graham, who is also CISO at Redspin. He added that contractors preparing for compliance should begin by updating their Supplier Performance Risk System scores and consulting with their contracting officers to determine which CMMC level their upcoming contracts will require and when.
“Trust is ultimately the foundation of CMMC,” Graham said. “While the program reinforces DOD’s confidence in its contractors, it also marks a collective commitment to strengthening the nation’s cyber defenses.”
Starting in the program’s first year, DOD will require contractors to complete self-assessments as a condition for all new contract awards and certain exercised options. Companies handling more sensitive data will need certification from an accredited third-party assessment organization beginning in the second year, with requirements expanding further in year three as solicitations begin to mandate validations from the Defense Industrial Base Cybersecurity Assessment Center.
The Pentagon introduced plans in 2019 for a unified cybersecurity standard for information that falls below the threshold of classification amid concerns that its hundreds of thousands of contractors were unevenly safeguarding data. The initiative aims to close longstanding gaps in how defense suppliers manage cyber risk across a supply chain that spans more than 300,000 vendors (see: Pentagon Releases Long-Awaited Contractor Cybersecurity Rule).
The final rule builds on years of revisions, shifting the model from a single sweeping requirement to a tiered framework aligned with guidance from the National Institute of Standards and Technology. The updated structure establishes varying levels of rigor based on the sensitivity of information a contractor handles, from basic cyber hygiene to advanced, continuously monitored protections.