Cybersecurity Maturity Model Certification Rule Finalized for Defense Industrial Base
September 15, 2025—The Department of Defense (DoD) on Sept. 10 published the rule requiring Cybersecurity Maturity Model Certification (CMMC) assessments in contracts with defense industrial base (DIB) suppliers. CMMC is a certification program that improves the security and cyber hygiene of the DIB supply chain. The Software Engineering Institute (SEI), alongside the Johns Hopkins University Applied Physics Laboratory (APL), co-created the CMMC program for the DoD Chief Information Officer (CIO). The final rule’s publication begins a three-year phased approach to protecting DoD information within the DIB.
CMMC improves security throughout the DIB supply chain against increasing and evolving cyber threats. The program defines the cybersecurity measures that the more than 200,000 DIB organizations must implement to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Defense contractors will use CMMC to measure their conformance with a baseline of cybersecurity requirements. The DoD verifies implementation of the measures through CMMC assessments of specified cybersecurity standards.
The program provides assessments at three levels, each with an increasing number of security requirements. Level 1 may be self-assessed by the DIB organization. A Level 2 assessment may be performed by the organization or a third party authorized to certify the organization. A Level 3 certification must be performed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
The CMMC program rule became effective in December 2024, and voluntary assessments and certifications have been recognized since then. CMMC compliance became mandatory with the publication of the final rule. Though the CMMC program’s official implementation in solicitations and contracts takes place 60 days from the final rule’s release, the SEI’s Frank Smith encourages DIB organizations not to panic. The DoD is phasing implementation, allowing DIB organizations what Smith, who leads the SEI’s CMMC team, calls a “crawl, walk, run” approach.
Generally, for the first year, DoD solicitations will require self-assessments at Level 1 or Level 2. Beginning in November 2026, solicitations may require a Level 2 certification. In the third year, solicitations can include Level 3 certifications where applicable. After that, all solicitations and contracts will require a CMMC Level 1, 2, or 3 assessment or certification. Detailed information can be found on the DoD CIO’s CMMC website.
Smith reminds DIB organizations that they get to decide what parts of their enterprise are within scope of a CMMC requirement. “Make sure the CMMC scope matches your business process. Don’t try to force your business process into it,” he advised.
Above all else, CMMC is intended to protect sensitive defense information from adversaries, said Smith. “This is about the confidentiality of DoD data, pure and simple.” A cyberattack within the DIB supply chain could result in devastating loss of intellectual property (IP) and CUI, which increases risks to the warfighter.
The final rule’s publication in the Federal Register represents the culmination of six years of collaboration between the SEI, APL, and the DoD CIO. Since the inception of CMMC in 2019, the SEI has touched virtually every aspect of the program, from helping establish its structure based on proven cybersecurity practices, to developing certification and assessment standards, to creating training for an estimated 160,000 contracting officers, program managers, and others in the defense acquisition workforce.
Knowledge and training are key for a successful CMMC rollout. The SEI’s support for the CMMC program expands the Defense Acquisition University’s current CMMC courses with additional training products and informational videos Smith is producing with the DoD CIO, slated for release this fall.
Learn more about the SEI’s history with the CMMC program on our website.