×
Monday, July 6, 2026

CMMC Cybersecurity Rules Are Rolling Into Defense Contracts - corporatecomplianceinsights.com

US defense contractors are now encountering CMMC cybersecurity requirements in their contracts. Ambika Biggs of Hirschler reviews the program’s structure, the levels at which contractors may self-certify and where inaccurate certifications have drawn False Claims Act scrutiny from the Justice Department.

A US government focus on cybersecurity is not new. DFARS 252.204-7012, which is included in defense contracts involving controlled unclassified information (CUI), became effective in 2016. However, after a defense department inspector general report in 2019 found that defense contractors were not consistently implementing security requirements to protect CUI, the defense department developed the cybersecurity maturity model certification (CMMC) program to assess implementation of cybersecurity requirements by defense contractors and subcontractors.

A final rule was published in November 2020 and became effective in 2024; the department began incorporating CMMC program requirements in contracts in November 2025, and phased-in implementation is proceeding as scheduled through 2028.

CMMC program and implementation

The CMMC program has three levels:

Level 1: Basic safeguarding of FCI

  • Mandates basic safeguarding requirements and procedures to protect contractor information systems that process, store or transmit federal contract information (FCI), which is information that’s not intended for public release and is provided by or generated for the government.
  • Requires an annual...


Read Full Story: https://news.google.com/rss/articles/CBMiogFBVV95cUxNUG9WekxJSnZwVHU1U0I5MEJq...