The US Department of Defense has issued its final rule implementing the Cybersecurity Maturity Model Certification program, effective November 10, 2025. The rule establishes new cybersecurity requirements for federal contractors and subcontractors, introduces phased compliance deadlines, and heightens potential False Claims Act risks ties to inaccurate reporting.
The long-anticipated Cybersecurity Maturity Model Certification (CMMC) requirements begin to take effect on November 10, as the US Department of Defense (DOD) published its Defense Federal Acquisition Regulation Supplement (DFARS) final rule that incorporates these new cybersecurity requirements into federal contracts. Although CMMC requirements will be mandatory for some DOD contracts under which Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) is processed, stored, or transmitted, civilian agencies have discretion to include their own CMMC requirements in their contracts. This development means that companies doing business with the DOD or civilian agencies should ensure that their cybersecurity systems are prepared to meet the CMMC audit and certification requirements.
Many companies that routinely engage in DOD work have been tracking the CMMC requirements for some time in preparation for their implementation, but these requirements may be less familiar to companies that engage in government contracting on a less frequent basis. And since CMMC requirements may be included in...
FORT COLLINS, Colo. (AP) — Two airmen at a Wyoming U.S. Air Force base have pleaded guilty to making false statements about the deadly shooting of a third that prompted the suspension of Sig Sauer...