This article was originally published on October 8, 2025 on Law360 and is republished here with permission.
The U.S. Department of Defense released the final rule implementing the Cybersecurity Maturity Model Certification on Sept. 9.[1] Through the program, the DOD seeks to enhance protections for sensitive information.
Defense contractors’ efforts to ramp up their CMMC
Shutdown, again. This advisory helps contractors manage operations during this period.
Contractors should closely monitor their customer and regulatory agencies’ websites for shutdown guidance, as agencies like DoD, DOJ, and others have already issued instructions.[1] Each agency may have slightly different responses, so staying informed is crucial. Contractors should be particularly mindful of: (1) when contractors must halt work, (2) what work and costs are reimbursable during the shutdown, (3) cost-saving measures that comply with labor laws, and (4) the impact of future administrative delays on commercial operations.
On September 10, the U.S. Department of Defense (DOD) posted its final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program for defense acquisitions.[1] This new rule (acquisition rule) updates the Defense Federal Acquisition Regulation Supplement (DFARS) and imposes new cybersecurity requirements on defense contractors who handle (store, process, or transmit) sensitive information during contract performance.