New Cybersecurity Maturity Model Certification Program: Compliance Obligations; Implications for DoD Contractors

This CLE webinar will provide an overview of the new Cybersecurity Maturity Model Certification (CMMC) program and highlight important considerations for Department of Defense (DoD) contractors. The panel will review the key elements of the new rule, including compliance obligations, and provide guidance for defense contractors navigating this evolving regulatory landscape.

The DoD recently published its long-awaited final rule amending the Defense Federal Acquisition Regulation Supplement to formally implement the CMMC program. The new Rule, effective Nov. 10, 2025, will be implemented over a three-year period with full implementation by Nov. 10, 2028. Once the rule is fully implemented, defense contractors will be unable to obtain a DoD contract unless they meet the requisite CMMC program requirements. 

The CMMC program is designed to ensure that companies that handle federal contract information (FCI) or controlled unclassified information (CUI) are compliant with cybersecurity requirements, and the new Rule transcends the CMMC program from a policy framework into binding contractual obligations. Also, the new rule changes the current self-assessment model for certifying cybersecurity readiness to a third-party verification model that will require most defense contractors handling CUI or FCI to pass a cybersecurity assessment by a third-party assessment organization.

Noncompliance with the CMMC program will disqualify contractors from bidding on DoD contracts. Thus, it is imperative that defense contractors that process, store, or transmit federal FCI or CUI understand the key elements of the new rule to ensure they are and remain in compliance to be eligible for certain DoD contracts.

Listen as our authoritative panel reviews the new compliance obligations of the DoD's CMMC program and the implications for companies operating in the defense supply chain space.