Articles + Publications | October 1, 2025
* Tony Pappas, an associate with Troutman Pepper Locke who is not admitted to practice law in any jurisdiction, also contributed to this article.
On September 10, the U.S. Department of Defense (DOD) posted its final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program for defense acquisitions.[1] This new rule (acquisition rule) updates the Defense Federal Acquisition Regulation Supplement (DFARS) and imposes new cybersecurity requirements on defense contractors who handle (store, process, or transmit) sensitive information during contract performance.
1. Key Takeaways for Defense Contractors
2. The CMMC Program Under 32 C.F.R. 170
Industry stakeholders have been anticipating the acquisition rule since DOD codified the CMMC program under 32 C.F.R. Part 170, CMMC Program, on December 16, 2024 (program rule). This program is part of DOD’s initiative to strengthen the defense industrial base’s cybersecurity practices and protect federal contract information (FCI) and controlled unclassified information (CUI). By complying with CMMC requirements, defense contractors and vendors assure DOD that they are maintaining adequate standards for safeguarding sensitive information. The program rule accomplishes these goals by requiring contractors to assess and certify contractor information systems before contract award.
CMMC Levels and Assessment Requirements
Under the CMMC program, contractor information systems must pass a cybersecurity assessment to certify them for handling sensitive information. Each certification level (CMMC level) requires a different assessment and assessment method. DOD determines the CMMC level required for the contract and will include that information in the solicitation. There are three CMMC levels with escalating assessment requirements. Below are the general requirements[2] by CMMC level:
Conditional CMMC Status and POAMs
If a contractor information system does not meet all the requirements during an assessment, a conditional CMMC status may be available in certain instances. For a conditional CMMC Level 2 or 3 status, the contractor may use a plan of action and milestones (POAM) to track remediation and cure the deficiency within 180 days. Importantly, under DFARS 204.7502, Procedures, a contract award can occur with a conditional CMMC level.
However, there are limitations to conditional CMMC statuses. A contractor must close out a POAM within 180 days to achieve a final CMMC status, or their conditional status will be lost. Further, POAMs are not available for CMMC Level 1. Contractors should also note that eligibility for a conditional CMMC status is based on achieving a minimum score and satisfying all “critical requirements” on the initial assessment.[3]
CMMC Unique Identifiers
Contractor information system assessments are reported in DOD’s Supplier Performance Risk System (SPRS). SPRS generates a CMMC unique identifier (UID) for each contractor CMMC assessment it receives. When a contract requires a CMMC level, an offeror must include a list of their applicable UIDs with their proposal. Contractors must also update their UID list when new codes are generated by SPRS.
Current Affirmation of Continuous Compliance
In addition to achieving a CMMC level, contractors must also “affirm” their continuing compliance with their assessment’s requirements.[4] The contractor’s affirming official (the contractor’s senior representative responsible for CMMC program compliance) must submit an affirmation electronically in SPRS upon achieving a CMMC level, and annually thereafter. In the event of a cybersecurity incident, contractors will continue to follow the reporting requirements found in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
Subcontractor Flowdown
Subcontractors must also adhere to CMMC requirements when they are required to handle FCI or CUI on their subcontractor information systems. However, as the subcontractor is not in privity with the government, the prime contractor is responsible for ensuring that subcontractors comply with the CMMC program before contract award and during performance. Unfortunately, SPRS does not allow contractors to view SPRS data other than their own. Therefore, prime contractors and subcontractors must develop the mechanisms to monitor CMMC compliance throughout their supply chain to prevent issues. For more information on subcontractor compliance, see 32 C.F.R. 170.23, Application to Subcontractors.
3. CMMC Implementation for Defense Acquisitions
Applicability of CMMC Requirements on Acquisitions
The acquisition rule, as a DFARS rule, only applies to DOD acquisitions. Contractors engaged in contracts with non-DOD agencies should refer to the acquisition procedures of those organizations to assess their cybersecurity requirements. Further, CMMC requirements only apply to contracts where the contractor will handle FCI or CUI on contractor information systems during contract performance. Note there is an exclusion for awards solely for the acquisition of commercially available off-the-shelf (COTS) items.[5] In those limited cases, CMMC requirements do not apply.
Phased Implementation of the CMMC Program Under the DFARS
To minimize the financial impacts and disruption to the industrial base, DOD is rolling out CMMC requirements in four phases. During the first three years after the acquisition rule becomes effective (November 10), the DOD will have discretion to add CMMC requirements to certain contracts. DOD’s four-phase implementation consists of the following:
Note that the DOD has retained discretion to delay or advance higher CMMC requirements at each phase of implementation. For more on the DOD’s phased plan for CMMC implementation, see 32 C.F.R. 170.3, Applicability.
CMMC DFARS Clauses
The acquisition rule creates two new DFARS clauses that implement the CMMC in the DOD acquisition process:
4. Expected Impact and Takeaways
The DOD estimates that CMMC program requirements will affect approximately 337,968 total contractors and subcontractors by the fourth year of the program’s implementation.[6] The DOD also anticipates the greatest concentration of CMMC level requirements will occur at CMMC Level 1 (62% of contractors) and Level 2 Certificate with a CMMC Third-Party Assessment Organization (C3PAO) assessment (35%). While the phased implementation of the CMMC program may soften its initial impact this November, preparation for full implementation is crucial. The CMMC program is on track to become an integral part of the DFARS, and contractors must be proactive with the new cybersecurity framework to remain competitive in the defense acquisition market.
Recommendations on Next Steps
[1] For the final rule, as well as the DOD’s responses to public comments, visit the Federal Register’s website.
[2] See U.S. Dep’t of War Chief Info. Officer, About CMMC, https://dodcio.defense.gov/cmmc/About/ (last visited Sep. 16, 2025).
[3] See 32 C.F.R. 170.21, Plan of Action and Milestones requirements.
[4] See 32 C.F.R. 170.22, Affirmation.
[5] See Federal Acquisition Regulation 2.101, Definitions, for COTS definition.
[6] See Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements, 90 Fed. Reg. 43560, 43573 (Sep. 10, 2025) (to be codified in 48 C.F.R. pts. 204, 212, 217, 252).