Alston and Bird’s Privacy, Cyber & Data Strategy Team breaks down the Department of Defense’s finalized Cybersecurity Maturity Model Certification (CMMC) rule, which establishes a tiered compliance framework that will soon be mandatory for all defense contractors and subcontractors.
- Contractors must achieve and maintain the required CMMC level, based on the sensitivity of information handled, to be eligible for DoD contracts
- Discretionary adoption begins November 2025, with mandatory compliance for applicable contracts by November 2028
- Prime and subcontractors should immediately assess their information security posture, certification needs, and subcontractor compliance to prepare for stricter oversight