Particle.news

Pentagon Finalizes CMMC Rule, Effective Nov. 10, 2025

The move standardizes how contractors prove cybersecurity readiness, creating auditable records that carry real enforcement risk.

Overview

  • The DFARS rule launches a three-year, phased incorporation of CMMC into new awards and modifications, with full coverage by year four for work involving FCI or CUI.
  • The framework sets three tiers: Level 1 requires annual self-assessments, most Level 2 contractors must obtain C3PAO certification, and Level 3 will undergo DoD-led assessments.
  • Contractors must upload Level 1 and Level 2 self-assessment results to the Supplier Performance Risk System before award or option actions and must maintain status for the life of the contract.
  • The rule requires an annual affirmation of compliance, with false statements risking termination, negative past performance, suspension or debarment, and liability under the False Claims Act.
  • DoD estimates the rule will affect about 338,000 contractors, exempts COTS-only contracts, and legal analysts note third-party certifications can provide credible evidence of compliance.