On Sept. 10, the Department of Defense (DoD) released the final regulation that requires Cybersecurity Maturity Model Certification (CMMC) compliance for every DoD prime and subcontractor. The regulation will go into effect on November 10, 2025.
The DoD is implementing the CMMC requirements over four phases, starting with the inclusion of CMMC Level 1 and Level 2 Self-Assessment requirements in all applicable DoD solicitations. Most AGC members will fall under Level 1 or 2, and contractors should expect to see the CMMC clause in their contracts in the coming months. CMMC Level 3 requirements are expected to come into being in one year. The full rollout, which will see CMMC program requirements included in all applicable solicitations and contracts, is expected to continue through 2028.
AGC has long communicated the difficulty many contractors and their subcontractors have had implementing these cybersecurity requirements under the CMMC model. AGC commented many times on CMMC as it was developed and will continue to provide education to its members now that the program is in effect. AGC recently hosted a webinar about the CMMC program and how contractors can better prepare. In addition, AGC’s website provides a list of resources related to CMMC, including the CMMC’s Accreditation Body’s marketplace where contractors can find Accessors and C3PAOs.
For more information, please contact Jordan Howard.