SEPTEMBER 10, 2025 - CMMC: Here are the final requirements for DoD contractors - 48 CFR CMMC

On September 10, 2025, the U.S. Department of Defense (DoD, recently renamed the U.S. Department of War) published the Final Rule clarifying its CMMC procurement rules and requirements (48 CFR CMMC).

This is an important step: it means that within 60 days (by November 10, 2025), the US Department of Defense will begin including CMMC requirements in its contracts.

Please note that, upon publication, CMMC will be mandatory for obtaining contracts with the US Department of Defense.

Here is a summary of the main requirements:

The required CMMC level will be specified in each request for proposals

  • The U.S. Department of Defense will specify in its requests for proposals the required CMMC level (CMMC Level 1, CMMC Level 2 with self-assessment, CMMC Level 2 with assessment by an external C3PAO auditor, CMMC Level 3).

You must have CMMC certification in order to be awarded the contract

  • The US Department of Defense states that before it awards you a contract, you must prove that you have the required CMMC certification.

  • No contract will be awarded to a contractor or subcontractor that does not have the required CMMC certification.

Obligation to maintain your CMMC certification level throughout the contract

  • The US Department of Defense requires that all contractors maintain the required CMMC level throughout the duration of a contract they have been awarded.

  • The contractor must ensure that its subcontractors comply with the same requirement.

Discretionary CMMC certification for existing contracts

  • The US Department of Defense will not force organizations (with existing contracts) to obtain certification at the required CMMC level.

  • However, it may require you to obtain certification during the contract if it believes that your lack of CMMC certification puts its data at risk. The decision rests solely with the US Department of Defense.

Requirement to hold CMMC certification upon renewal of current contracts

  • From now on, upon renewal of any current contract, you must hold the required CMMC certification.

  • You therefore run the risk of losing a contract if you are not CMMC certified at the time of renewal.

Reporting cybersecurity incidents

  • Any cybersecurity incident impacting U.S. Department of Defense data must be reported to the Department in accordance with the requirements of DFARS 252.204-7012. Reports must be made promptly, within a maximum of 72 hours.

Removed: obligation to report lapses in CMMC compliance

  • If, during the performance of a US Department of Defense contract, you discover that the systems that collect, store, or process CUI received (or created) under the contract are no longer CMMC compliant, you are no longer required to report this to the Department.

  • The removal of this former requirement is intended to make the CMMC certification maintenance process less burdensome.

Obligation to ensure that your subcontractors also have the correct CMMC certification (flow down)

  • The Department of Defense states that you are responsible for ensuring that your subcontractors hold the required CMMC level before you share with them any information (CUI or FCI) that the Department shares with you under a contract you have been awarded.

  • It suggests collaborating (on a voluntary basis) with your subcontractors to obtain the correct information about their CMMC certification level.

How can StreamScan help you?

StreamScan is a CMMC Registered Provider Organization (RPO) and is officially authorized to support organizations in their CMMC process.

We are the first CMMC Level 2 certified cybersecurity company (MSSP/SOC/MDR) in Canada. This important milestone reinforces our commitment to serving our defense and aerospace customers in the United States and Canada with the highest level of assurance.

With our CMMC Level 2 certification:

  • Our defense partners benefit from a significant acceleration of their own compliance process by leveraging our already certified services and technologies.

  • The scope of their own CMMC certification is reduced, as many critical security functions are outsourced to an already compliant supplier, reducing compliance and audit costs.

  • They can quickly demonstrate that they meet the cybersecurity requirements imposed by US federal contracts.

Need expert advice for your situation?

Our specialists are here to help.

Take advantage of a free, no-commitment consultation to discuss your challenges, priorities, and find solutions tailored for your company.

Contact an expert now