DFARS Changes to Integrate CMMC Requirements Effective November 10



The final version of changes to defense contracting regulations implementing the Cybersecurity Maturity Model Certification Program has been released, beginning a three-year phase-in period for incorporating contractor self-assessment or third-party certification requirements in all Department of Defense contracts involving Federal Contract Information or Controlled Unclassified Information.


On September 10, 2025, the Department of Defense (DOD) released the final version of changes to the Defense Federal Acquisition Regulation Supplement (DFARS) to integrate the requirements of the Cybersecurity Maturity Model Certification (CMMC) Program into defense contracting processes.[1] EDUCAUSE member institutions that are engaged in defense-related research have followed this issue closely, particularly since the proposed regulations were released for public comment in August 2024, anticipating what the final rule would ultimately include.[2] Their interest stems from the fact that the effective date of the final DFARS changes marks the start of the DOD's three-phase process to incorporate CMMC certification requirements into contract solicitations and, ultimately, into final contracts.[3]

The DOD delayed the effective date of the new DFARS regulations by sixty days, setting November 10, 2025, as the date when institutions must begin watching for contract solicitations to carry CMMC Level 1 (because they involve Federal Contract Information [FCI]) or Level 2 (because they involve Controlled Unclassified Information [CUI]) designations. CMMC Level 1 requires self-assessment of compliance, not third-party certification, and the projects that receive a Level 2 designation in the first phase would primarily carry a self-assessment requirement as well. However, the DOD reserved the right at this stage to apply the Level 2 designation requiring third-party certification when it deems such certification is warranted. In order to compete for research contracts with CMMC Level 1 (Self), CMMC Level 2 (Self), or CMMC Level 2 (C3PAO) designations, institutions will have to have their self-assessment scores or third-party certification of compliance with the National Institute of Standards and Technology (NIST) SP 800-171 CUI safeguarding standards listed in the relevant defense contractor data system, the Supplier Performance Risk System (SPRS).[4] That makes November 10 the date on which an institution that has not completed its Level 1 or Level 2 self-assessment, or, if applicable, its Level 2 certification would be unable to compete for some DOD research contracts. The number of affected contracts will increase when phase 2 starts twelve months later and again when phase 3 begins twelve months after that. Once phase 3 ends, the DOD expects to incorporate CMMC Levels 1, 2, and 3 requirements into all relevant contract solicitations.

Fundamental Research and CMMC

As noted in the EDUCAUSE comments on the proposed DFARS changes in October 2024, recent DOD regulatory activities related to CMMC reinforced the view that fundamental research typically does not involve FCI or CUI and is therefore generally exempt from CMMC requirements.[5] However, in both the CMMC Program rule and the proposed DFARS changes to implement CMMC, the DOD noted that situations could arise in which projects that otherwise constitute fundamental research might receive FCI or CUI as part of the data conveyed by the department for the requested research, for example, and thus bring with them a requirement for CMMC self-assessment or certification. One particular concern for EDUCAUSE members was the statement in the proposed DFARS rule that "if fundamental research has the potential to become CUI, it would be subject to the requirements of CMMC."[6] The DOD did not define what it meant for fundamental research to have the potential to become CUI, leaving institutions uncertain about how and when CMMC requirements might apply.[7]

The lack of clarity around when, where, and how data in a fundamental research project could become CUI seemed likely to open the door for a much broader range of research to be subject to CMMC requirements. As a result, researchers and institutions could be led into increasingly case-by-case negotiations to prevent the misapplication of CMMC. In response, EDUCAUSE reiterated the request made in our CMMC Program rule comments for the DOD to work with the higher education research and cybersecurity communities on developing a comprehensive framework for identifying and managing edge cases in which fundamental research projects become sufficiently entangled with FCI or CUI to fall under CMMC.[8]

In the narrative that accompanies the final regulations, the DOD acknowledged our recommendation but chose not to adopt it. However, it also provided useful clarification regarding fundamental research edge cases. After acknowledging again that fundamental research as defined by National Security Decision Directive 189 (NSDD-189) generally "cannot be safeguarded as either FCI or CUI" since the information it generates is intended for public release, the DOD noted that "if fundamental research has the potential to become CUI, it would be subject to the requirements of CMMC once the data becomes CUI."[9] This confirmation that CMMC requirements would not apply unless and until the data suspected of having the potential to become CUI actually becomes CUI may provide important breathing room for researchers and their institutions in terms of CMMC compliance. They will still have to bear the weight of determining whether a fundamental research project might produce data that could become CUI and deciding whether to preemptively address CMMC requirements in relation to that possibility, all without much upfront guidance from the DOD. In other words, it does not appear that there will be any substitute for case-by-case evaluations and negotiations with the given DOD contracting officer. However, in situations where the determination may not be easy to reach or the application of CMMC requirements may be problematic, the fact that those requirements do not become real for the given project until the presence of actual CUI is established should provide researchers and institutions with additional time to achieve the CMMC level that the project entails.

Furthermore, in August 2025, the DOD Basic Research Office released formal guidance on fundamental research related to the DOD contracting process, reinforcing the unique status of such research as discussed in the final DFARS rule narrative.[10] This guidance notes, for example, that "the products of fundamental research" as defined by NSDD-189 should "to the maximum extent possible . . . remain unrestricted." It continues by highlighting the following points:[11]

  • The DOD budget categories that always indicate fundamental research or that do so if the research in question is to be conducted on a university campus, and
  • The "Fundamental Research Review" process from Appendix B of the DOD's Science and Technology (S&T) Protection Guide that program and contract officers should use to help determine when a particular project should carry a fundamental research designation.

The explanation of the review process states that a fundamental research determination "should be made pre-award and should rarely be reassessed. Over-controlling research that could otherwise be fundamental risks forfeiting" its capacity to increase the pace and volume of transformative innovations that bolster our national defense.[12] The "Fundamental Research Guidance" memo continues, however, by identifying other factors beyond the "Fundamental Research Review" process that program and contracting officers should consider, such as not "imposing publication review of research that has been formally designated as fundamental and is conducted by an institution of higher education or some other external research institute" that is not a DOD component.[13]

Thus, while the final DFARS rule does not incorporate our recommendation regarding the development of an explicit framework to govern fundamental research edge cases in relation to CMMC, the recent official guidance on fundamental research from the DOD identifies the established policies and principles that are intended to ensure fundamental research retains its essential character throughout the DOD contracting lifecycle. Furthermore, the DOD Basic Research Office guidance emphasizes to program and contracting officers the need to follow those principles and processes so that the DOD has the best opportunity to realize the full benefits of the fundamental research it sponsors.

Additional Issues and Clarifications

EDUCAUSE continued its comments on the proposed regulations by encouraging the DOD to automate CMMC changes to reporting to the extent reasonably possible.[14] In many cases, the proposed DFARS revisions mandated that institutions report system and self-assessment or third-party certification information to their contracting officers—information that the DOD already possesses and should be able to provide to its relevant staff as needed. Likewise, EDUCAUSE recommended that the DOD add functionality to its Supplier Performance Risk System (SPRS) to allow primary contractors to see basic CMMC self-assessment or certification information from potential subcontractors in order to streamline the subcontracting process. Unfortunately, the DOD essentially reconfirmed that SPRS doesn't have this functionality and implied that the department has no plans to add it:[15]

  • "A few respondents recommended updating SPRS to improve reporting functionality during the phase-in period to reduce requirements to report to the contracting officer manually and to allow for automated updates to CMMC information for prime contractors . . . . The determination of which CMMC UIDs are applicable to a particular contract [is] determined by the contractor. As a result, there is not a way to automatically update the contracting officer with the applicable CMMC UIDs for a particular solicitation or contract."
  • "Contractors will only be able to access their own CMMC certificate or CMMC self-assessment information. DoD does not have a tool that would allow sharing of subcontractor information with prime contractors electronically. Prime contractors are expected to work with their suppliers to conduct verifications as they would for any other clause requirement that flows down to subcontractors."

Thanks to the expertise and efforts of the EDUCAUSE Regulated Information Security Compliance Community Group, the association comments on the proposed regulations also highlighted a number of points of clarification that the DOD should address. Unfortunately, most of those requests went unanswered, but the DOD did make a couple of key edits related to EDUCAUSE member points:

  • The proposed rule stated that institutions would need to have a "senior company official" affirm annually their continuous compliance with the CMMC requirements that applied to their contracts. However, EDUCAUSE noted that the term "senior company official" did not appear in the CMMC Program regulations and requested that the DOD include "affirming official," which was the term provided and defined in the programmatic regulations. The DOD agreed: "The clause has been updated to include the term 'affirming official' in place of 'senior company official' to match the language codified at 32 CFR part 170."[16]
  • In the proposed regulations, institutions would have to report a "lapse in information security" to the relevant contracting officer within seventy-two hours of its occurrence. EDUCAUSE raised a concern about the lack of a definition regarding what would constitute a "lapse in information security" sufficient to trigger the requirement. Other commenters also noted problems with the proposed text. As a result, the DOD omitted the provision from the final rule in favor of the already well-established incident reporting requirement under DFARS 252.204-7012: "Based on public comments, the requirement to notify the contracting officer of lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract has been removed from the final rule."[17]

The DOD made an additional clarification that aligned with one of our requests, even though the change came from a different reference than the one cited in the EDUCAUSE comments. Our comments noted a discrepancy between related paragraphs regarding whether successful respondents to a contract solicitation had to provide upfront the "DOD Unique Identifier (DOD UID)," identified as "CMMC UID" in the final rule, for each system involved in contract performance that handled FCI or CUI, or whether they were only required to provide UIDs at the request of the contracting officer. The final rule clarifies that successful respondents need to provide those system identifiers upfront: "The solicitation provision was also updated to clarify that all offerors will be required to provide, with the proposal, the CMMC UIDs issued by SPRS for each contractor information system that will process, store, or transmit FCI or CUI during performance of a contract, task order, or delivery order resulting from a solicitation containing the provision."[18]

Significantly, the final regulations also make clear that only "contractor information systems that 'process, store, or transmit FCI or CUI in performance of the contract'" fall under the regulations' requirements.[19] Since many EDUCAUSE member institutions serve as subcontractors on larger projects, it is important to note that prime contractors are responsible for reporting the system identifiers of their subcontractors' relevant data systems. Subcontractors will not be required to report CMMC UIDs to the DOD themselves: "The rule clarifies that only prime contractors with a CMMC requirement will be required to submit CMMC UIDs to the contracting officer for any contractor information system that will process, store, or transmit FCI or CUI during performance of the contract, which may include the CMMC UIDs associated with the contractor information systems of the prime's subcontractors. Subcontractors do not have a requirement to submit CMMC UIDs to the contracting officer."[20]

Conclusion

The final version of the DFARS changes to integrate CMMC requirements into defense contracting, unfortunately, does not resolve EDUCAUSE member concerns about fundamental research edge cases. At least for now, the DOD seems intent on addressing any such situations on a case-by-case basis, which will no doubt impose additional time and effort burdens on institutions and DOD contracting officers alike. The text of the rule, combined with the separate DOD guidance on fundamental research cited above, however, offers some additional assurance to colleges and universities that fundamental research in general remains outside the scope of CMMC—something that EDUCAUSE and associations with which we have collaborated have long worked to ensure. Likewise, a number of our requests for clarification were overlooked in the final rule. Still, some important points were addressed that will help reduce the confusion institutions experience when seeking to comply with the regulatory requirements.

The most significant result of this process, though, is that issuance of these regulations finally establishes a clear deadline for when CMMC self-assessment and certification requirements will begin appearing in DOD contract solicitations. The three-year phase-in of CMMC starts on November 10. Pending any further delays or changes that might arise from the DOD, institutions seeking to receive or participate in DOD contracts will have to rapidly achieve compliance if they have not yet fully implemented the FCI and CUI standards where they do apply.

Notes

  1. Department of Defense, Defense Acquisition Regulation System, "Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019–D041)," final rule, Federal Register 90, no. 173 (September 10, 2025): 43560–43577.
  2. Department of Defense, Defense Acquisition Regulation System, "Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019–D041)," proposed rule, Federal Register 89, no. 158 (August 15, 2024): 66327–66338.
  3. CMMC phased rollout timelines are explained in the CMMC Implementation section of U.S. Department of Defense, "About CMMC," Chief Information Officer, accessed November 3, 2025.
  4. Ibid.; C3PAO: Certified Third-Party Assessment Organization.
  5. EDUCAUSE, "Comments in Response to DFARS Case 2019-D041, 'Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements' (Docket No. DARS-2020-003; RIN 0750-AK81)," October 15, 2024, 1–2.
  6. Department of Defense, Defense Acquisition Regulation System, "Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation," proposed rule, Federal Register 89, no. 158 (August 15, 2024): 66331.
  7. Ibid.
  8. EDUCAUSE, "Comments in Response to DFARS Case 2019-D041, 'Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements' (Docket No. DARS-2020-003; RIN 0750-AK81)," October 15, 2024, 3–4.
  9. Department of Defense, Defense Acquisition Regulation System, "Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation," final rule, Federal Register 90, no. 176 (September 10, 2025): 43564.
  10. Department of Defense, Basic Research Office, "Fundamental Research Guidance," August 4, 2025.
  11. Ibid.
  12. Ibid.
  13. Ibid., 2.
  14. EDUCAUSE, "Comments in Response to DFARS Case 2019-D041," 5, 4.
  15. Department of Defense, Defense Acquisition Regulation System, "Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation," final rule, Federal Register 90, no. 176 (September 10, 2025): 43589.
  16. Department of Defense, Defense Acquisition Regulation System, "Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation," final rule, Federal Register 90, no. 176 (September 10, 2025): 43515.
  17. See Defense Acquisition Regulations System, "DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting," Acquisition.gov, accessed November 3, 2025; Department of Defense, Defense Acquisition Regulation System, "Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation," final rule, Federal Register 90, no. 176 (September 10, 2025): 43526.
  18. Ibid., 43561.
  19. Ibid., 43564.
  20. Ibid., 43568.

Jarrett Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.

© 2025 EDUCAUSE. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License