CMMC Takes Center Stage: Understanding the New DFARS Subpart 204.75 Update
- Cybersecurity Consultant Brent Gallo
- Jul 23
- 3 min read
The Department of Defense (DoD) has quietly but decisively elevated the Cybersecurity Maturity Model Certification (CMMC) from a pilot concept to a formal contractual gatekeeper. The newly revised DFARS Subpart 204.75 inserts mandatory CMMC language into the Defense FAR Supplement, transforming certification from “coming soon” to “contract‑critical.” Here’s what the change means, why it matters, and how your organization can stay ahead of the curve.
What exactly changed?
Before | After the update |
CMMC requirements appeared only in select pilot RFPs and “pathfinder” contracts. | Subpart 204.75 now requires contracting officers to insert CMMC language in most DoD solicitations and contracts. |
Award decisions could proceed while an offeror’s CMMC status was “in progress.” | No award, option exercise, or extension is permitted unless the contractor already holds a current (≤ 3 years old) certificate at the required level. |
Verification was largely manual. | Contracting officers must verify certificates in the Supplier Performance Risk System (SPRS). |
The rollout timetable was ambiguous. | Phased rollout ends 30 September 2025; on 1 October 2025 the CMMC clause (DFARS 252.204‑7021) becomes mandatory in all non‑COTS DoD contracts. |
Key implications for industry
· Bid‑no‑bid filters tighten. If your target contract calls for Level 2 or Level 3, you must show a valid certificate before the proposal due date—self‑attestations or “scheduled assessments” no longer suffice.
· Schedule risk shifts left. Certification lead times (assessment prep, assessor availability, SPRS upload) now sit on the critical path. Build at least six months of margin into your capture plans.
· Option years are on the line. Lapses in certification can de‑obligate option periods or even terminate contracts for default. Continuous compliance is the new normal.
· Duplicate audits minimized. The rule bars duplicative DoD assessments unless red flags emerge, reducing audit fatigue but raising the stakes of the first assessment.
· Small‑business competitiveness reshaped. Primes will increasingly flow‑down CMMC obligations to subs, meaning even micro‑suppliers handling Controlled Unclassified Information (CUI) must budget for certification.
Timeline at a glance
Date | Milestone |
Now – 30 Sep 2025 | CMMC may appear in solicitations only with Office of the Under Secretary of Defense (A&S) approval; if included, compliance is mandatory at award. |
1 Oct 2025 | Clause 252.204‑7021 becomes ubiquitous—virtually every non‑COTS DoD contract will require a CMMC level specified by the requiring activity. |
Your five‑step readiness checklist
1. Gap‑assess today. Map your current NIST 800‑171 posture to the target CMMC level and create a prioritized POA&M.
2. Lock in an assessor. Authorized C3PAOs are booking months out; reserve a slot early.
3. Update SPRS entries. Ensure your organization and DUNS/UEI records align with your soon‑to‑be‑issued certificate.
4. Flow down requirements. Amend supplier agreements so key subs pursue certification on your timeline, not theirs.
5. Build a sustainment plan. Treat CMMC as an ongoing program—continuous monitoring, evidence collection, and annual internal reviews will keep that certificate current.
Why this matters now
Waiting until the fiscal‑year‑end surge of 2025 is a recipe for blown bid deadlines and lost revenue. The updated DFARS language gives contracting officers zero discretion once a CMMC level is written into a requirement. Early movers will enjoy cleaner proposals, faster awards, and a competitive edge in the $400 billion‑plus defense market.
Final thoughts
CMMC is no longer a future requirement—it’s an active selection criterion hard‑wired into the DFARS. Organizations that invest in certification this year will position themselves as low‑risk, mission‑ready partners when the floodgates open in 2025.Need help decoding the controls, prepping for your assessment, or steering your suppliers toward compliance? Hire A Cyber Pro has walked dozens of businesses through NIST 800‑171 implementations, CMMC gap analyses, and assessor negotiations. Let’s secure your certificate—and your next DoD contract—together. Email contact@hireacyberpro.com or schedule a meeting today for CMMC assistance. Source: https://www.ecfr.gov/current/title-48/chapter-2/subchapter-A/part-204/subpart-204.75
Comments