20 October 2025

Leveling Up: Will CMMC Contract Obligations Impact Your Organization?

Sheppard, Mullin, Richter & Hampton LLP


Will a final rule issued by the Department of Defense on September 10, 2025 (available here) cause companies to rethink their compliance approach? The rule, which relates to the Cybersecurity Maturity Model Certification program (CMMC), will impact how defense contractors engage with the Department of Defense. (We wrote previously (here) about the separate, but related, CMMC rule that addressed substantive CMMC program requirements.)

This final rule will require defense contractors to affirm CMMC compliance under a phased approach, with full implementation by November 2028. The requirement will place a significant hurdle on defense contractors, who will need to affirm their CMMC compliance in order to contract with the Department of Defense. The first implementation phase begins November 10, 2025, and addresses self-assessment and affirmation for entities that handle "FCI" (or basic Federal Contract Information) and "CUI" (or Controlled Unclassified Information). More detail about the requirements is in our sister blog post here.

Performing assessments and obtaining certification will likely require organizational change on many levels. It will include C-suite attestations and flow-down obligations to subcontractors. While obligations were already in effect before this rule, we expect CMMC to result in increased exposure under the False Claims Act if attestations are inaccurate.

Putting It Into Practice: Failing to get through the CMMC assessment and certification process can result in defense contractors losing their DoD business. Rushing through the assessment process, failing to involve key stakeholders, or otherwise misstepping, however, can create legal exposure for entities. In the face of this, companies should consider organizational change principles: engage key stakeholders, conduct reviews under privilege, and treat CMMC as a key governance risk, not an IT problem.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
