DoD Mandates Cyber Certs: Contractors, Lock Down Your Systems!
Published Date: 9/10/2025
Rule
Summary
The Department of Defense is updating its rules to make sure contractors follow new cybersecurity standards called the Cybersecurity Maturity Model Certification (CMMC). This change affects companies working with the DoD and helps protect important defense information. Contractors should get ready to meet these new rules soon, which could impact how they do business and spend money on cybersecurity.
Analyzed Economic Effects
1 provisions identified: 0 benefits, 1 costs, 0 mixed.
DoD Requires CMMC for Contractors
If your company contracts with the Department of Defense, the DFARS rule now incorporates contractual requirements from the Cybersecurity Maturity Model Certification (CMMC) program. You will need to implement the CMMC cybersecurity standards in DoD contracts, which could change how you do business and may require spending on cybersecurity.
Your PRIA Score
Personalized for You
How does this regulation affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this federal register document and every other regulation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Key Dates
Department and Agencies
Related Federal Register Documents
2026-05935 — Information Collection Requirement; Defense Federal Acquisition Regulation Supplement; Rights in Technical Data and Computer Software
The Department of Defense is renewing its paperwork rules about who owns technical data and software rights in defense contracts. This affects over 46,000 businesses that work with the DoD, requiring them to provide info about their software and data rights. Comments on these rules are open until April 27, 2026, and the paperwork takes about 1.6 hours per response.
2026-03870 — Information Collection Requirement; Defense Federal Acquisition Regulation Supplement; Performance-Based Payments-Representation (OMB Control Number 0750-0001)
The Department of Defense wants to keep collecting info from businesses about performance-based payments to make sure everything runs smoothly. This info collection, affecting about 438 companies, is up for a three-year extension with no big changes or extra costs. Comments on this plan are open until April 27, 2026, so now’s the time to speak up!
2026-00589 — Information Collection Requirement; Defense Federal Acquisition Regulation Supplement; Rights in Technical Data and Computer Software
The Department of Defense wants to keep collecting info from businesses about rights to technical data and software for three more years. They’re asking for your thoughts by March 16, 2026, to make sure this process is useful and not too much work. If you work with DoD contracts involving tech data or software, this affects you and helps keep things clear and fair.
2026-00544 — Information Collection Requirements; Defense Federal Acquisition Regulation Supplement (DFARS); Cyber Incident Reporting and Cloud Computing
If you’re a business working with the Department of Defense, you need to report any cyber incidents and cloud computing issues quickly. This update reminds contractors about the rules and asks for public comments by January 14, 2026. Reporting helps keep defense info safe, and it usually takes less than half an hour per report.
2025-24283 — Information Collection Requirement; Defense Federal Acquisition Regulation Supplement (DFARS); Quality Assurance
The Department of Defense is renewing its rules for collecting quality assurance info from businesses working on defense contracts. This affects over 60,000 companies who must keep detailed records and report safety issues quickly to help keep equipment safe. Comments on these rules are open until February 5, 2026, and the paperwork takes a lot of time—about 64 hours per response!
2025-24266 — Information Collection Requirements; Defense Federal Acquisition Regulation Supplement; Contractors Performing Private Security Functions Outside the United States
The Department of Defense is updating rules for companies that provide private security outside the U.S. These contractors must report certain security incidents more clearly, helping keep everyone safer. About 10 businesses will spend a little extra time on paperwork, with comments open until February 4, 2026.
Previous / Next Documents
Previous: 2025-17320 — Endangered and Threatened Wildlife and Plants; Similarity of Appearance Explanation for the Northern Distinct Population Segment of the Southern Subspecies of Scarlet Macaw
The U.S. Fish and Wildlife Service is explaining why they didn’t do a special look-alike analysis for the northern group of the southern scarlet macaw under the Endangered Species Act. This update affects how these colorful birds are protected and clears up legal questions from a court order. No new costs or deadlines are involved, just a clear and final explanation.
Next: 2025-17360 — Amendment of United States Area Navigation (RNAV) Routes Q-64, T-414, and T-705, and Establishment of United States RNAV Routes T-461 and T-463; Eastern United States
The FAA is updating some flight paths in the eastern U.S. by changing routes Q-64, T-414, and T-705, and adding new routes T-461 and T-463. These changes help pilots fly safer and smoother with modern technology. Airlines and travelers can expect better air traffic flow soon, with no extra costs involved.
Take It Personal
Get Your Personalized Policy View
Start a Free Government Policy Watch to see how policy affects your household, then upgrade to PRIA Full Coverage for year-round monitoring.
Already have an account? Sign in