
Safeguarding CUI Under the Final DFARS Rule: What Prime Contractors and Subcontractors Need to Know

  • brandon9024
  • Sep 10, 2025
  • 4 min read

Updated: Sep 15, 2025

The Department of Defense (DoD) has issued the long-anticipated final DFARS rule that locks the Cybersecurity Maturity Model Certification (CMMC) into defense contracts. Effective November 9, 2025, safeguarding Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) is no longer just best practice—it’s a contractual requirement.


For contractors across the Defense Industrial Base (DIB), this rule is a game-changer. It clarifies exactly when and how CMMC requirements apply to both prime contractors and subcontractors, ensuring that CUI is consistently protected throughout the supply chain.


In this post, we’ll break down what the new rule means, how it affects safeguarding CUI, and what steps your organization should take to stay compliant.


CMMC Is Now a Condition of Doing Business


The DFARS final rule makes it clear: if your information systems will process, store, or transmit FCI or CUI during contract performance, you must achieve and maintain the required CMMC level.


  • Level 1 (Self-Assessment): Applies when only FCI is handled.

  • Level 2 (Self or C3PAO Assessment): Applies when CUI is involved.

  • Level 3 (DIBCAC Assessment): Reserved for the most sensitive cases involving high-value CUI.


Unlike earlier versions of the program, there are no “spot checks” or post-award grace periods: a current CMMC status is required at the time of award, and it must be kept current for the life of the contract.



Subcontractors: When Is CMMC Required?


One of the most significant clarifications in the final rule concerns subcontractors. Many small businesses have been uncertain whether they need to certify under CMMC. The answer now depends on where and how they handle FCI or CUI.


  • No CMMC Requirement: If a subcontractor does not process, store, or transmit FCI or CUI on its own systems, it is exempt. This could be the case if they perform services entirely on a prime contractor’s systems or deliver only commercial off-the-shelf (COTS) products.

  • CMMC Required: If a subcontractor uses its own information systems to handle FCI or CUI, those systems fall under CMMC. In this case, the subcontractor must obtain the appropriate level of certification and keep it current.


This clarification closes a major loophole and ensures that safeguarding CUI is consistent, regardless of where in the supply chain the data is handled.


Flowdown Responsibilities for Primes


The final DFARS rule makes it clear that prime contractors will ultimately bear responsibility for ensuring CMMC requirements flow down the supply chain — but this will phase in over time.

During the three-year rollout (2025–2028):


  • Only select contracts, as determined by DoD program offices, will include CMMC requirements.

  • Primes will need to flow those requirements down to subcontractors only if the subcontract involves handling FCI or CUI.


By November 2028 and beyond:


  • Every subcontractor that processes, stores, or transmits FCI or CUI on its own systems will need to demonstrate a current CMMC status at the level appropriate for the data involved.

  • Subcontractors will also need to post their self-assessments or certifications in SPRS and complete annual affirmations of continuous compliance.

  • Primes may not share FCI or CUI with subcontractors that do not have the required certification.


In other words, primes will increasingly be expected to actively manage safeguarding CUI not only within their own systems, but across their entire supplier network. This phased approach is intended to give the Defense Industrial Base time to adapt, but the ultimate obligation is clear: supply chain cyber hygiene is no longer optional.


Safeguarding CUI in Practice


So what does safeguarding CUI mean under the new rule? At a high level, it requires:


  • Implementing the security requirements appropriate to your CMMC level: the 15 basic safeguarding requirements of FAR 52.204-21 for Level 1, the 110 requirements of NIST SP 800-171 Rev. 2 for Level 2, and a selected subset of NIST SP 800-172 on top of those for Level 3.

  • Annual affirmations of continuous compliance in SPRS.

  • Submitting CMMC UIDs for each information system in scope.

  • Maintaining compliance for the full contract term, including when new systems are added.


For subcontractors, safeguarding CUI means putting the same protections in place as primes when they use their own systems. For primes, it also means performing due diligence on every tier of their supply chain.


Why This Matters


The DoD has made safeguarding CUI a central condition of doing business. Noncompliance won’t just mean audit findings—it will mean ineligibility for award.


This final rule is designed to reduce the risk of cyberattacks and data exfiltration across the DIB. The Council of Economic Advisers estimated that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 alone. With adversaries actively targeting CUI, ensuring strong safeguards is both a national security and business imperative.


How to Prepare


Here’s how to prepare for compliance:


  1. Map where FCI and CUI flow within your organization and supply chain.

  2. Determine which systems are in-scope for CMMC.

  3. Assess your current posture against NIST SP 800-171 controls.

  4. Schedule a C3PAO assessment if Level 2 certification will be required, or a DIBCAC assessment if Level 3 will be required; Level 2 self-assessments and Level 1 self-assessments are scored and entered in SPRS by the contractor.

  5. Engage with subcontractors now to verify their compliance or help them get ready.


Final Thoughts


The DFARS final rule makes one thing clear: safeguarding CUI is no longer optional. Whether you are a prime contractor or a subcontractor, if your systems touch FCI or CUI, you must be CMMC-compliant.


The phased rollout offers time to prepare, but the end state is certain. By November 2028, safeguarding CUI will be a condition of participation in the defense supply chain at every level. The organizations that act now will not only secure their contracts but also strengthen the resilience of the defense industrial base.
