On September 10, 2025, the newly named Department of War made its position clear: cybersecurity is now a battlefield requirement. The long-awaited final Defense Federal Acquisition Regulation Supplement rule amending 48 CFR was issued and published in the Federal Register. In just 60 days, on November 10, 2025, these requirements will begin to phase into new defense contracts. For the Defense Industrial Base, this is no longer theoretical. The nation has declared war on cyber threats, and the supply chain is the front line.
Why The Department Of War Matters
The organization has been known as the Department of Defense since 1947, when Congress replaced the historic Department of War with a post–World War II structure. On September 5, 2025, President Trump signed an executive order restoring “Department of War” as a secondary title. The Secretary of Defense has been directed to pursue legislative action to make the change permanent.
The symbolism is deliberate. By reintroducing the War title, the Administration is sending a blunt message: in cyberspace, America is not only defending but also going on the offensive. The timing of the renaming, followed immediately by the release of the 48 CFR rule, underscores that cybersecurity is now treated as a matter of national defense, and compliance is the weapon of choice.
What The Rule Requires
Under the new rule, contractors must post the results of Cybersecurity Maturity Model Certification Level 1 or Level 2 self-assessments in the Supplier Performance Risk System before any award or option exercise. They must maintain certification status throughout the life of the contract. An affirming official must attest annually, or whenever compliance changes, that systems handling Federal Contract Information or Controlled Unclassified Information remain compliant. Contractors must also identify and submit unique identifiers for the systems that will process, store or transmit sensitive data.
The rollout is phased over three years. Initially, only contracts designated by program offices will require a certification level. Beginning November 10, 2028, all contracts involving Federal Contract Information or Controlled Unclassified Information will require compliance, except for contracts solely for commercially available off-the-shelf items.
Why This Matters
For years, Defense Federal Acquisition Regulation Supplement clause 252.204-7012 required contractors to self-attest to safeguarding information and reporting incidents. What it did not require was verification. The new rule closes that gap by mandating validated self-assessments and third-party assessments before award decisions.
The stakes are enormous. Malicious cyber activity cost the United States economy up to 109 billion dollars in 2016. In 2021 alone, ransomware caused 886 million dollars in reported losses. Without enforced standards, the Defense Industrial Base has remained one of the most lucrative targets for adversaries.
The Scale And The Stakes
There are more than 41,600 defense contractors in the United States, yet fewer than 4 percent are currently prepared for certification. The Defense Contract Management Agency oversees more than 300,000 contracts worth more than 7.5 trillion dollars, covering over 18,000 contractor locations worldwide. Noncompliance is not a minor risk. It could mean exclusion from a market worth trillions of dollars.
The False Claims Act Risk
The risks of misrepresentation extend beyond lost revenue. The False Claims Act allows the Department of Justice to impose treble damages and significant penalties on companies that knowingly misstate compliance. A false score in the Supplier Performance Risk System or an inaccurate affirmation of compliance can qualify as a false claim.
The precedent has already been set. In 2022, Aerojet Rocketdyne agreed to pay 9 million dollars to settle allegations that it misrepresented cybersecurity compliance on defense and NASA contracts. The case, brought by a whistleblower, showed that cybersecurity misrepresentation would be treated as fraud against the government. With CMMC now codified in the Defense Federal Acquisition Regulation Supplement, the stakes are higher than ever.
Assessment Versus Audit
To be clear, the DoW does not call these audits. The official language is self-assessments and third-party assessments, conducted by accredited assessors. An audit suggests a paperwork review. An assessment goes further. It evaluates whether the contractor has implemented the required security controls and whether those controls are operating effectively. At Level 2, this means demonstrating compliance with all 110 controls in NIST 800-171. Treating this as paperwork will end in failure. Preparing systems, processes and evidence for a full assessment is the only path to success.
The Common Mistake
Too often, contractors panic and try to schedule a third-party assessment before they are ready. That nearly always backfires. An assessment will not paper over gaps. Preparation means closing weaknesses, aligning processes and documenting compliance before inviting in an assessor. Companies that build a defensible program succeed. Those that rush fail.
This rule is not about passing a single assessment. It is about creating an enduring cybersecurity program that can withstand both government scrutiny and real-world threats. Companies that view compliance as a one-time project will soon fall behind. Those that integrate continuous compliance into operations will be positioned to win and retain contracts for years to come.
Who Will Be Next
As in so many other areas, the DoW is the first to hardwire cybersecurity certification into contracts, but it will not be the last. Other agencies that oversee critical infrastructure and sensitive data, such as the Department of Energy, the Department of Transportation and the Department of Homeland Security, are watching closely. Each has cyber requirements in place today, but none as structured or comprehensive as CMMC. The key question is whether they will adopt CMMC directly, develop parallel frameworks, or rebrand under their own standards. What is clear is that continuous, verified compliance is here to stay, and other sectors of government contracting will almost certainly follow.
The Countdown Begins: 48 CFR Final Rule Brings CMMC Into Defense Contracts
The release of this rule is the culmination of years of warnings. Secretary Hegseth has described it as a national defense imperative. Katie Arrington, who is currently performing the duties of Department of War Chief Information Officer, has consistently underscored the vulnerabilities of the supply chain. On November 10, compliance will begin to determine who wins contracts and who is left out.
The Department of War title may still be secondary, but its meaning is clear. America is no longer just defending in cyberspace. It is going to war. The countdown has begun and contractors who fail to act are gambling not only with their government revenue but with the security of the nation’s defense supply chain.