Cybersecurity Maturity Model Certification (CMMC) Program Implementation UPDATE #2

The U.S. Army Corps of Engineers (USACE) issued a special notice updating the Cybersecurity Maturity Model Certification (CMMC) 2.0 program implementation. This update follows the DoD's final CMMC rule published on September 10, 2025, which amends the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate CMMC requirements. The rule introduces new pre-award solicitation provisions and revises post-award contract clauses. CMMC will be implemented in four phases, starting November 10, 2025, and concluding November 10, 2028. The program mandates specific cybersecurity maturity levels for organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), aligning with NIST SP 800-171. Contractors are advised to align their cybersecurity posture, use the Procurement Integrated Enterprise Environment (PIEE) for self-assessment scores, monitor official updates, and report cyber incidents within 72 hours. This notice is for informational purposes only and does not impose new requirements.

The U.S. Army Corps of Engineers (USACE) issued a special notice regarding the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, finalized by the Department of Defense (DoD) on December 16, 2024. CMMC 2.0 will require DoD contractors and government organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to achieve specific cybersecurity maturity levels. USACE and its Defense Industrial Base (DIB) contractors must comply with these requirements upon publication of the final Defense Federal Acquisition Regulations Supplement (DFARS) rule. Several DFARS cases related to CMMC are pending, with report due dates extended into late 2025. USACE will not include the CMMC DFARS clause in new solicitations or contracts until the new rule is published. Contractors are advised to align their cybersecurity posture with NIST SP 800-171 controls, post self-assessment scores in the Supplier Performance Risk System (SPRS), report cyber incidents, and monitor official updates. This notice is for informational purposes only and does not impose new requirements, as CMMC 2.0 becomes enforceable only upon publication of the final DFARS rule.