Last week, our colleagues Erik Dullea and Luis Hidalgo, writing for the Byte Back blog, reminded us all that the Department of Defense (DoD) is set to implement new cybersecurity requirements for contractors. Beginning November 10, 2025, DoD contracting officers will begin adding Cybersecurity Maturity Model Certification (CMMC) requirements to solicitations, and contracting officers “shall not award a contract, task order, or delivery order to a [contractor] that does not have a current CMMC status at the CMMC level required by the solicitation.”

These requirements potentially impact a wide array of businesses, including prime contractors and the myriad subcontractors subject to flow-down provisions. All enterprises doing business with the government—directly or indirectly as lower-tier subcontractors—should review the new requirements and anticipate prime contractors adding the requirements to future business agreements.