How New CMMC Requirements Impact SOFGSD and Other RFPs

On September 12, 2025, the government issued a notice for the Special Operations Forces (SOF) Global Services Delivery (SOFGSD) request for proposal, indicating that offerors must pass a CMMC (Cybersecurity Maturity Model Certification) pass/fail requirement as a qualifying criterion for a contract award. In addition, it indicated that all identified team members must meet with the “CMMC Level 1” at the time of proposal submission or risk disqualification.

The SOFGDS RFP notice is an alert to GovCon Defense Industrial Base (DIB) members to obtain CMMC certification if they wish to conduct business with the Department of Defense (DOD) in the future. DOD estimates that 28,164 prime contractors will be affected annually. With an average of two offers per RFP and five subcontractors per offer, the total number of unique entities involved rises to 337,920, of which 68% are small businesses. This blog provides an overview of the CMMC, the pathways to certification, and its impact on proposals.

CMMC Overview

DOD established the CMMC to enhance protection for sensitive government data. With cyberattacks targeting the DIB, the Department must ensure that both prime contractors and subcontractors safeguard information to the same standard. DOD established three primary certification levels:

• Level 1 (Foundational): Requires basic safeguarding of Federal Contract Information (FCI) through 17 practices, such as multi-factor authentication and access control.
• Level 2 (Advanced): Applies to contractors handling Controlled Unclassified Information (CUI) and aligns with NIST SP 800-171. It requires the implementation of 110 practices and typically a third-party assessment.
• Level 3 (Expert): Reserved for the most sensitive programs subject to advanced persistent threats (APTs). These assessments are led by the DOD and built on Level 2 requirements with additional controls.

Pathways to CMMC

The path to CMMC certification depends on the level of sensitivity of the information your company handles, with options ranging from self-certification to third-party and government-led assessments.

• Level 1 Self-Certification: Companies can conduct a self-assessment and submit a senior official’s affirmation of compliance in the Supplier Performance Risk System (SPRS).
• Level 2 Certification (Self or C3PAO): Requires a self or an independent assessment performed by an accredited CMMC Third Party Assessment Organization (C3PAO), authorized by the Cyber Accreditation Body (AB).
• Level 3 Certification: Conducted directly by the DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

New CMMC Ruling Summary

The SOFGSD evaluation criteria change was motivated by the September 10, 2025 change to the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041). The rule will take effect on November 10, 2025, and will follow a phased implementation approach over the next four years.

As summarized in the ruling,

• Offerors/contractors must post the results of a CMMC Level 1 or Level 2 self-assessment to SPRS prior to award, the exercise of an option, or the extension of a period of performance, if not already posted.
• Contractors must maintain the required CMMC status for the life of the contract.
• An Affirming Official must complete an affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in the Supplier Performance Risk System (SPRS) for each CMMC:
  • UID (unique identifier) applicable to each of the contractor information systems that will process, store, or transmit
  
  
  • FCI (federal contract information)
  
  
  • CUI (controlled unclassified information)

that will be used in performance of the contract on an annual basis, or when CMMC compliance status changes occur.

• Contractors must fulfill the requirement to identify the contractor information systems that will be used to process, store, or transmit FCI or CUI in performance of the contract prior to award, exercise of an option, or extension of any period of performance. They will provide the government with the CMMC UIDs generated by the SPRS store or transmit FCI or CUI in performance of the contract, prior to award, exercise of an option, or extension of any period of performance, by providing the government with the CMMC UIDs generated by the SPRS store.

CMMC Ruling Phase-In Period

This final DFARS rule will impact certain contracts during a phased-in, three-year implementation period. Afterwards, the requirements will apply to all contracts for which the contractor processes, stores, or transmits FCI or CUI on contractor information systems during the performance of the contract (except for contracts solely for the acquisition of commercial off-the-shelf (COTS) items).

For the first three years, the information collection requirements will only impact an offeror or contractor when the solicitation or contract requires an offeror or contractor to have a specific CMMC level, based on a phased implementation plan, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts solely for the acquisition of COTS items.

By the fourth year, the information collection requirements in the solicitation provision and contract clause will impact solicitations and contracts, task orders, or delivery orders, including those using FAR Part 12 procedures for the acquisition of commercial products and commercial services, when there will be a requirement under the contract to process, store, or transmit FCI or CUI, except for solicitations and contracts, task orders, or delivery orders solely for the acquisition of COTS items.

Conclusion

The SOFGSD RFP is an early signal that CMMC is no longer on the horizon—it is here. With the new DFARS rule taking effect in November 2025 and a phased rollout over the next three years, contractors and subcontractors must be prepared to demonstrate compliance as a pass/fail requirement. Companies that delay certification risk being excluded from DOD opportunities, while those that act promptly will position themselves as reliable partners in a more secure defense supply chain. At Lohfeld Consulting, we help contractors interpret evolving regulations, such as CMMC, and develop winning proposals that meet compliance requirements. Contact us today to align with CMMC standards and prepare your team to compete and succeed under the new regulation.

By Brenda Crist, Vice President at Lohfeld Consulting Group, MPA, CPP APMP Fellow

Lohfeld Consulting Group has proven results specializing in helping companies create winning captures and proposals. As the premier capture and proposal services consulting firm focused exclusively on government markets, we provide expert assistance to government contractors in Capture Planning and Strategy, Proposal Management and Writing, Capture and Proposal Process and Infrastructure, and Training. In the last 3 years, we’ve supported over 550 proposals winning more than $170B for our clients—including the Top 10 government contractors. Lohfeld Consulting Group is your “go-to” capture and proposal source! Start winning by contacting us at www.lohfeldconsulting.com and join us on LinkedIn, Facebook, and YouTube^(TM).