On September 10, 2025, the Department of Defense (As all the documents we address use the Department of Defense naming, we will go by that to prevent confusion.) (DoD) implemented the acquisition rules for the Cybersecurity Maturity Model Certification program at DFARS subpart 204.75. This follows the federal government’s institution of the CMMC program last year (We explored this a bit with a review of the proposed rules some time before that and noted that initial rules have been in place since 2020.) These rules are present at 32 C.F.R. Part 170. Despite these rules having now been in place for a little while, the scope and complexity of the CMMC program can nonetheless be daunting for contractors to deal with. In this first in a series of posts, we will explore the basics of the CMMC program and what it means for you.