CMMC Title 48 DFARS Rule Heads to Final Review – Compliance Deadlines Are Now In Sight for DoD Suppliers
Key Takeaways
- CMMC Rule Final Stage: The DoD’s rule making CMMC mandatory in defense contracts is under final review, with publication expected by late 2025.
- Effective October 1, 2025: CMMC will be required in all applicable DoD contracts starting October 1, 2025.
- Who Must Comply: Contracts involving FCI or CUI must have valid CMMC certification or a self-assessment posted in SPRS.
- Act Now: Around 80,000 companies will need Level 2 certification, but only 76 certified assessors are currently available.
- Assessment Support Available: McKonly & Asbury, a certified C3PAO, offers mock and official assessments—early scheduling is recommended.
The Department of Defense (DoD) is in the final stages of making Cybersecurity Maturity Model Certification (CMMC) a formal requirement in defense contracts. As of July 22, 2025, the proposed DFARS rule (DFARS Case 2019-D041), which mandates the inclusion of CMMC in contracts, was received by the Office of Information and Regulatory Affairs (OIRA) for review. This is the final regulatory step before publication. Once OIRA approves the rule, DoD will publish it in the Federal Register—making its implementation all but certain, likely by the end of 2025.
To put this in context: the pending DFARS rule works alongside 32 CFR Part 170, which went into effect in December 2024, establishing CMMC certification as a contractual requirement. This new DFARS clause is the mechanism that will embed CMMC into DoD contract language.
What to Expect Next
Currently, any solicitation that includes a CMMC requirement before October 1, 2025, must be specifically approved by senior DoD leadership—a built-in “stoplight” to control early adoption. However, beginning October 1, 2025, the new DFARS clause (252.204-7021) becomes mandatory in all applicable defense contracts.
In practical terms, any contract involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will be required to include CMMC certification. Contracting officers will use the DoD’s Supplier Performance Risk System (SPRS) to verify that contractors have either a valid CMMC certificate or a self-assessment posted for each covered information system.
What This Means for Contractors
Now that the rule is under OIRA review, its finalization is imminent. In June, Stacy Bostjanick, Chief of Defense Industrial Base Cybersecurity in the DoD CIO’s office, confirmed that DoD was completing final edits and expected the rule to be published “later this summer.” The July 22 OIRA entry confirms that timeline is on track.
Once the final rule is published in the Federal Register, it will outline official effective dates. However, defense contractors should plan for CMMC clauses to begin appearing in solicitations as early as late 2025. While DoD plans a phased rollout, the direction is clear—CMMC requirements are coming.
What Contractors Should Do Now
CMMC compliance should be treated as a near-term priority. The DoD estimates that approximately 80,000 companies in the Defense Industrial Base will need CMMC Level 2 certification, yet as of July 24, 2025, only 76 certified Third-Party Assessment Organizations (C3PAOs) are authorized to perform these assessments.
McKonly & Asbury is a certified CMMC C3PAO, offering both mock assessments and formal certification assessments. We strongly encourage contractors to schedule their assessments early. Demand will spike once the rule is in effect, and getting on the schedule in advance is the best way to stay compliant and competitive when CMMC becomes a contractual requirement.
To learn more about CMMC, be sure to visit our CMMC page, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA, CCSFP, CHQP, CCA regarding our services.
Sources:
- Official OIRA regulatory agenda: reginfo.gov
- DoD/Federal Register publications: federalregister.gov
About the Author

Mike joined McKonly & Asbury in 2022 and is currently a Supervisor with the firm. He is a member of the firm’s Internal Audit Segment, servicing clients in government and commercial segments. Mike is also one of the founding members of our CMMC C3PAO assessment team.