For contractors within the Defense Industrial Base (DIB), the time to ensure compliance with the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification program (CMMC) 2.0 is now. DOD formally sent the final 48 CFR CMMC rule to the Office of Information and Regulatory Affairs (OIRA) for review on July 22, 2025. This is an important step in the rulemaking process that is expected to culminate with CMMC security requirements being inserted in defense contracts at some point in the fall of 2025.
Overview of the 48 CFR CMMC Rule
As background, two regulations govern the CMMC program: 32 CFR Part 170 and 48 CFR Parts 204, 212, 217, and 252:
- 32 CFR Part 170: This regulation sets forth the parameters and obligations of the CMMC Program, such as roles, levels, requirements, policies, waivers, assessments, and so forth. 32 CFR Part 170 has been in effect since December 2024.
- 48 CFR Parts 204, 212, 217, and 252: This set of regulations formally implements CMMC acquisition policy and establishes standardized contract language.
The program features a three-tiered set of “CMMC level requirements” focused on organizational maturity levels. Each level contains its own set of specific compliance requirements:
- CMMC Level 1 (i.e., the FCI Level): Level 1 generally applies to defense contractors and subcontractors who receive only Federal Contract Information (FCI) rather than Controlled Unclassified Information (CUI). It requires the 15 basic safeguarding requirements of FAR 52.204-21 and is verified by an annual self-assessment, with results entered in the Supplier Performance Risk System (SPRS).
- CMMC Level 2 (i.e., the CUI Level): Level 2 generally applies to defense contractors and subcontractors who process, store, or transmit CUI within the scope of their DOD contracts. At CMMC Level 2, contractors and subcontractors must implement all 110 security requirements of NIST SP 800-171 (Revision 2, the version the rule incorporates), which also encompass the Level 1 requirements. Depending on the solicitation, Level 2 is verified either by a self-assessment or by a certification assessment performed by a C3PAO; in both cases the assessment is valid for three years and must be backed by an annual affirmation.
- CMMC Level 3 (i.e., the “sensitive” CUI Level): Expected to apply only to a limited number of contractors tasked with managing CUI associated with DOD’s most critical program technologies, Level 3 requires meeting all Level 1 and Level 2 security requirements, in addition to 24 additional security requirements selected from NIST SP 800-172.
In addition, where a solicitation calls for Level 2 certification (as opposed to Level 2 self-assessment), the contractor must undergo a third-party assessment conducted by a CMMC Third Party Assessor Organization (C3PAO). Level 3 is not assessed by a C3PAO: it requires a current Level 2 C3PAO certification as a prerequisite, after which the additional NIST SP 800-172 requirements are assessed by the government’s Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
For context, C3PAOs are organizations authorized and accredited by the CMMC Accreditation Body (now operating as The Cyber AB) to conduct certification assessments of a defense contractor’s implementation of the CMMC security requirements. A C3PAO assessment evaluates each requirement within the assessment scope as MET, NOT MET, or NOT APPLICABLE and reports the result to DOD; it does not fix what it finds. C3PAOs are barred from consulting for or remediating the same organization they assess, so identifying gaps and implementing the necessary controls is the contractor’s job (with help from a separate consultant, if desired) and must be done before the assessment begins.
Projected Timeline for Finalizing the 48 CFR CMMC Rule
As mentioned, the 48 CFR CMMC rule is currently with OIRA for regulatory review. Under Executive Order 12866, OIRA generally has 90 days to complete its review, extendable once by up to 30 days. Once OIRA clears the rule, it moves to the Federal Register for final publication, which usually takes between one and three weeks. The rule then takes effect on the date stated in the published notice, and from that point CMMC becomes an enforceable contract requirement wherever the clause is included in a solicitation or contract.
Impact of 48 CFR CMMC Rule on Defense Contracts
It is important to note that the 48 CFR rule does not have an impact on the CMMC’s core security requirements (they are contained within 32 CFR Part 170). Rather, the impact of the 48 CFR rule will be within the contract drafting process. Specifically, the 48 CFR rule will require the insertion of the DFARS 252.204-7021 clause into defense contracts and obligate contracting officers to include CMMC language in solicitations. Other notable aspects of the 48 CFR CMMC rule include:
- CMMC Requirements Flow Down to All Tiers of Subcontractors: One of the most critical aspects of the 48 CFR rule is the mandatory flow-down of CMMC requirements to subcontractors at every tier. If a subcontractor will process, store, or transmit FCI or CUI in performance of the contract, the prime (or higher-tier subcontractor) must flow down the CMMC level appropriate to the information that subcontractor will handle: a subcontractor that receives only FCI needs only Level 1, while one that receives CUI needs at least Level 2. This establishes a consistent cybersecurity standard across the entire supply chain, and it means primes must confirm a subcontractor’s CMMC status before awarding the subcontract.
- Continual Compliance Requirements: Once the 48 CFR CMMC rule is in place, contractors and subcontractors must maintain the requisite CMMC level throughout the duration of the contract. To demonstrate this, contractors will be obligated to provide the DOD unique identifiers (UIDs) of every information system that will store, process, or transmit FCI or CUI during contract performance, and to affirm continued compliance annually. For context, a UID is an alphanumeric identifier assigned to each contractor information system that is certified or self-assessed, so that the government can tie a contract to the specific systems and assessment results that cover it.
- Senior Official Affirmations: The required affirmation of compliance must be completed by a senior company official (the “Affirming Official”), who attests, at the time of assessment and annually thereafter, that the organization’s self-assessment or certification remains current and that the covered systems continue to meet the CMMC security requirements. Because an inaccurate affirmation is the kind of false statement the Department of Justice has pursued under the False Claims Act, the official should be able to back the attestation with evidence.
- Notice of System Modifications: Once the 48 CFR CMMC rule is in place, contractors will be required to notify the contracting officer when the systems that process, store, or transmit CUI change during performance of the contract (for example, when a new or rebuilt system is brought into the CMMC assessment scope). The notice includes the DoD UIDs for any new or updated systems, so the government can confirm that the systems in use remain covered by a current assessment.
- Applicability Across DoD Contracts: After a three-year phase-in period, defense contractor compliance with CMMC will be a formal requirement for all DoD solicitations and contracts, including those involving commercial products or services. The rule does not reach contracts solely for commercially available off-the-shelf (COTS) items or acquisitions at or below the micro-purchase threshold, which both CMMC rules exclude.
How Contractors Can Prepare for Compliance
Defense contractors and subcontractors must take proactive steps to strengthen their CMMC compliance posture. Failing to meet the security requirements set forth in the CMMC, or taking a lax approach to cybersecurity, will only increase an organization’s legal risk. For example, the Department of Justice, through its Civil Cyber-Fraud Initiative, recently reached sizable settlements with multiple defense contractors over allegations that the organizations “failed to implement required cybersecurity controls” on systems that were used to perform work on certain defense contracts.
To strengthen your organization’s compliance posture, consider taking these actions:
- Identify the CMMC level that your contracts will require: FCI only points to Level 1; any CUI points to Level 2; CUI tied to DOD’s most critical programs may require Level 3.
- Identify where FCI and CUI are processed, stored, and transmitted within your environment, including cloud services and managed service providers, since this defines the assessment scope and the systems that will need UIDs.
- Conduct a gap assessment against the security requirements for that level (all 110 requirements of NIST SP 800-171 for Level 2) to determine the current state of your organization’s compliance.
- Document the gaps that must be remediated before a formal assessment. A Level 2 assessment can still result in a conditional certification with a limited Plan of Action and Milestones (POA&M), but only if the score is at least 88 of 110, only for requirements the rule permits on a POA&M, and only if the POA&M is closed within 180 days; plan to remediate everything else first.
- Develop a roadmap, with owners and target dates, for addressing the identified gaps.
- Develop CMMC program documentation, which typically includes:
  - System security plan
  - Incident response plan
  - Shared responsibility matrix (covering cloud and other external service providers)
  - Other cybersecurity policies, procedures, and standards