OIRA Completes its Review of the DFARS CMMC Proposed Rule: Is Your Company CMMC Certified, or Will It be Excluded from Future Awards?

Husch Blackwell LLP

Key point: CMMC took another step towards reality, with OIRA clearing for publication the DFARS proposed rule that will add CMMC requirements as a condition of award for new contracts.

What happened: On August 25, 2025, the Office of Management and Budget’s Office of Information and Regulatory Affairs (OIRA) completed its review of the DoD’s proposed rule Assessing Contractor Implementation of Cybersecurity Requirements. The proposed rule would amend the DFARS and incorporate the Cybersecurity Maturity Model Certification (CMMC) requirements into new solicitations. OIRA reviews often take 60–90 days, but in this case, the proposed rule was approved in just over 30 days. The speed at which OIRA approved the proposed rule demonstrates the Executive Branch’s prioritization of cybersecurity in the areas of critical infrastructure and national defense.

Next steps: The DFARS rule will now be published in the Federal Register, triggering the first phase of CMMC contractual compliance for DoD contractors and subcontractors. Publication typically takes 1–3 weeks, and we expect the DFARS rule to become effective within the next 60 days. However, since the CMMC program has been in effect since December 2024, it is entirely possible that the DFARS rule will go into effect immediately upon publication.

Practical takeaways: When the final rule goes into effect, CMMC compliance will be a condition of award for DoD solicitations that involve federal contract information (FCI) or controlled unclassified information (CUI). If not already completed, prime contractors, subcontractors, and DoD suppliers will need to complete either a CMMC Level 1 self-assessment or a Level 2 assessment—possibly a Level 2 self-assessment, but more likely a third-party Level 2 certification. Once complete, senior company officials for each of these entities will need to submit an annual compliance affirmation via the Supplier Performance Risk System.

Since there is already a bottleneck for scheduling third-party Level 2 certifications with an approved CMMC Third Party Assessment Organization (C3PAO), contractors, subcontractors, and suppliers who thought CMMC would never come to fruition are now at a competitive disadvantage. These organizations should immediately review their cybersecurity procedures and policies against the CMMC Level 1 and Level 2 assessment guides, complete a Level 1 self-assessment if needed, and ensure all required documentation for a third-party assessment is ready for review. Advance preparation will be critical, as the deadline for compliance is rapidly approaching.

Bottom line: OIRA’s approval signals the end of the hypothetical era for CMMC and the onset of tangible requirements. The next two months will set the tone for enforcement and shape the future of cybersecurity in the defense supply chain.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Husch Blackwell LLP
