48 CFR Rule Hits OIRA Review as DoD Signals "No Question" About Implementation
August 12th, 2025
The moment Defense Industrial Base (DIB) contractors have been waiting for—and perhaps dreading—is finally here. The Cybersecurity Maturity Model Certification (CMMC) is about to become reality. There is no more time for "wait and see."
The Big Milestone: 48 CFR Rule in Final Review
On July 22, 2025, DoD took one of the last steps required to put CMMC requirements into future contracts: formally submitting the final 48 CFR rule to the Office of Information and Regulatory Affairs (OIRA). This rule is the missing piece that empowers contracting officers to insert DFARS 252.204-7021—the CMMC clause—into every new DoD solicitation and contract.
Once OIRA review is complete (typically within 90 days), and based on the current classification of the 48 CFR rule as neither a major rule nor economically significant, it could be published in the Federal Register and become effective immediately—no 60-day waiting period. That means CMMC requirements could start appearing in contracts as early as October 2025. With delays it could take until February 2026, but considering the recent activity that doesn't seem likely.
Historic First: Secretary of Defense Publicly Endorses CMMC
For the first time ever, a statement from the Secretary of Defense in a Memorandum for Senior Pentagon Leadership from July 18th, 2025 mentioned and endorsed CMMC:
“[…] the Department will fortify existing programs and processes utilized within the Defense Industrial Base (DIB) to ensure that adversarial foreign influence is appropriately eliminated or mitigated […]. Specifically, the DoD CIO will leverage efforts such as the Cybersecurity Maturity Model Certification, […].”
This marks a significant shift from internal policy discussions to official endorsement, underscoring the program's legitimacy and long-term presence in the defense industrial base.
What This Means for Defense Contractors Right Now
Mandatory Compliance is Coming
- DFARS 252.204-7021 will require CMMC certification (or self-attestation during the initial roll-out phase and depending on contract type) before contract award
- The rule could become effective upon publication—no long grace period
- Both self-assessment requirements and certified audits by C3PAOs will begin appearing in solicitations
The Specifics of the Level 2 Requirements
- Self-attestation requires implementation of at least 80% of the 110 NIST SP 800-171 Rev 2 controls – which translates to 88 controls
- Any remaining deficiencies must be closed within 180 days
- Third-party certification via C3PAOs will be the standard expectation for CUI contracts after the initial roll-out phase of 6-12 months.
Critical Misunderstanding: Waivers Are Contract-Specific, Not Company-Wide
A key detail contractors often get wrong: waivers or exceptions to CMMC will NOT be granted at the company level. The DoD has made it clear that waivers will be issued only at the contract level, only for a very small percentage (2%), and only when a specific mission need justifies it. This means:
- You cannot expect a blanket exception for your company
- Even if one program office grants a waiver, another solicitation may still require full CMMC compliance
- Contractors should assume compliance is mandatory across the board unless explicitly told otherwise by the contracting officer for a specific contract
Your Action Plan: No More Delays
The October 2025 timeline gives contractors a clear but short runway. Here's what you need to do now:
- Start or accelerate your CMMC Level 2 readiness plan today. Even if you have performed a self-assessment for NIST SP 800-171 and submitted your score to SPRS: get a 3rd party assessment that will give you an accurate status of your implementation! Expect your score to drop by ~100 points.
- Ensure your scope is correct. One of the biggest issues we see: proper scoping of the CUI environment. If you need help, reach out.
- Finalize your NIST SP 800-171 implementation. Don't assume you'll get a waiver, because 98% won't. If you are stuck, get help!
- Prepare for third-party assessments. If you are handling Controlled Unclassified Information (CUI), you are looking at CMMC Level 2 requirements. If you think you meet all 110 controls (and 320 assessment objectives!), engage with a 3rd party to confirm.
- Engage stakeholders across your business. Executive support is probably the most important factor for a successful certification. This transition to CMMC will affect procurement, compliance, HR, and operations. This is not just an IT problem – it impacts business workflows and processes as well.
Key CMMC Timeline at a Glance
- October 2024: CMMC Program established via 32 CFR Part 170
- July 22, 2025: 48 CFR Rule submitted to OIRA
- As early as October 2025: CMMC clause expected in new DoD solicitations
The final rule signals the definitive end of delays. CMMC will soon be embedded in new DoD contracts, and compliance is about to become the price of admission to the Defense Industrial Base.
The question is no longer "if" but "when"—and that when is likely just weeks away.
To discuss your organization’s specific cybersecurity & compliance needs, or simply to learn more about DFARS, NIST SP 800-171, and CMMC requirements, contact us for a 30-minute consultation. Let’s make sure you don’t miss out on new contract awards.