CMMC on the Horizon: 48 CFR Finalization Signals October 2025 Contract Integration

As the Department of Defense (DoD) moves closer to making the Cybersecurity Maturity Model Certification (CMMC) a standard for defense contracts, the finalization of the 48 CFR rule stands out as a pivotal moment. On July 22, 2025, the DoD took an important step by submitting this final rule to the Office of Information and Regulatory Affairs (OIRA), which signals that CMMC requirements could soon become a routine part of new contracts—possibly as early as October 2025. For defense contractors, this means the clock is ticking and now is the time to get ready for a higher bar in cybersecurity within the defense industrial base (DIB). This guide breaks down what the 48 CFR rule means, outlines the upcoming timeline for CMMC integration, explains the structure of the program, and offers practical advice for contractors to reach compliance before the deadline arrives.

The Significance of the 48 CFR Rule

The 48 CFR rule, covering Parts 204, 212, 217, and 252, is at the heart of rolling out the CMMC program. Simply put, this rule sets the official policies and contract language that will make cybersecurity requirements a built-in part of doing business with the Department of Defense. Through this rule, the DFARS clause 252.204-7021 comes into play, requiring contractors to meet CMMC standards whenever they handle sensitive information. This is a companion to the 32 CFR Part 170 regulation, which kicked in back in December 2024 and spells out how the CMMC program works—from its policies and certification levels to who does the assessments.

By submitting the 48 CFR rule to OIRA on July 22, 2025, the DoD has moved to within one step of making CMMC mandatory in defense contracts. OIRA will take between 90 and 120 days to review the rule. Once the review wraps up and the rule is published in the Federal Register, it’s expected to take effect right away—usually within just a week or two. That means CMMC clauses could start showing up in contracts as soon as October 2025, although if there are any last-minute delays, the latest expected date is February 2026.

This final push to lock in the 48 CFR rule is a clear sign the DoD is serious about raising the bar for cybersecurity across all its suppliers. For companies hoping to win defense contracts, the message is loud and clear: now is the time to get ready. Soon, proving your CMMC compliance won’t just be an advantage, it’ll be essential to even be considered for DoD opportunities, as cybersecurity becomes a non-negotiable part of the process.

CMMC in Contracts: A Timeline and Expectations

The integration of CMMC into DoD contracts is a structured process with clear milestones. As of October 1, 2025, contracting officers will have the discretion to include CMMC requirements in solicitations and contracts, particularly for those requiring specific certification levels. This applies to all contract types except commercial off-the-shelf (COTS) acquisitions. For contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), compliance with CMMC Level 1, 2, or 3 will be mandatory, depending on the sensitivity of the data involved. By late October 2025, the inclusion of CMMC clauses is expected to become standard practice, marking the start of a four-phase rollout plan designed to introduce compliance requirements gradually across the DIB.

Key Timeline Milestones

  • July 22, 2025: The DoD submits the final 48 CFR rule to OIRA for review, initiating a 90–120-day evaluation period.
  • October 2025 (Most Likely Scenario): Following OIRA approval and Federal Register publication, CMMC clauses begin appearing in contracts, with contracting officers exercising discretion to include requirements based on the statement of work.
  • February 2026 (Conservative Scenario): In the event of delays, CMMC requirements become mandatory in all applicable contracts by this date.
  • Ongoing Rollout: The DoD’s four-phase implementation plan will gradually expand CMMC requirements across all relevant contracts, ensuring a comprehensive adoption by the DIB.

The discretion granted to contracting officers before October 1, 2025, allows for early adoption of CMMC clauses, particularly for contracts requiring heightened cybersecurity measures. However, any pre-October inclusion must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. After October 1, 2025, such approvals will no longer be required, making CMMC clauses a standard component of applicable contracts.

Impact on Contractors

The upcoming addition of CMMC requirements in DoD contracts means contractors need to act now because waiting until the last minute simply isn’t an option. With the average Procurement Administrative Lead Time (PALT) clocking in at just 32 days, there’s not enough room to get compliant after a contract hits the street. From October 2025 on, anyone hoping to bid on DoD contracts must already meet the correct CMMC level. That could mean lining up third-party assessments for Level 2 through Certified Third-Party Assessment Organizations (C3PAOs), or undergoing DoD-led assessments for Level 3. Delaying preparation puts contractors at real risk of missing out, since waivers won’t be granted at the last minute—they’re determined ahead of time at the acquisition level.

Understanding the CMMC Framework

CMMC was created in 2020 to help keep sensitive information safe across the Defense Industrial Base. At its core, it’s a way to make sure everyone who works with the Department of Defense is following the same rules to keep data secure. There are two main types of information that CMMC focuses on:

  • Federal Contract Information (FCI): This is data that’s shared with contractors but isn’t meant for the public.
  • Controlled Unclassified Information (CUI): This is a step up—information that isn’t classified but does need to be protected and handled with care.

CMMC breaks down its requirements into three different levels, depending on how sensitive the information is:

  • Level 1: Basic cybersecurity steps to keep FCI safe. There are 17 controls, and companies can usually check themselves to make sure they’re compliant.
  • Level 2: This covers CUI and asks for stronger protection, 110 controls in all. Depending on the contract, you might need an outside organization to verify that you’re meeting the standards.
  • Level 3: For the most sensitive cases, companies need advanced cybersecurity measures, and the DoD itself will conduct assessments.

Getting certified isn’t a one-and-done deal. Contractors must reaffirm their compliance every year to prove they’re sticking with the right security practices. This ongoing effort is designed to keep the DoD’s supply chain resilient and safe from emerging threats.

Evolution of CMMC: From 1.0 to 2.0

CMMC hasn’t stood still since it was first introduced. The original version, CMMC 1.0, was met with pushback from smaller contractors, who found its five levels confusing and costly to implement. To address these concerns, the Department of Defense rolled out CMMC 2.0 in 2021. This updated version made things simpler by cutting the framework down to three levels, aiming to make compliance less overwhelming for small and medium-sized businesses, but without sacrificing the strong security protections the DoD requires.

Still, many in the industry worry about the resources needed to stay compliant, especially for smaller companies. The DoD, however, has made it clear that cybersecurity is a top priority. The finalization of the 48 CFR rule only underscores how serious they are about keeping sensitive information safe—and that’s not changing anytime soon.

Why Immediate Action Is Essential

The finalization of the 48 CFR rule makes it clear: CMMC isn’t just something to think about for the future—it’s happening now. If contractors aren’t getting ready, they’re risking their chance to work with the DoD, since being CMMC-compliant will soon be required just to bid on contracts after October 2025. Getting ready for CMMC, especially Level 2 certification, is a lengthy process—it usually takes anywhere from 9 to 12 months to put all the NIST SP 800-171 controls in place, check compliance, and pass a C3PAO assessment. That means starting now is essential for anyone wanting to meet the October 2025 deadline.

Why You Can’t Afford to Wait

Putting off CMMC preparation is a risky bet. There’s simply not enough time to wait for formal solicitations before starting, and the big defense companies, like Lockheed Martin, are already pushing their suppliers to get ready and highlighting how urgent this really is. Missing compliance doesn’t just mean losing out on contracts—it could also make your company a target, since complaints about CMMC’s complexity could be seen as signs of weak cybersecurity.

Experts in the industry stress starting early. Cybersecurity leaders agree: waiting for the final Federal Register release is a dangerous move, because the runway for compliance is already short. The DoD has made it clear—if you’re not compliant, you’re out. Public grumbling about requirements is seen as admitting your company isn’t ready, which can hurt your reputation and chances in the defense world.

Don’t Count on Waivers

Some companies might be hoping for an easy out through waivers, but that’s just not how it works. Waivers are determined ahead of time at the acquisition level, and they aren’t handed out to subcontractors or late bidders. Banking on a waiver isn’t a strategy—it’s a risk. The only way forward is to start planning and investing in cybersecurity now to make sure you’ll be ready when CMMC becomes a requirement.

Steps to Achieve CMMC Compliance

With the October 2025 deadline approaching, contractors need a clear, organized plan to get ready for CMMC. Here’s a practical roadmap to help you prepare, certify, and stay compliant:

  1. Review Where You Stand Today
    Start with a gap analysis to see how your current cybersecurity setup compares to the NIST SP 800-171 controls that underpin CMMC Level 2. Look for weak spots—like access control, incident response, or data encryption—that need attention. This will give you a clear picture of what needs to be fixed or improved.
  2. Build Your Action Plan
    Create a step-by-step plan to close those gaps. That might mean upgrading your IT systems, adding multi-factor authentication, tightening network security, or creating better incident response procedures. Assign a budget, set timelines, and make sure you have the right people involved. If you don’t have in-house expertise, consider bringing in outside cybersecurity pros.
  3. Schedule Your C3PAO Assessment Early
    If your contracts require CMMC Level 2 (especially if you handle CUI), you’ll likely need an assessment from a Certified Third-Party Assessment Organization (C3PAO). Book your spot early—demand will spike as the deadline nears. Work closely with your assessor to ensure all controls are met and your documentation is complete.
  4. Train Your Team and Make Cybersecurity Part of the Culture
    Your people are your first line of defense. Train them on spotting phishing emails, protecting sensitive data, and following access rules. Keep cybersecurity top-of-mind by weaving it into everyday work and making it clear that it’s vital to the company’s success.
  5. Keep Compliance Going
    Once you’re certified, the work isn’t over. Run regular internal audits, keep detailed records, and be ready for your annual affirmation. Stay up to date with changes to CMMC and NIST requirements so you can adjust quickly.
  6. Use Outside Help When Needed
    If resources are tight, partnering with cybersecurity firms or experienced C3PAOs can make a big difference. They can guide you through the process, run pre-assessments, and help you avoid costly mistakes. Some larger prime contractors even provide tools and support to their suppliers to help everyone stay compliant.

Addressing Common Misconceptions

Several misconceptions about CMMC persist among contractors, which can hinder preparation efforts. Addressing these myths is essential for a clear understanding of the requirements:

  • Misconception: Waivers Will Be Widely Available: As noted, waivers are rare and pre-determined at the acquisition level. Contractors should not rely on waivers as a substitute for compliance.
  • Misconception: Self-Assessments Are Sufficient for Level 2: While self-assessments are permitted for some Level 2 contracts, many will require C3PAO validation, particularly for those involving CUI. Contractors should plan for third-party assessments to avoid surprises during the bidding process.
  • Misconception: Compliance Can Be Achieved Post-Solicitation: The 32-day PALT window is insufficient for achieving CMMC certification. Contractors must begin preparation well in advance to meet contract requirements.
  • Misconception: CMMC Is Too Complex for Small Businesses: While CMMC 2.0 streamlined requirements, compliance remains a challenge for SMEs. However, with proper planning and support, small businesses can achieve certification and remain competitive.

The Broader Implications of CMMC

As CMMC becomes part of DoD contracts, it’s clear that cybersecurity isn’t just a box to check—it’s now front and center in protecting national defense. The Defense Industrial Base (DIB) plays a huge role in supporting the DoD, and any gap in the supply chain can have serious consequences. Countries like China, Russia, and North Korea are constantly on the lookout for weak points in contractor systems to get their hands on sensitive data. By rolling out CMMC, the DoD wants to make sure the supply chain is tough enough to handle even the most advanced cyber threats.

For contractors, meeting CMMC requirements is more than just following rules—it’s a chance to stand out. Those who show they’re serious about cybersecurity will have a better shot at winning contracts and earning the trust of primes and the DoD itself. On the flip side, contractors who fall short could find themselves shut out of the defense market. Not keeping up with compliance sends a clear message: you’re not ready to protect sensitive information, and that could cost you big opportunities.

The Path Forward

The approval of the 48 CFR rule is a major milestone for CMMC. With new requirements landing in contracts as soon as October 2025, contractors have no time to waste—the clock is already ticking. Starting early is the best way to avoid stressful, last-minute scrambles, and it shows primes and the DoD that you’re a reliable partner.

It’s smart to tap into all available resources: cybersecurity experts, certified C3PAOs, and guidance from industry leaders. The demand for real cybersecurity isn’t going away—it’s here to stay. Contractors who treat CMMC as a real chance to boost their cyber defenses are not only checking a box, but also helping keep our country’s defense systems secure.

If you’re ready to get started—or want a trusted partner to guide you through the process—contact Intech Hawaii today. Our team can help assess your current cybersecurity posture, close compliance gaps, and prepare you for a smooth CMMC certification process. The sooner you begin, the better positioned you’ll be to meet the deadline with confidence.