Aug 12, 2025 8:24:57 AM

Big CMMC News: The Final Step Before It Becomes Real

Posted By Kara Sparrow

On July 22, 2025, something important happened with CMMC. The Department of Defense sent the final 48 CFR rule to a government office called OIRA for final review. This is the last step before CMMC becomes required in defense contracts.

If you work for a defense company, this news means CMMC is about to become real. Here's what you need to know about what happens next.

Why Are There Two Different CMMC Rules?

CMMC works through two different government rules. Think of it like building a house - you need both the blueprint and the building permit.

The first rule (32 CFR) was like the blueprint. It became official in December 2024. This rule created the CMMC program and explained how it works.

The second rule (48 CFR) is like the building permit. This rule tells government contract officers that they can now require CMMC in contracts. Without this rule, they can't make CMMC a requirement for getting contracts.

That's why this second rule going to OIRA is so important. Once it's approved, CMMC requirements can start showing up in real contracts.

What Is OIRA and Why Does It Matter?

OIRA is a government office that reviews rules before they become final. Think of them as the final editors who check everything before it gets published.

This review usually takes about 90 days, but it can take up to 120 days. Based on what the government has said, here's what will probably happen:

  • August-October 2025: OIRA finishes its review
  • Late October 2025: The rule gets published (this takes 1-3 weeks after OIRA says yes)
  • Right away: The rule becomes active as soon as it's published
  • October-November 2025: CMMC requirements start showing up in contracts

Don't Wait for Phase 2 - Level 2 Certification Might Be Required Right Away

Some companies think they can wait because Phase 1 only needs self-assessments. This is wrong and dangerous thinking.

While some contracts might allow self-assessments, the rule gives contract officers the choice to require full third-party assessments from day one. This means some contracts might require CMMC Level 2 certification right from the start.

If your company handles sensitive government information, waiting could mean you can't bid on new contracts or extend existing contracts right away.

The Time Problem Is Real

Here's the math that should worry you. Most companies need 9-12 months to get ready for CMMC Level 2. With contracts possibly requiring CMMC in October 2025, companies just starting now are already behind schedule.

There's another problem - not enough assessors. About 220,000 companies will need CMMC certification, but there aren't many approved assessors. Getting an assessment appointment is getting harder and more expensive. Companies that wait will join long waiting lists that could stretch into late 2026 and beyond.

Smart Companies Are Getting Ready Now

Some defense companies aren't waiting. Big companies like Lockheed Martin are already helping their suppliers get ready for CMMC. This creates opportunities for certified subcontractors and problems for those who wait.

The government usually only gives companies about 32 days between when a contract is announced and when bids are due. This isn't enough time to get CMMC certification. Smart companies are getting certified before they need it.

Don't Count on Waivers

Some companies hope they can get waivers to avoid CMMC requirements. This is risky thinking. Waivers are rare and decided ahead of time. They're not given to companies who simply aren't ready.

The government has made it clear that waivers will be exceptions, not the normal way to handle CMMC.

What You Should Do Right Now

Because time is running short, companies should start these steps immediately:

  1. Check Your Current Security: See how your current security compares to NIST SP 800-171A requirements
  2. Talk to Assessors: Start conversations with approved assessment companies to understand timelines and costs
  3. Fix Basic Security: Focus on the most important security controls first
  4. Document Everything: Start creating the security plans and documents you'll need
  5. Check Your Suppliers: Make sure companies you work with are also getting ready for CMMC

The Bottom Line

Sending the 48 CFR rule to OIRA isn't just paperwork - it's the signal that CMMC is about to become required. With the rule expected to take effect by October 2025 and preparation taking 9-12 months, the time to get ready is running out fast.