On July 22, 2025, something important happened with CMMC. The Department of Defense sent the final 48 CFR rule to a government office called OIRA for final review. This is the last step before CMMC becomes required in defense contracts.
If you work for a defense company, this news means CMMC is about to become real. Here's what you need to know about what happens next.
CMMC works through two different government rules. Think of it like building a house - you need both the blueprint and the building permit.
The first rule (32 CFR) was like the blueprint. It became official in December 2024. This rule created the CMMC program and explained how it works.
The second rule (48 CFR) is like the building permit. This rule tells government contract officers that they can now require CMMC in contracts. Without this rule, they can't make CMMC a requirement for getting contracts.
That's why this second rule going to OIRA is so important. Once it's approved, CMMC requirements can start showing up in real contracts.
OIRA is a government office that reviews rules before they become final. Think of them as the final editors who check everything before it gets published.
This review usually takes about 90 days, but it can take up to 120 days. Based on what the government has said, here's what will probably happen:
Some companies think they can wait because Phase 1 only needs self-assessments. This is wrong and dangerous thinking.
While some contracts might allow self-assessments, the rule gives contract officers the choice to require full third-party assessments from day one. This means some contracts might require CMMC Level 2 certification right from the start.
If your company handles sensitive government information, waiting could mean you can't bid on new contracts or extend existing contracts right away.
Here's the math that should worry you. Most companies need 9-12 months to get ready for CMMC Level 2. With contracts possibly requiring CMMC in October 2025, companies just starting now are already behind schedule.
There's another problem - not enough assessors. About 220,000 companies will need CMMC certification, but there aren't many approved assessors. Getting an assessment appointment is getting harder and more expensive. Companies that wait will join long waiting lists that could stretch into late 2026 and beyond.
Some defense companies aren't waiting. Big companies like Lockheed Martin are already helping their suppliers get ready for CMMC. This creates opportunities for certified subcontractors and problems for those who wait.
The government usually only gives companies about 32 days between when a contract is announced and when bids are due. This isn't enough time to get CMMC certification. Smart companies are getting certified before they need it.
Some companies hope they can get waivers to avoid CMMC requirements. This is risky thinking. Waivers are rare and decided ahead of time. They're not given to companies who simply aren't ready.
The government has made it clear that waivers will be exceptions, not the normal way to handle CMMC.
Because time is running short, companies should start these steps immediately:
Sending the 48 CFR rule to OIRA isn't just paperwork - it's the signal that CMMC is about to become required. With the rule expected to take effect by October 2025 and preparation taking 9-12 months, the time to get ready is running out fast.