
across the defense industrial base (DIB). The Office of Information and Regulatory Affairs (OIRA) has cleared the final Defense Federal Acquisition Regulation Supplement (DFARS) rule – DFARS Case 2019-D041 – related to the Cybersecurity Maturity Model Certification (CMMC) program. This rule is now awaiting final approval from the DoD before publication in the Federal Register.
This development marks a pivotal moment for defense contractors, as it sets the stage for mandatory cybersecurity assessments across all tiers of the supply chain. Here’s what contractors need to know about the rule, its implications, and the phased rollout of CMMC requirements.
What is the CMMC Program?
The CMMC program is designed to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) on nonfederal information systems. It introduces a tiered model of cybersecurity requirements, ranging from basic self-assessments to rigorous third-party certifications, depending on the sensitivity of the information involved.
- Level 1: Basic safeguarding of FCI (self-assessment).
- Level 2: Protection of CUI (self-assessment or third-party certification by a C3PAO, depending on the contract).
- Level 3: Enhanced protection of mission-critical CUI (DoD-led certification, building on a Level 2 certification).
The CMMC program itself is codified in Title 32 CFR Part 170 (the program rule, effective December 16, 2024); the DFARS rule now cleared by OIRA adds the Title 48 CFR contract clauses that put those requirements into solicitations and contracts.
Final Rule Status: What’s Happening Now

- OIRA Clearance: On August 25, 2025, OIRA cleared the final DFARS rule.
- Next Step: Publication in the Federal Register. There are 60 days to do so, but it is expected to be done within 1-3 weeks.
- Effective Date: The rule is not classified as a “major rule”, so the 60-day delay that the Congressional Review Act imposes on major rules should not apply; the expectation is that it becomes effective on or shortly after publication.
If that holds, CMMC requirements could begin appearing in DoD solicitations as early as October 2025.
Updated Phased Implementation Timeline

According to 32 CFR § 170.3(e), the rollout begins on the effective date of the final rule, which we estimate to be October 2025. The timeline below reflects Ardalyst’s projected dates based on that assumption:
Phase 1 – Starts: October 2025 (the effective date of the DFARS rule)
- Requirement: Solicitations and contracts involving FCI include CMMC Level 1 (Self-Assessment); those involving CUI include CMMC Level 2 (Self-Assessment). DoD may, at its discretion, require Level 2 (Certification) in this phase for individual contracts.
- Action: Complete the self-assessment, post the results in the Supplier Performance Risk System (SPRS), and have a senior company official affirm continuing compliance in SPRS. The affirmation is renewed annually, so an out-of-date affirmation is as disqualifying as a missing assessment.
Phase 2 – Starts: October 2026 (one year after the effective date)
- Requirement: Contracts involving CUI include CMMC Level 2:
  - Self-assessment where the program office permits it for non-critical CUI.
  - Third-party certification for CUI within the Defense Organizational Index Grouping.
- Action: Engage a Certified Third-Party Assessment Organization (C3PAO) for certification. Assessment capacity is limited, so schedule early rather than waiting for the first solicitation that requires it.
Phase 3 – Starts: October 2027 (two years after the effective date)
- Requirement: Contracts involving mission-critical or advanced technologies include CMMC Level 3 (Certification), assessed by DoD rather than a C3PAO. Level 3 presupposes a current Level 2 certification and adds 24 requirements selected from NIST SP 800-172. Level 2 certification also begins to apply to option periods in this phase.
- Action: Prepare for the DoD-led assessment and confirm that the boundary of the CUI environment is defined and documented, including where CUI flows to and from subcontractors.
Phase 4 – Starts: October 2028 (three years after the effective date)
- Requirement: Full implementation. All applicable solicitations, contracts, and option periods must meet the required CMMC level.
- Action: Ensure all certifications are current and properly documented. Maintain ongoing compliance and readiness for re-assessment, since certifications and affirmations expire and must be renewed.
Waiver Process and Exceptions
While CMMC requirements will be broadly applied, the DoD has outlined a waiver process for exceptional cases:
- Waivers must be approved by Service or Component Acquisition Executives (SAEs/CAEs).
- CMMC Level 1 and Level 2 (Self-Assessment) waivers are unlikely to be granted, because the underlying safeguarding requirements already apply under existing FAR and DFARS clauses.
- Level 2 (Certification) and Level 3 waivers may be considered in rare cases, such as when seeking competition from non-traditional sources.
Waivers do not exempt contractors from underlying cybersecurity obligations under FAR 52.204-21 or DFARS 252.204-7012.
What Contractors Should Do Now
With the final DFARS rule for CMMC cleared by OIRA and publication in the Federal Register imminent, defense contractors must take proactive steps to ensure compliance and readiness. Here’s a comprehensive checklist to guide your next moves:
- Determine Your CMMC Level based on contract scope and the type of data you handle (FCI only, CUI, or mission-critical CUI).
- Implement the Requirements: the FAR 52.204-21 safeguarding requirements for Level 1, the 110 NIST SP 800-171 requirements for Level 2, and the 24 selected NIST SP 800-172 requirements on top of those for Level 3.
- Submit Self-Assessments to SPRS for Level 1 and Level 2 (if applicable), together with the senior official’s affirmation, and renew the affirmation annually.
- Engage a C3PAO for Level 2 certification if handling CUI that requires certification rather than self-assessment.
- Prepare for Level 3 if supporting mission-critical technologies.
- Train Your Team on CMMC requirements and data handling protocols.
- Monitor the Federal Register and DoD updates for rule publication.
- Coordinate with Subcontractors: the required CMMC level flows down to every subcontractor that will process, store, or transmit FCI or CUI, so confirm their status before award rather than after.
The CMMC program is no longer a distant requirement—it’s here. With the final rule cleared and publication imminent, contractors must be ready to meet cybersecurity standards or risk losing eligibility for future DoD contracts.
Tesseract is here to help. As a trusted partner in cybersecurity and compliance, Tesseract offers tailored solutions to guide your organization through every phase of CMMC readiness—from risk assessments to certification support.
👉 Contact Ardalyst today to schedule a free consultation and ensure your business is prepared for the future of federal contracting.