The Department of Defense has taken its final step toward making Cybersecurity Maturity Model Certification a binding requirement in defense contracts. On September 10, 2025, the 48 CFR final rule entered public inspection in the Federal Register. That means it will take effect on November 10, 2025, and contracting officers can require CMMC certification in solicitations and awards starting this fall.
What is the 48 CFR Rule?
The 48 CFR rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) to include CMMC in official contract language. Specifically, it covers 48 CFR Parts 204, 212, 217, and 252.
- 32 CFR Part 170, effective since December 2024, created the structure and requirements of the CMMC program.
- 48 CFR is the enforcement mechanism.
With this step finalized, the transition from policy to practice begins.
Why it Matters for DoD Contractors
The publication of the 48 CFR rule brings several changes for defense contractors:
1. The four-phase rollout of CMMC will officially begin this fall. (Figure: four-phase rollout of CMMC. Source: dodcio.defense.gov)
2. DFARS Clause 252.204-7021 will begin appearing in DoD contracts, mandating the required CMMC level.
3. Contracting officers gain the authority to include CMMC in solicitations.
3 Reasons You Need to Act Now
The timeline leaves little room for hesitation.
1. Phase 1 starts immediately.
Contracting officers will have discretion to require CMMC Level 2 certification in Phase 1. That means some contracts this fall may already demand third-party verification by a C3PAO.
2. Waivers will be extremely limited.
They are determined at the acquisition level, not granted on a case-by-case basis to late bidders or subcontractors.
3. Procurement Administrative Lead Time (PALT) is short.
On average, contractors have about 32 days between a solicitation’s release and award. That’s not nearly enough time to complete a certification process.
CMMC Readiness Takes Time
Most organizations require nearly a year to fully implement NIST SP 800-171 controls, remediate gaps, and complete a C3PAO assessment.
That means anyone handling Controlled Unclassified Information should already be well into their readiness process.
Primes are already screening their supply chains for CMMC readiness, and once Phase 1 hits, non-compliant companies will quickly find themselves locked out of contract opportunities.
However, if your team hasn’t started its CMMC assessment, don’t worry. It’s not too late. Begin the process now so you’ll be positioned to compete for the contracts you want in the near future.
48 CFR Rule FAQ
Is the 48 CFR rule finalized?
Yes. The DoD formally completed the rulemaking process by sending the final rule to the Office of Information and Regulatory Affairs (OIRA) in July 2025.
After OIRA’s review, the rule was prepared for publication. Once published in the Federal Register on September 10, 2025, the 48 CFR rule became official, and contracting officers can require CMMC certification in awards beginning November 10, 2025.
What is the status of the 48 CFR rule?
On July 22, 2025, the Department of Defense submitted the final 48 CFR rule to the Office of Information and Regulatory Affairs (OIRA) for review.
This was a decisive step in the rulemaking process, signaling that CMMC requirements would soon start appearing in DoD contracts. After OIRA review and clearance, the rule moved to public inspection on September 10, 2025.
The rule becomes effective on November 10, 2025.
What’s the difference between 32 CFR and 48 CFR?
Together, these rules establish both the program framework and the contractual enforcement mechanism for CMMC.
32 CFR Part 170
Defines the structure of the CMMC program, including levels, assessments, and requirements.
48 CFR (DFARS changes)
Makes CMMC enforceable by inserting official clauses into contracts and giving contracting officers authority to require certification.