CMMC Advances: Rule 48 CFR Marks the Final Step in DoD Cyber Compliance
As of August 2025, the 48 CFR rule, the final regulatory piece needed to activate CMMC 2.0 in Department of Defense (DoD) contracts, is in the final stages of review. This rule officially allows contracting officers to include CMMC certification requirements in solicitations and awards.
What’s Happening Now?
- On July 22, 2025, the DoD submitted the finalized rule to the Office of Information and Regulatory Affairs (OIRA) for formal review.
- This submission marks the last major hurdle before CMMC becomes a contractual requirement.
- The rule itself doesn’t introduce new certification standards; those were already established under 32 CFR Part 170, which took effect in December 2024. Instead, Rule 48 enables enforcement through acquisition regulations.
What Comes Next?
OIRA typically takes up to 90 days to complete its review. Once approved:
- The rule will be published in the Federal Register.
- It will become effective immediately—no waiting period.
- DoD contracting officers will begin inserting CMMC clauses into contracts, starting with a phased rollout.
What This Means for Contractors
If your company handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), you’ll need to be certified at the appropriate CMMC level to remain eligible for future DoD work.
- Level 1: Contractors handling FCI require annual self-assessment.
- Level 2: Contractors handling CUI require third-party certification.
- Level 3: Those performing critical national security work require government-led assessment.
Final Thoughts
CMMC isn’t just a checkbox; it’s a requirement in order to do business with the DoD. Hiring an RPO (Registered Practitioner Organization) or RP (Registered Practitioner) before engaging a C3PAO (Certified Third-Party Assessor Organization) is more than a smart financial move; it’s a strategic investment in your company’s future.
With an estimated nearly 80,000 companies needing certification and only 77 C3PAOs and 1,837 RPs available, the math is clear even though these numbers are growing: demand will outpace supply. Early preparation with the right support can mean the difference between a smooth certification and a costly setback.
Ready to take the next step?
Explore The Cyber AB Marketplace to find a reputable RPO or RP with experience in your industry. Your future contracts and your bottom line will thank you.
With the 48 CFR rule expected to go live in Q4 2025, now is the time to ensure your cybersecurity program is aligned with CMMC requirements and your documentation is audit-ready.






