Date: September 4, 2025
The Cybersecurity Maturity Model Certification (CMMC) acquisition rule, codified in 48 CFR, officially completed regulatory review by the Office of Information and Regulatory Affairs (OIRA) on August 25, 2025. This was the final step before publication in the Federal Register, marking the point when CMMC requirements will become enforceable in Department of Defense (DoD) contracts.
This milestone carries significant implications for defense contractors preparing to meet cybersecurity compliance requirements. Below, we break down the key updates, enforcement timeline, and preparation steps that organizations must take seriously.
Enforcement Timeline: When Will CMMC Take Effect?
The final rule is expected to be published as early as October 2025. Unlike most federal rules that carry a 60-day delay, this one may take effect almost immediately.
That means contractors can expect CMMC requirements to begin appearing in DoD solicitations by the end of 2025. Defense organizations that have not already started their compliance efforts may find themselves at risk of falling behind.
Authority to Include CMMC Clauses
While the initial CMMC framework was previously established in 32 CFR Part 170, this new 48 CFR rule formally grants contracting officers the authority to include CMMC requirements in both solicitations and awarded contracts.
This closes the loop between policy and enforcement, ensuring that CMMC is no longer just guidance—it is a contractual obligation.
Phased Implementation of CMMC
The DoD is taking a phased approach to rolling out requirements:
- Level 1 and Level 2 self-assessments will lead the way.
- Third-party assessments may still be required at Level 2, at the discretion of contracting officers.
This gradual approach balances compliance oversight with operational realities, but contractors should prepare for the possibility of stricter requirements on critical contracts.
Preparation Timeline: Why Contractors Must Act Now
Compliance with CMMC—and completion of the required assessments—can take several months. Given that enforcement is expected to begin in Q4 2025, time is already running short.
Contractors who have not yet launched their CMMC readiness programs should start immediately. Early movers will avoid last-minute bottlenecks and be better positioned to win new defense opportunities.
Certification Is Required at the Time of Award
One of the most important takeaways: CMMC certification must be in place at the time of contract award.
Unlike some compliance frameworks, certification cannot be deferred until after execution. Organizations without proof of certification at award time will simply not be eligible to receive contracts.
Recognizing Our Clients’ Progress
At Brea Networks, we want to congratulate our clients who are ahead of the curve. Many across the defense industry are just beginning their journey, but several of our clients are already well-prepared to move directly into assessments after we complete our own.
This proactive approach reflects both foresight and commitment. By investing in readiness now, these organizations are positioning themselves for long-term success as CMMC enforcement begins.
Final Thoughts
The CMMC final rule marks a turning point for the defense industry. With publication and enforcement just around the corner, contractors cannot afford to wait.
Organizations that start their compliance journey today will have a clear competitive advantage when the first DoD solicitations with CMMC clauses go live at the end of 2025.
If you haven’t started your CMMC preparations yet, now is the time.
- The Brea Networks Compliance Team