The long-awaited Cybersecurity Maturity Model Certification (CMMC) Final Rule has officially reached the Office of Management and Budget (OMB) for review — one of the final steps before becoming law. Publication is expected in October 2025, and the phased rollout will begin immediately in Q4 2025.
Once finalized, CMMC requirements will start appearing in new DoD contracts — including those requiring Level 1 (Foundational) or Level 2 (Advanced) compliance.
This is your signal: now is the time to finalize your readiness.
What the Final Rule Means for You
Contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will need to demonstrate cybersecurity compliance before contract award:
- CMMC Level 1: Self-assessment for FCI (15 practices from FAR 52.204-21)
- CMMC Level 2: Third-party certification (C3PAO) based on NIST SP 800-171
- Subcontractors must also meet the same requirements under flow-down clauses
The Final Rule will not be delayed by a 60-day waiting period, so enforcement begins immediately upon publication.
Immediate Action Items
To stay competitive for future DoD contracts, you should take these steps now:
1. Assess and Close NIST SP 800-171 Gaps
Level 2 certification requires full implementation of all 110 controls. POA&Ms are only permitted under certain conditions and must be closed within 180 days.
2. Update SSPs and POA&Ms
Ensure your System Security Plans and Plans of Action and Milestones are aligned with the final rule’s requirements and formatting.
3. Engage Subcontractors
CMMC compliance must flow down. Ensure your vendors are preparing and understand their responsibilities.
4. Prepare for C3PAO Assessment
If you require Level 2 certification, begin preparing for an independent third-party review. Assessment availability will be limited once demand increases.
Don’t Wait Until It’s Too Late
The publication of the Final Rule marks the start of real enforcement. DoD has made it clear: no certification, no contract award. By acting now, you avoid last-minute scrambles, costly delays, and lost opportunities.
Brea Networks supports organizations across the Defense Industrial Base in preparing for CMMC readiness. Contact us today to schedule a gap assessment or readiness review.
- The Brea Networks Compliance Team