Learn about the latest CMMC compliance deadline updates and requirements. Start your journey now to avoid the upcoming rush.
JUNE 2025 UPDATE: THE CMMC PROGRAM FINAL RULE HAS BEEN PUBLISHED. PHASED ROLLOUT IS EXPECTED Q3 2025.
On October 15th, 2024, the CMMC ruling – known formally as the 32 CFR Part 170 ruling, or the “Program Rule” for CMMC – was published. It became legally effective 60 days later, on December 16, 2024
This CMMC Program Rule mandates that all contractors in the Defense Industrial Base who handle Controlled Unclassified Information or Federal Contract Information must comply with strict cybersecurity standards. While the government’s phased rollout will take time, prime contractors are already expecting CMMC requirements to be met by subcontractors. We encourage you to act now, as the demand for compliance services will grow and strain available resources.
Here's what you need to know about when CMMC compliance will be required:
- The CMMC Program Final Rule was published on October 15, 2024.
- CMMC assessments have been available since Q1 2025.
- It takes a 50 person company an average of 6-12 months to prepare for a CMMC assessment.
- The phased rollout of CMMC as a contractual requirement is expected to begin once the 48 CFR final rule is published, with the window for publication between July and October of 2025.
How long does it take to get CMMC compliant?
It typically takes organizations anywhere from 6-18 months to prepare for an assessment.
How do I know if I need to be CMMC compliant?
Check your existing contract requirements to determine your appropriate level of CMMC. If you have existing DFARS 7012 requirements and you handle CUI, it is likely that you'll need to be CMMC Level 2 compliant.
What should I do next to become CMMC compliant?
Speak with an expert here at Summit 7 to get clear next steps for your organization.
Then, download our CMMC Readiness Brief for an overview of the steps required for CMMC compliance.
What is the CMMC Compliance Deadline Update for 2025?
As of September 2024 Department of Defense the 48 CFR CMMC Proposed rule has been published. This milestone allows us to estimate the timeline for the implementation of CMMC regulations. The delays have been addressed, signaling that contractors need to start preparing for the upcoming CMMC roll-outs—yes, there are two distinct roll-outs to anticipate.
Are There Two CMMC Rules?
Indeed, there are two separate CMMC rules. (For more details, check out our webinar)
What is the 32 CFR CMMC Rule?
The first rule, known as the "32 CFR CMMC," codifies the CMMC program. This rule, published as a final rule on October 2024, officially makes certification assessments available on the market. National Security programs like CMMC are codified in Title 32 of the Code of Federal Regulations.
What is the 48 CFR CMMC Rule?
The second rule updates the DFARS contract clause 252.204-7021, which outlines the CMMC requirements, to align with the 32 CFR CMMC program details. This clause, originally published in 2020, needs revisions to reflect changes from CMMC 1.0, including the reduction from five to three levels, allowances for temporary findings (POAMs), and the introduction of a waiver process.
As of May/June 2025, the window for publication of the 48 CFR final rule is now June to October 2025.
Once both rules are finalized and effective, contractors will know the required CMMC certification level for specific contracts based on their 7021 clause. The procedures for assessment, including requirements and allowances for temporary deficiencies, are detailed in 32 CFR.
When Will CMMC Be In Defense Contracts?
Short answer: CMMC will be in defense contracts starting in October of 2025.
On October 15th, 2024, the CMMC ruling – known formally as the 32 CFR Part 170 ruling, or the “Program Rule” for CMMC – was published.
As of September 2024, the 48 CFR CMMC Proposed rule has been published. This milestone allows us to estimate the timeline for the implementation of CMMC regulations.
As of June 2025, the window for final publication of the 48 CFR CMMC rule is between July and October 2025.
The Pressure is Coming: Two CMMC Rollouts
With two distinct CMMC rules on separate publication schedules, the CMMC program will undergo two different roll-outs. The "market roll-out" has begun now that the 32 CFR CMMC rule is effective, allowing early adopters and competitors to seek certification voluntarily starting in Q1 2025, even before the DoD requires it in contracts.
The official "phased roll-out" will start once the 48 CFR CMMC rule is finalized, enabling the DoD to include specific CMMC level requirements in contracts and solicitations.
Many large prime contractors are requiring their suppliers to get certified early, accelerating the market roll-out. Over 100 companies have already become certified as of June 2025, with Summit 7 clients making up around 30% of all successful assessments. 
