On August 25, 2025, the DoW issued Class Deviation 2025-O0006. It states, “Effective immediately, contracting officers shall not use the contract clause at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement, in new solicitations and contracts.”
Which has led some to question: Is CMMC delayed?
Here’s what happened. On September 10, 2025, the Department of Defense published the second of two final rules that fully implement the CMMC program. That rule becomes effective November 10, 2025. That date marks the beginning of phase one of the rollout.
From then on, all new solicitations and contracts will carry the right CMMC level based on the type of data being handled.
Class Deviation 2025-O0006 was issued by the DoW to clarify that DFARS 7021 should not appear in contracts until November 10. The deviation was needed because under the old CMMC 1.0 Program, the rollout was slated to be complete by October 1st, 2025.
The Class Deviation was there to let the contracting officers know not to use it because it was “old information” while they were waiting on the final 48CFR CMMC Rule. The only intention of the deviation is to keep contracting officers from jumping the gun before the start date, not to delay CMMC.
Some of the confusion around this stemmed from the fact that the memo said contracting officers were “indefinitely” prohibited from using 7021. Many read that as a permanent suspension. In reality, “indefinitely” meant “until the rule goes live (on November 10).”
This is another example of why it's important to not skim or skip through the details of rulemaking. Details like these are easy to miss. Not everyone can be as reader friendly as your favorite DIB-centered blog.
We recently experienced the same confusion from the industry when language from the text of the old interim rule from 2020 describing a phased rollout ending October 1, 2025.
The industry jumped on October 1 as the go-live date without understanding that the implementation path from the old interim rule was never fully followed though. So, it created a mismatch between the DFARS text on the books and what was happening in practice.
It’s important to know that class deviations aren’t unusual, and this is not the first class deviation tied to CMMC.
Past deviations were issued when new rules were in flux. The DoW used them to stop contracting officers from applying outdated language or clauses that weren’t yet authorized.
When the final rules became effective, those deviations automatically expired. In other words, they served as temporary guardrails. This deviation works the same way. It’s a bridge between old DFARS text and the official start of the new final rule.
Deviations are a normal part of the acquisition process. They don’t override final rules. They just manage the in-between periods so everyone is working off the same playbook.
The CMMC rollout is not delayed. DoW Class Deviation 2025-O0006 was about timing and clarity. Just like past deviations, it will expire when the new rule becomes effective.
November 10, 2025, is the date that matters. That’s when CMMC requirements officially enter contracts. If your team isn’t preparing for that, you’re already behind. Get started implementing CMMC today.