Final Rule Update: 48 CFR and the CMMC Contract Clause Are Officially in Motion

Update: The U.S. Department of War has published the long-awaited 48 CFR Final Rule, officially making the Cybersecurity Maturity Model Certification (CMMC) a binding requirement in defense contracts. The rule was published in the Federal Register on September 10, 2025. A 60-day window follows before clauses begin appearing in contracts, meaning contractors could see DFARS 252.204-7021 requirements starting November 10, 2025.

###

On July 22, 2025, the Department of Defense (DoD) officially sent the final 48 CFR rule to the Office of Information and Regulatory Affairs (OIRA) for review. This critical move clears the path for CMMC requirements to appear in defense contracts as early as October 2025.  

 In this blog, we'll break down:  

• What the 48 CFR final rule is and why it matters  
• The timeline for CMMC showing up in contracts  
• What defense contractors need to do now  
• Common misconceptions about waivers and self-assessments  
• Summit 7's guidance and resources to help you navigate what's next   

What Is the 48 CFR Rule?  

Two regulations govern the Cybersecurity Maturity Model Certification (CMMC) program:  

• 32 CFR Part 170: Outlines the CMMC Program including department policy, roles, levels, requirements, waivers, and assessments.  
• 48 CFR Parts 204, 212, 217, and 252: Implements CMMC acquisition policy and standardized contract language.  

While 32 CFR Part 170 has been in effect since December 2024, the 48 CFR rule was required to formally authorize the inclusion of CMMC language in solicitations and contracts.  

The final 48 CFR rule was submitted to OIRA for regulatory review, putting it at the second-to-last step before it becomes official and CMMC is enforceable in contracts.  

Timeline: When Will CMMC Show Up in Contracts?  

Here's what we know as of July 2025:  

• July 22: DoD sends the final rule to OIRA.  
• OIRA has 90 days (potentially up to 120) to complete the review.  
• Once approved, the rule moves to the Federal Register for final publication (1–3 weeks).  
• The rule's effective date is immediate upon publication (no 60-day delay expected). 

Most Likely Case Scenario:  

• CMMC contract requirements begin showing up by late October 2025.  

Most Conservative Scenario:  

• With maximum review delays and classification changes, CMMC appears in contracts by February 2026. 

Regardless, Halloween to Super Bowl is the window. Most likely? Q4 of 2025.  

What's Changing?  

This new 48 CFR rule does not change the core CMMC requirements. Those were locked in by 32 CFR Part 170. Instead, it:  

• Inserts the DFARS 252.204-7021 clause into contracts  
• Authorizes contracting officers to include CMMC language in solicitations  
• Kicks off the four-phase CMMC rollout  

Don't Wait: Why You Must Act Now  

If your organization plans to bid on or receive DoD contracts after October 2025, your CMMC Level 2 certification may be a requirement. 

Key Deadlines to Consider:  

• CMMC Level 2 (C3PAO assessments) can be required starting in Phase 1 — yes, in 2025. This is due to the language stating the contracting offices “discretion” on certifications.  
• Waivers? Not likely. Waivers are pre-determined at the acquisition level and are not granted ad hoc to subcontractors or late bidders.  
• The time between solicitation and contract award (Procurement Administrative Lead Time or PALT) is typically not long enough to start your CMMC journey after a solicitation drops (~32 days according to a GSA report).  

How to Get Ready (If You're Not Already)  

Preparing for CMMC takes time because most organizations need 9–12 months to fully implement NIST SP 800-171, validate compliance, and pass a C3PAO assessment.  

If your organization:  

• Handles Controlled Unclassified Information (CUI)  
• Is a prime or subcontractor in the defense industrial base  
• Plans to bid on contracts in 2026 or earlier  

Then you need to be in the implementation and assessment phase now.  

Even ahead of the final rule, major defense primes like Lockheed Martin have been actively preparing their supply chains for CMMC requirements. Their recent communications to suppliers emphasize the urgency of cybersecurity readiness.  

Get Ready for CMMC with Confidence  

Summit 7 has helped dozens of organizations achieve CMMC Level 2 certification, and we're scaling fast. Just last week, our team supported four concurrent C3PAO assessments.  

Free Resources to Get You Started:  

• Secure the DIB Webinar Series  
• Sum IT Up Podcast and YouTube 
• CUI Hotline: Friday FAQ 
• CMMC Readiness Blogs  

The Bottom Line  

CMMC is no longer a "future initiative." The 48 CFR rule is happening. The timeline is October 2025. And the era of cybersecurity assurance in DoD contracts is here.  

If you need to be CMMC certified by Q1 2026, you have no time to delay.