CMMC Final Rule Nears Completion: Actions for Compliance Readiness

NEW CMMC RULE UPDATE: Final DFARS CMMC Rule CLEARED by Office of Information & Regulatory Affairs (OIRA) - (9/2/2025)

The White House’s OIRA has finished its review of DoD’s CMMC DFARS rule (48 CFR CMMC Acquisition Rule) Friday, Aug. 25, 2025. This is the last big step before DoD publishes the final rule in the Federal Register. When it’s published, the notice will list the effective date, and you can expect to start seeing CMMC level requirements called out in new solicitations and awards soon after. Publication could happen within the next week to a month.

The DoD’s CMMC site notes that the CMMC Program implementation date is 60 days after publication of the final Title 48 CFR CMMC acquisition rule. 

Once this rule becomes effective, this will begin CMMC Phase 1

• CMMC Level 1 (Self-Assessment) – Federal Contract Information (FCI) only. 17 of 110 NIST SP 800-171 Revision 2 Security Controls must be met.
• CMMC Level 2 (Self-Assessment) – Controlled Unclassified Information (CUI). All 110 NIST SP 800-171 Revision 2 Security Controls must be met.
• Phase 1 must be met within 1 year of effective date according to the CMMC Phased roll-out plan.

Of note: The DoD reserves the right to require CMMC Level 2 Certification Assessment by a Certified 3^rd-party Assessing Organization (C3PAO) instead of a Level 2 Self-Assessment after the effective date or during Phase 1.

Please contact your Contracting Officer (CO), government Program Manager (PM), or your prime contractor’s contract liaison for additional information on upcoming CMMC contractual requirements—they may have additional insight on specific expectations and timelines.

What does this mean to you?

• Complete a CMMC Gap Assessment with Peerless
• If you’ve already been assessed, engage Peerless for remediation to address any deficiencies identified.

Contact us today!

🚨 NEW CMMC RULE UPDATE: Final DFARS CMMC Rule Sent to OMB – Last Stop Before It Becomes Law (7/22/2025)

The wait is nearly over.

As of July 22, 2025, the Department of Defense (DoD) has officially submitted the final version of the CMMC Acquisition Rule (DFARS Case 2019-D041) to the Office of Management and Budget (OMB) for regulatory review. This is the final step before the CMMC Acquisition Rule is published in the Federal Register and becomes contractually binding across the defense industrial base (DIB).

This rule will formally integrate the Cybersecurity Maturity Model Certification (CMMC) requirements into 48 CFR and DFARS, making cybersecurity compliance not just a best practice but a condition of contract award and performance.

What Does This Mean?

The CMMC Acquisition Rule being under OMB review means DoD has completed its internal regulatory development process and is now seeking final approval. Once OMB clears the rule, likely Fall 2025, it will be published, triggering the official 3-year CMMC phased rollout timeline.

Under this phased implementation:

• Phase 1: CMMC Level 1 and Level 2 Self-Assessment (Gap Assessments)
  • Level 1 required if you process Federal Contract Information (FCI).
    Only 17 of the 110 NIST SP 800-171 Revision 2 Security Controls are required.
  • Level 2 required if you process Controlled Unclassified Information (CUI).
    Requires compliance with all 110 NIST SP 800-171 Revision 2 Security Controls.

• Phase 2: CMMC Level 2 Certified 3^rd Party Assessing Organization (C3PAO) Certification Assessments (based on contract)
  • Note: Some contracts may only require a Level 2 self-assessment instead of a C3PAO assessment.

• Phase 3: CMMC Level 3 Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) (Only required if delineated in contract)
  • Must meet all 110 NIST SP 800-171 Revision 2 Security Controls plus 24 additional security controls within the NIST SP 800-172.

• Phase 4: CMMC Certified

The final rule will also revise DFARS 252.204-7021, establish enforcement mechanisms, and clarify timelines, flow-down requirements, and penalties for noncompliance.

CMMC as a “Program” is established and codified under 32 CFR Part 170 which became effective December 2024. However, the 48 CFR DFARS CMMC Acquisition Rule is what will enforce CMMC in your contracts. This rule is at its final stage and projected to become effective Fall 2025.

In the meantime, FAR 52.204-21 provides the contractual regulatory requirement to protect FCI, while DFARS 252.204-7012, 7019, 7020 are contractually required when processing CUI. The upcoming DFARS CMMC Acquisition Rule will introduce a new contractual requirement for CMMC, ensuring the protection of both FCI and CUI.

If You’re Not Ready… You’re Already Behind

If your organization:

• Has only completed a CMMC Gap Assessment, and
• Still has open POA&M items that have not been remediated…

You may be at risk of losing eligibility to bid or maintain DoD contracts once the rule takes effect.

*** Don’t Wait. Prepare Now. ***

The clock is ticking. This is the final warning bell before enforcement begins.

Whether you're a prime contractor, subcontractor, or MSP supporting DoD clients, you must treat this as a go/no-go moment for your CMMC compliance journey. By the time the final rule hits the Federal Register, the expectation is clear: you should already be in motion.

If you haven’t:

• Built or updated your System Security Plan (SSP)
• Started remediating POA&M items
• Validated your implementation with objective evidence
• Implemented cybersecurity governance policies
• Prepared your SPRS score updates or Level 2 readiness package...

… then it’s time to act NOW!!!

👇 Need Help?

Contact Peerless, we specialize in helping defense contractors assess, remediate, and prepare for CMMC Level 2 certification. Whether you're starting from scratch or need support finalizing your evidence and artifacts, we can help you navigate this final stretch before the rule hits.

Contact us today to start your compliance journey—or get back on track before the door closes on non-compliant contractors.