CMMC Final Rule Nears Completion: Actions for Compliance Readiness

🚨 NEW CMMC RULE UPDATE: Final DFARS CMMC Rule Sent to OMB – Last Stop Before It Becomes Law

The wait is nearly over.

As of July 22, 2025, the Department of Defense (DoD) has officially submitted the final version of the CMMC Acquisition Rule (DFARS Case 2019-D041) to the Office of Management and Budget (OMB) for regulatory review. This is the final step before the CMMC Acquisition Rule is published in the Federal Register and becomes contractually binding across the defense industrial base (DIB).

This rule will formally integrate the Cybersecurity Maturity Model Certification (CMMC) requirements into 48 CFR and DFARS, making cybersecurity compliance not just a best practice but a condition of contract award and performance.


What Does This Mean?

The CMMC Acquisition Rule being under OMB review means DoD has completed its internal regulatory development process and is now seeking final approval. Once OMB clears the rule, likely Fall 2025, it will be published, triggering the official 3-year CMMC phased rollout timeline.

Under this phased implementation:

  • Phase 1: CMMC Level 1 and Level 2 Self-Assessment (Gap Assessments)
    • Level 1 required if you process Federal Contract Information (FCI).
      Only 17 of the 110 NIST SP 800-171 Revision 2 Security Controls are required.
    • Level 2 required if you process Controlled Unclassified Information (CUI).
      Requires compliance with all 110 NIST SP 800-171 Revision 2 Security Controls.
  • Phase 2: CMMC Level 2 Certified 3rd Party Assessing Organization (C3PAO) Certification Assessments (based on contract)
    • Note: Some contracts may only require a Level 2 self-assessment instead of a C3PAO assessment.
  • Phase 3: CMMC Level 3 Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) (Only required if delineated in contract)
    • Must meet all 110 NIST SP 800-171 Revision 2 Security Controls plus 24 additional security controls from NIST SP 800-172.
  • Phase 4: CMMC Certified

The final rule will also revise DFARS 252.204-7021, establish enforcement mechanisms, and clarify timelines, flow-down requirements, and penalties for noncompliance.

CMMC as a “Program” is established and codified under 32 CFR Part 170, which became effective December 2024. However, the 48 CFR DFARS CMMC Acquisition Rule is what will enforce CMMC in your contracts. This rule is at its final stage and projected to become effective Fall 2025.

In the meantime, FAR 52.204-21 provides the contractual regulatory requirement to protect FCI, while DFARS 252.204-7012, 7019, and 7020 are contractually required when processing CUI. The upcoming DFARS CMMC Acquisition Rule will introduce a new contractual requirement for CMMC, ensuring the protection of both FCI and CUI.


If You’re Not Ready… You’re Already Behind

If your organization:

  • Has only completed a CMMC Gap Assessment, and
  • Still has open POA&M items that have not been remediated…

You may be at risk of losing eligibility to bid or maintain DoD contracts once the rule takes effect.


*** Don’t Wait. Prepare Now. ***

The clock is ticking. This is the final warning bell before enforcement begins.

Whether you're a prime contractor, subcontractor, or MSP supporting DoD clients, you must treat this as a go/no-go moment for your CMMC compliance journey. By the time the final rule hits the Federal Register, the expectation is clear: you should already be in motion.

If you haven’t:

  • Built or updated your System Security Plan (SSP)
  • Started remediating POA&M items
  • Validated your implementation with objective evidence
  • Implemented cybersecurity governance policies
  • Prepared your SPRS score updates or Level 2 readiness package...

… then it’s time to act NOW!!!


👇 Need Help?

Contact Peerless. We specialize in helping defense contractors assess, remediate, and prepare for CMMC Level 2 certification. Whether you're starting from scratch or need support finalizing your evidence and artifacts, we can help you navigate this final stretch before the rule hits.

Contact us today to start your compliance journey—or get back on track before the door closes on non-compliant contractors.
