NEW CMMC RULE UPDATE: Final DFARS CMMC Rule CLEARED by Office of Information & Regulatory Affairs (OIRA) - (9/2/2025)
The White House’s OIRA has finished its review of DoD’s CMMC DFARS rule (48 CFR CMMC Acquisition Rule) Friday, Aug. 25, 2025. This is the last big step before DoD publishes the final rule in the Federal Register. When it’s published, the notice will list the effective date, and you can expect to start seeing CMMC level requirements called out in new solicitations and awards soon after. Publication could happen within the next week to a month.
The DoD’s CMMC site notes that the CMMC Program implementation date is 60 days after publication of the final Title 48 CFR CMMC acquisition rule.
Once this rule becomes effective, this will begin CMMC Phase 1
Of note: The DoD reserves the right to require CMMC Level 2 Certification Assessment by a Certified 3rd-party Assessing Organization (C3PAO) instead of a Level 2 Self-Assessment after the effective date or during Phase 1.
Please contact your Contracting Officer (CO), government Program Manager (PM), or your prime contractor’s contract liaison for additional information on upcoming CMMC contractual requirements—they may have additional insight on specific expectations and timelines.
What does this mean to you?
Contact us today!
🚨 NEW CMMC RULE UPDATE: Final DFARS CMMC Rule Sent to OMB – Last Stop Before It Becomes Law (7/22/2025)
The wait is nearly over.
As of July 22, 2025, the Department of Defense (DoD) has officially submitted the final version of the CMMC Acquisition Rule (DFARS Case 2019-D041) to the Office of Management and Budget (OMB) for regulatory review. This is the final step before the CMMC Acquisition Rule is published in the Federal Register and becomes contractually binding across the defense industrial base (DIB).
This rule will formally integrate the Cybersecurity Maturity Model Certification (CMMC) requirements into 48 CFR and DFARS, making cybersecurity compliance not just a best practice but a condition of contract award and performance.
What Does This Mean?
The CMMC Acquisition Rule being under OMB review means DoD has completed its internal regulatory development process and is now seeking final approval. Once OMB clears the rule, likely Fall 2025, it will be published, triggering the official 3-year CMMC phased rollout timeline.
Under this phased implementation:
The final rule will also revise DFARS 252.204-7021, establish enforcement mechanisms, and clarify timelines, flow-down requirements, and penalties for noncompliance.
CMMC as a “Program” is established and codified under 32 CFR Part 170 which became effective December 2024. However, the 48 CFR DFARS CMMC Acquisition Rule is what will enforce CMMC in your contracts. This rule is at its final stage and projected to become effective Fall 2025.
In the meantime, FAR 52.204-21 provides the contractual regulatory requirement to protect FCI, while DFARS 252.204-7012, 7019, 7020 are contractually required when processing CUI. The upcoming DFARS CMMC Acquisition Rule will introduce a new contractual requirement for CMMC, ensuring the protection of both FCI and CUI.
If You’re Not Ready… You’re Already Behind
If your organization:
You may be at risk of losing eligibility to bid or maintain DoD contracts once the rule takes effect.
*** Don’t Wait. Prepare Now. ***
The clock is ticking. This is the final warning bell before enforcement begins.
Whether you're a prime contractor, subcontractor, or MSP supporting DoD clients, you must treat this as a go/no-go moment for your CMMC compliance journey. By the time the final rule hits the Federal Register, the expectation is clear: you should already be in motion.
If you haven’t:
… then it’s time to act NOW!!!
👇 Need Help?
Contact Peerless, we specialize in helping defense contractors assess, remediate, and prepare for CMMC Level 2 certification. Whether you're starting from scratch or need support finalizing your evidence and artifacts, we can help you navigate this final stretch before the rule hits.
Contact us today to start your compliance journey—or get back on track before the door closes on non-compliant contractors.
These Stories on Compliance