Expert Insights | July 24, 2025

CMMC Requirements Will Likely Appear in Most Contracts Starting October

The Department of Defense (DoD) has signalled that Cybersecurity Maturity Model Certification (CMMC) may be required in nearly all new DoD contracts starting October 1, 2025.

On July 23, 2025, the DoD submitted the 48 CFR rule to the Office of Management and Budget (OMB), with clause 204.7503 stating that CMMC certification must be included in all applicable solicitations and contracts awarded after that date.

In other words, CMMC may be going into contracts in less than 3 months. Here’s what that means for the Defense Industrial Base (DIB).

What happened?

By submitting the 48 CFR CMMC Acquisition rule to the OMB on July 23, the DoD provided the clearest and most definitive milestone in the CMMC rulemaking process to date.

The 48 CFR rule includes contract clause 204.7503, which states that CMMC will be a requirement for virtually all DoD contracts starting in October.

Specifically, Clause 204.7503(b) states that the DFARS clause 252.204-7021 must be included:

“…in all solicitations and contracts or task orders or delivery orders… except for solicitations and contracts or orders solely for the acquisition of commercially available off-the-shelf (COTS) items.”

Previously, CMMC was only required for contracts approved by OUSD(A&S) during the interim rollout phase. That phase will likely end on September 30, 2025.

What’s required?

Starting October 1, 2025, most organizations in the DIB will likely need to be certified at CMMC Level 1 or Level 2 to bid on new contracts:

  • Level 1 for FCI only: 15 basic safeguarding requirements and a self-assessment.
  • Level 2 for CUI or SPD: 110 NIST 800-171 controls and 320 assessment objectives. Requires a third-party certification from a C3PAO for most contracts, including all with CUI.

Certification must be achieved before contract award. There is no grace period.

What should you be doing right now?

Here are six actions you should take immediately if you’re a DoD contractor, subcontractor, or service provider—or want to be:

1. Determine your required CMMC level

Know whether you handle Federal Contract Information (FCI), Security Protection Data (SPD), or Controlled Unclassified Information (CUI). If you're unsure, review your contract language and speak with your prime contractor.

2. Determine your scope

Identify the systems, users, vendors, and processes that store or touch CUI, SPD, or FCI. Getting your assessment scope wrong is one of the most common and costly mistakes. If you might need to create an enclave, now is the time to decide.

3. Start implementing controls

For Level 1, that means all controls needed to meet the 15 requirements and their assessment objectives under FAR 52.204-21. For Level 2, that means fully implementing the 110 controls and 320 assessment objectives from NIST SP 800-171—not just policies, but full technical implementation and documentation.

4. Leverage automation

Manual compliance efforts can take months if not years. With certification now required before award and a finite number of assessors, leveraging compliance automation is one of the most effective ways to reduce risk and accelerate readiness.

5. Prepare your SSP, POA&M, and evidence

Document your control implementation in a detailed System Security Plan (SSP). This will likely be hundreds of pages long.

You'll also need to track gaps and document remediation plans in a Plan of Action and Milestones (POA&M), and compile evidence to support every requirement and assessment objective.

You can find an SSP, POA&M, and more than 30 other templates in the Resources Library.

6. Book your C3PAO early

CMMC auditor capacity is limited, with many assessors already booking into 2026. If you wait, you risk missing the window.

Find a C3PAO now that has certified assessors, strong CMMC experience, clear communication processes, and availability aligned with your certification timeline. If you use a compliance automation platform, your C3PAO should be familiar with it.

Why you shouldn’t wait

Given this announcement, the time to act is now. Here are five reasons you shouldn’t wait:

  1. The deadline has been announced. While the 48 CFR rule still has to pass OMB and Congressional review, it's expected to pass quickly because it simply implements the 32 CFR rule, which went into effect in December 2024. In other words: you now have a fixed date and a shrinking runway to get certified or risk losing contract eligibility.
  2. CMMC is complex. CMMC is more demanding than SOC 2 or ISO 27001, especially around documentation and scope, so you’ll need to plan for more time and resources.
  3. The ecosystem is strained. There are already more organizations seeking certification than there are assessors available. This strain is only expected to worsen with this deadline announcement.
  4. You may be in scope even without a CMMC clause or CUI in your contract. Service providers supporting other contractors can be pulled into their audit boundaries and must be able to provide evidence of their control implementation to every customer undergoing an audit—or be compliant themselves.
  5. Compliance will be a competitive advantage. Early movers, like Manufacturing Consulting Concepts (MCC), are already seeing opportunities open up due to their proactive compliance.

Bottom line: The 48 CFR rule has been submitted, so CMMC enforcement is happening sometime this year. Whether you’re a small subcontractor or a major DoD supplier, now is the time to prepare.
