CMMC 2.0 enforcement just crossed its most significant threshold yet.

On August 25, the 48 CFR CMMC Acquisition Rule officially cleared review by the Office of Information and Regulatory Affairs (OIRA). The rule now awaits final publication in the Federal Register, the last step before the Department of Defense (DoD) begins requiring CMMC certification in contracts.

Once published, CMMC will be enforceable 60 days later, at most. Contract officers will begin including certification requirements as soon as it goes into effect, starting with self-assessments and some Level 2 third-party assessments. 

Source: Open DFARS Cases as of 8/29/2025

Why this changes the CMMC 2.0 timeline

This milestone is different from earlier steps in the CMMC rulemaking process. 

Unlike the 32 CFR rule, which defined the program, the 48 CFR rule operationalizes it, giving the DoD authority to include CMMC requirements in solicitations and contracts.

By clearing regulatory review, this latest milestone in the 48 CFR rulemaking process means CMMC 2.0 enforcement is no longer theoretical—it’s imminent.

Once the rule goes into effect:

• DFARS clause 252.204-7021—also known as the CMMC clause—becomes mandatory in most new contracts.
• Phase 1 of the CMMC rollout begins, starting with Level 1 and Level 2 self-assessments.
• DoD acquisition offices may require Level 2 third-party assessments at their discretion.
• There is no grace period. Certification must be achieved before award.

What contractors should expect in their defense contracts

If your organization touches FCI, CUI, or SPD, assume you’ll need to demonstrate at least:

• CMMC Level 1 (Self) for contracts involving FCI only
• CMMC Level 2 (Self) for contracts involving CUI or SPD

We say “at least” because the DoD can require CMMC Level 2 (C3PAO) for select contracts involving sensitive CUI or SPD during this phase.

According to DoD estimates, the self-assessment requirements alone in Phase 1 could impact 65% of the Defense Industrial Base.

This isn’t limited to defense contractors either—subcontractors, service providers, and other organizations in the defense supply chain may be pulled into scope via flow-down or assessment boundary requirements.

What’s next in the CMMC 2.0 timeline?

The next public milestone will be the Federal Register publication, which will specify:

• The official effective date
• How the rule applies to new vs. existing contracts
• Any exceptions (e.g., classified contracts or non-IT services)

Once that’s live, the countdown to enforcement will officially begin.

What to do if you’re not CMMC ready yet

The rule that will bring CMMC requirements into DoD contracts has cleared its final hurdle. With publication in the Federal Register expected as soon as next week and enforcement possible shortly after, contractors are nearly out of runway.

If you haven’t finalized your CMMC scope, implemented controls, or booked your C3PAO, now is the time.

You can drastically simplify and speed up CMMC 2.0 certification with automation and expert guidance.

Secureframe, along with their C3PAO partner Coalfire Federal, is the most comprehensive and efficient solution for defense contractors and other members of the DIB to navigate CMMC 2.0 requirements and achieve certification fast. strategic partnership with Coalfire, the leading provider of federal cybersecurity advisory and assessment services. Contact a product expert to learn more. 

We’ll continue tracking developments and break down the final rule language as soon as it’s published. Check out the CMMC.com newsroom for more coverage of the latest CMMC updates, CyberAB Town Hall recaps, and other expert insights.