Support: 800-699-0925 Sales: 800-481-1984

SysArc

IT Company

48 CFR Rule: CMMC Will Be In Contracts As Early As October 2025

by

The Department of Defense (DoD) officially submitted the final 48 CFR rule to the Office of Information and Regulatory Affairs (OIRA) for review. This important step paves the way for CMMC requirements to be incorporated into defense contracts as early as October 2025.

What Is the 48 CFR Rule?

The rule covers 48 CFR Parts 204, 212, 217, and 252 and establishes CMMC acquisition policies along with standardized contract language. While 32 CFR Part 170 has been effective since December 2024, the 48 CFR rule is necessary to formally authorize the inclusion of CMMC language in solicitations and contracts.

The final rule’s submission to OIRA marks the second-to-last stage before it becomes official, enabling CMMC to be enforceable in defense contracts. OIRA has 90 days to review and it could take one to three weeks for the final rule to be published in the Federal Register.

Therefore, we expect to see CMMC requirements in contracts starting in late October 2025.

What Is the Significance?

CMMC requirements remain unchanged—they were established by 32 CFR Part 170. However, the 48 CFR rule:

  • Adds the DFARS 252.204-7021 clause to contracts
  • Grants contracting officers the authority to include CMMC language in solicitations
  • Initiates the four-phase rollout of the CMMC program

The Four Phases:

Why You Need to Act Now

If your organization plans to bid on or receive DoD contracts after October 2025, obtaining CMMC Level 2 certification could be mandatory. 

Key points to keep in mind:

  • CMMC Level 2, verified through C3PAO assessments, can be required starting in Phase 1 (i.e., in 2025), since contracting officers have discretion regarding certification requirements.
  • Waivers probably won’t happen, as they are pre-determined at the acquisition level and are not typically granted to subcontractors or late bidders.
  • The time between solicitation release and contract award—known as the Procurement Administrative Lead Time (PALT)—is usually short (around 32 days), leaving little room to begin CMMC compliance after a solicitation is issued.

Next Steps…

CMMC compliance takes time. Most organizations need 9 to 12 months to fully implement NIST SP 800-171 controls, validate compliance, and successfully pass a C3PAO assessment.

If your organization handles Controlled Unclassified Information (CUI), is a prime contractor or subcontractor within the defense industrial base, and plans to bid on contracts in 2026 or sooner, then you should already be in the CMMC assessment and implementation phase.

SysArc is has helped DoD contractors like FN America, Honeycomb Company of America, and 2 Circle prepare for CMMC. To learn how we may help your organization prepare for CMMC, get a free consultation.

  • Contact Us for a Free Cybersecurity Consultation

    Learn how we can protect your company's data and help you become compliant.

    Free Consultation