CMMC Final Rule Reaches OMB Review: What It Means for DoD Contractors

Update – September 2025

On September 9, 2025, the 48 CFR CMMC Final Rule went out for public inspection, to be officially published in the Federal Register on September 10, 2025. On November 10, 2025, the official phased rollout of CMMC requirements in Department of Defense (DoD) contracts begins.

This development confirms that CMMC enforcement is imminent. If you have not yet reviewed your SSP, validated your POA&M, or mapped your scope, now is the time to act!

Edwards has championed CMMC from the beginning. Click here to schedule your free consultation.

July 25, 2025

The long-anticipated CMMC Assessment Requirement Rule has officially landed at the Office of Management and Budget (OMB), the final stop before publication in the Federal Register. This marks a major turning point for Department of Defense (DoD) contractors, as CMMC compliance begins shifting from theory to enforceable policy.

Demand for CMMC professionals is about to spike. Edwards training prepares future CCPs and CCAs to step into their roles with the knowledge and tools to succeed under the new contract rules. Visit our Training Schedule to get more information and reserve your seat.

___ 

Why the OMB Review Matters for CMMC Compliance

  • Publication is likely imminent
    Now that OMB is reviewing the rule, many industry experts anticipate official publication by October 2025.
  • No waiting period
    Because the rule isn’t classified as “economically significant,” it’s expected to take effect immediately once published.
  • Contracts will change quickly
    New DoD solicitations will begin to include CMMC clauses requiring either a self-assessment or full certification depending on the data sensitivity.

_____

How CMMC Becomes Law: Understanding 32 CFR and 48 CFR

To understand how CMMC becomes legally binding, it helps to know how the rule is structured across two distinct parts:

32 CFR – The Program Rule

This section of the Code of Federal Regulations outlines how the CMMC program is governed within the Department of Defense. It establishes the CMMC Program Office, defines the roles of authorized assessors and third-party organizations, and sets expectations for how assessments are conducted. These elements form the operational backbone of CMMC implementation, providing structure and oversight in advance of contract-level requirements.

  • Establishes governance and timelines.
  • Sets the operational framework for CMMC.
  • Defines roles for C3PAOs and assessors.

48 CFR – The Contract Rule

This section of the Code of Federal Regulations governs how CMMC requirements are formally incorporated into the acquisition process. It integrates CMMC into the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS), enabling contracting officers to include CMMC as a condition of award. Now under final review at the Office of Management and Budget, this rule represents the final step in making CMMC contractually enforceable across the defense industrial base.

  • Enables CMMC requirements in new DoD contracts.
  • Allows for flow-down obligations to subcontractors.
  • Defines when and how compliance must be demonstrated.

In short:
32 CFR = Outlines how the CMMC program is organized and implemented
48 CFR = Determines when CMMC requirements must appear in contracts

CMMC Enforcement: DFARS Clauses Contractors Must Understand

Once the CMMC rule is finalized, three specific DFARS clauses will play a critical role in contract language and compliance enforcement:

DFARS 252.204-7012

“Safeguarding Covered Defense Information and Cyber Incident Reporting”

  • Requires implementation of NIST SP 800-171.
  • Mandates reporting of cyber incidents.
  • Applies to any contractor handling Covered Defense Information (CDI).

This clause is still in effect and forms the foundation of CMMC Level 2.


DFARS 252.204-7019

“Notice of NIST SP 800-171 DoD Assessment Requirements”

  • Requires self-assessment against the 110 NIST controls.
  • Contractors must upload scores to SPRS (Supplier Performance Risk System).
  • Serves as a pre-certification benchmark and accountability layer.


DFARS 252.204-7020

“NIST SP 800-171 DoD Assessment Requirements”

  • Authorizes DoD to validate contractor assessments and review SSPs.
  • Supports official oversight and audit capabilities.


DFARS 252.204-7021 (Pending Update)

“Cybersecurity Maturity Model Certification Requirements”

  • Will be updated to reflect the final CMMC rule.
  • Expected to require certification at time of award.
  • Mandates flow-down of CMMC requirements to subcontractors.

Summary Table: How CMMC Rules and DFARS Clauses Align

32 CFR (CMMC Program Rule) | Establishes how the CMMC program operates: framework, assessments, and governance
48 CFR (Contract Rule) | Embeds CMMC into FAR/DFARS, making it contractually enforceable
DFARS 252.204-7012 | Requires protection of Covered Defense Information and cyber incident reporting
DFARS 252.204-7019 | Requires NIST SP 800-171 self-assessment and SPRS score submission
DFARS 252.204-7020 | Authorizes DoD to review and validate contractor SSPs and compliance efforts
DFARS 252.204-7021 (Pending Update) | Will formally require CMMC certification and flow-down to subcontractors

Preparing for CMMC Compliance: What Contractors Should Do Now

Whether publication happens in September, October, or slightly later, one thing is clear: CMMC is no longer hypothetical. Once the rule goes live, DoD contracting officers will be required to include it in solicitations, and contractors must comply before award.

If you haven’t already, now is the time to:

  • Review your SSP for accuracy and completeness.
  • Map out your POA&M timeline.
  • Validate that your scope is appropriate and well-documented.

Delaying could put you at risk of missed opportunities, or worse, a failed assessment.

Need Help Getting Ready?

Let Edwards Performance Solutions guide you from uncertainty to certification.
We’ll help you strengthen your documentation, close compliance gaps, and prepare for what’s next. Our team brings deep expertise across the full CMMC assessment process – from scoping and gap analysis to final readiness.

Contact us today to schedule a readiness review or talk through your CMMC strategy.

Discover Edwards Performance Solutions

Tailored Expertise. Comprehensive Support.

At Edwards, we bring together Performance Management, Organizational Resilience, Training and Development, and Cybersecurity Compliance to help teams work smarter, adapt faster, and build lasting success.

If you are ready for a partner who understands both the big picture and the real challenges that come with meaningful work, let us know how we can support you.
