Final Rule Update: 48 CFR and the CMMC Contract Clause Are Now in Motion
On July 22, 2025, the Department of Defense submitted the final rule for DFARS Case 2019‑D041 to the Office of Information and Regulatory Affairs (OIRA). This rule amends Title 48 CFR and enables the inclusion of the CMMC clause (DFARS 252.204‑7021) in nearly all DoD solicitations and contracts, possibly starting in October 2025.
What Is the 48 CFR Rule and Why Does It Matter
There are two core regulations that govern the Cybersecurity Maturity Model Certification (CMMC) Program:
- 32 CFR Part 170: Establishes the CMMC Program framework, including DoD policy, certification levels, assessment requirements, roles and responsibilities, and waiver conditions.
- 48 CFR Parts 204, 212, 217, and 252: Implements CMMC acquisition policy, enabling standardized contract language and enforcement across DoD solicitations and awards.
While 32 CFR Part 170 has been in effect since December 2024, establishing the CMMC Program framework, the 48 CFR rule is required to formally authorize the use of CMMC clauses in DoD solicitations and contracts.
On July 22, 2025, the final 48 CFR rule was submitted to OIRA for regulatory review. This is the penultimate step before publication in the Federal Register, after which CMMC will become contractually enforceable.

| Milestone | Description |
|---|---|
| Submission to OIRA | Final rule sent July 2025 for DFARS Case 2019‑D041 |
| OIRA Review Period (90-120 Days) | OIRA has up to 90 days to review an agency-submitted rule, with the option to extend its review by one additional 30‑day period. |
| Federal Register Publication | Expected Q4 2025; rule effective immediately upon publication. |
| CMMC Contract Mandate Begins | Use of DFARS clause 252.204‑7021 in solicitations/contracts is likely by October 2025 |
Current Requirements: NIST SP 800‑171 Under DFARS 252.204‑7012
DoD already requires contractors to comply with NIST SP 800‑171 via DFARS clause 252.204‑7012, which is included in all contracts involving Controlled Unclassified Information (CUI).
Key points:
- Mandatory Now: Compliance with NIST SP 800-171 is not optional or future-dated. It is already a current requirement for contractors and subcontractors that handle CUI.
- Contract Clause: DFARS 252.204-7012 must be flowed down to subcontractors if they are expected to handle CUI.
- Cyber Incident Reporting: This clause also includes obligations for reporting cyber incidents to the DoD within 72 hours.
What’s Changing with the 48 CFR Rule
The 48 CFR acquisition rule does not alter the core CMMC security requirements established under 32 CFR Part 170. Instead, it governs how those requirements are implemented in DoD contracts. Specifically, the 48 CFR rule:
- Mandates inclusion of DFARS clause 252.204‑7021 in applicable DoD contracts.
- Authorizes contracting officers to include CMMC requirements in solicitations and awards.
- Initiates the phased rollout of CMMC enforcement, bringing certification into effect contractually over several years.
Why Contractors Should Act Immediately
CMMC Level 2 certification could become mandatory for DoD contract eligibility starting October 2025. Certification can take 9–12 months, and primes are already demanding it. With limited PALT windows, readiness must come before the solicitation, not after.
- CMMC certification typically takes 9–12 months, so a delay reduces your buffer before contract deadlines.
- Procurement Administrative Lead Time (PALT) offers limited time, from solicitation release to award, so CMMC readiness should precede contract opportunities.
- Prime contractors increasingly demand certified suppliers ahead of official rule enforcement.
Key Compliance Timing to Watch
- CMMC Level 2 (C3PAO assessments) may be required as early as Phase 1 in 2025, as contracting officers have discretion to include certification requirements from the start.
- Waivers are rare and pre-defined; they are not available on request or for subcontractors lacking certification.
- The window between a DoD solicitation and contract award, known as Procurement Administrative Lead Time (PALT), is typically too short to begin your CMMC compliance process after a solicitation is released. According to a Government Accountability Office report, the average PALT is about 32 days.
Prepare Now. Don't Delay.
CMMC readiness isn’t instant: most organizations need time to implement NIST SP 800-171, validate compliance, and complete a C3PAO assessment.
If you:
- Handle Controlled Unclassified Information (CUI).
- Are a DoD prime or subcontractor.
- Plan to bid on contracts in 2026 or sooner.
You should already be in the implementation or assessment phase (yes, already!).
How StratoKey Can Help
StratoKey helps defense contractors to meet key NIST SP 800-171 and CMMC requirements by protecting Controlled Unclassified Information (CUI) in systems like NetSuite, Pipedrive, Salesforce, Jira and Confluence (among others).
The StratoKey Cloud Data Protection Platform delivers:
- FIPS 140-3 validated field-level encryption and field-level tokenization to secure CUI.
- Data residency and sovereignty enforcement through tokenization to help you keep CUI within your defined FedRAMP-authorized environment.
- Access controls, audit logging, and analytics to support compliance with the 3.1, 3.3, and 3.6 control families.
With CMMC timelines tightening, StratoKey provides fast, proven solutions to help organizations close compliance gaps before they delay your bids.
CMMC Compliance FAQs
What is the CMMC Final Rule?
The CMMC Final Rule, published as 32 CFR Part 170, is a set of requirements and guidelines set by the DoD. This rule establishes a tiered certification framework (Levels 1–3) to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across the defense supply chain.
Is CMMC compliance currently required for DoD contracts?
CMMC will be required in most new DoD contracts starting October 1, 2025, under clause 204.7503 of the 48 CFR Acquisition Rule. While implementation will follow a phased rollout, contractors must prepare now to meet the CMMC requirements.
Has CMMC 2.0 been finalized and released?
Yes. The CMMC 2.0 Final Rule was published in October 2024 and became effective in December 2024 under 32 CFR Part 170. It simplifies the original model while maintaining core cybersecurity protections and enables a phased enforcement via DoD contracts starting in late 2025.
What is the deadline for CMMC certification?
The effective deadline for most contractors is October 1, 2025, when CMMC certification will begin appearing in new DoD solicitations and contracts. This requirement is driven by the pending 48 CFR Final Rule, submitted to OIRA on July 22, 2025, which includes DFARS clause 252.204-7021 mandating CMMC compliance.
Final Thoughts
The July 2025 submission to OIRA marks a critical regulatory milestone. Once the revised 48 CFR rule is published, CMMC Level 2 certification will be contractually mandatory. With enforcement likely starting in October 2025, defense contractors must act now to maintain eligibility.
CMMC is no longer a future initiative; it’s here. StratoKey has limited Q4 availability for projects. Act now to prioritize your project.