The clock is ticking for contractors to comply with the Department of Defense’s (DoD) long-anticipated cybersecurity compliance policy. By Oct. 1, the Cybersecurity Maturity Model Certification (CMMC) clause could start appearing in all applicable DoD contracts.

On July 22, DoD sent 48 CFR – the final regulatory piece that outlines how CMMC will be applied in contracts – to the Office of Management and Budget for final review. While the final rule hasn’t yet been published in the Federal Register, the Electronic Code of Federal Regulations (eCFR) has already been updated with the final language.

According to the updated documents, before Oct. 1, CMMC requirements can already be included in solicitations and contracts if the statement of work calls for a specific certification level. This applies to all types of contracts, except for commercial off-the-shelf (COTS)-only acquisitions. However, any inclusion of CMMC during this period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.

On or after Oct. 1, the inclusion of the CMMC clause becomes mandatory in all applicable contracts, with no further approvals required.

The CMMC program – first introduced in 2020 – requires defense industrial base (DIB) contractors to implement cybersecurity measures for Federal Contract Information (FCI) and introduces new requirements for Controlled Unclassified Information (CUI). Level 1 covers FCI, Level 2 applies to CUI with self- or third-party assessments, and Level 3 involves high-risk CUI reviewed by DoD assessors. An annual affirmation is also required to ensure ongoing compliance.

DoD released the final CMMC rule in October 2024 – exactly one year before it’s set to begin appearing in contracts.

CMMC’s Regulatory Journey: DoD vs. Industry

CMMC’s original rollout was met with pushback, particularly from smaller firms concerned about compliance costs. In response, the DoD released a streamlined version — CMMC 2.0 — in 2021, which reduced the number of certification levels from five to three and attempted to lower the burden without sacrificing critical protections.

Despite the revisions, some industry leaders still argued the requirements are too demanding for smaller businesses. But with the eCFR update and 48 CFR nearing finalization, it’s clear: ready or not, CMMC is here to stay.

Dr. Thomas Graham, Chief Information Security Officer at Redspin — one of the first authorized CMMC Third Party Assessment Organizations — warned that delaying preparation is no longer a safe option.

“The proposed rule currently states that on or after October 1, 2025, the CMMC requirement becomes language that can be included in contracts released by the Department, and enforcement will scale from there. Contractors still waiting for a final published rule to start preparing are gambling with their future business. Now is the time to act,” he said in a statement sent to MeriTalk.

Katie Arrington, the Pentagon’s Acting Chief Information Officer and original leader of the CMMC program, has also been blunt in her message to industry.

“Complaining to the world that the CMMC is too hard … you’re – and I want to say with the most respect I can to anybody – you’re foolish in what your statement is,” she said during an Intelligence and National Security Alliance Coffee Series webinar. “What you’re saying is you’re noncompliant.”

Arrington argued that public complaints about the program give adversaries like China, Russia, and North Korea a roadmap for targeting vulnerabilities.

“The business of defense is not something we should take lightly,” she said. “If it’s too hard, get out of the business.”

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.