CMMC Deadline 2025 Update: CMMC May Be Required in Most Contracts Starting This October

July 24, 2025

Author: Anna Fitzgerald, Senior Content Marketing Manager

Reviewer: Rob Gutierrez, Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

The U.S. Department of Defense (DoD) just signaled that CMMC may be required for nearly all contracts starting October 1, 2025.

On July 22, 2025, the DoD submitted the 48 CFR rule to the Office of Information and Regulatory Affairs (OIRA), a part of the Office of Management and Budget (OMB). Included in the submission was clause 204.7503, which states that CMMC certification will be required for most federal contracts starting in October.

Let’s break down what this means for the Defense Industrial Base (DIB) and how Secureframe can help you get assessment-ready in time.

What’s the 48 CFR rule and clause 204.7503 specifically?

To understand the significance of this announcement, it’s helpful to be familiar with the rulemaking process behind CMMC 2.0.

CMMC 2.0 is already final and here to stay. The 32 CFR rule, which governs the overall structure and policy of the CMMC program, went into effect in December 2024. But so far, CMMC hasn’t actually appeared in DoD contracts. That’s because it takes a second rule — the 48 CFR CMMC Acquisition rule — to implement CMMC in defense contracts.

The 48 CFR rule will implement the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, Cybersecurity Maturity Model Certification Requirements, to formally require CMMC certification as a condition for contract award. It will do so with clause 204.7503, the Contract clause, which outlines exactly how and when those requirements must be included.

Here’s what clause 204.7503(b) says:

“On or after October 1, 2025, [the clause at 252.204-7021 shall be used] in all solicitations and contracts or task orders or delivery orders… except for solicitations and contracts or orders solely for the acquisition of commercially available off-the-shelf (COTS) items.”

In plain terms, this says that CMMC will be required in virtually all new DoD contracts starting October 1, 2025 instead of at the discretion of DoD program managers.

What happens next in the phased rollout?

The July 22 submission to the OIRA is a major milestone in the CMMC rulemaking process. Here’s what comes next.

Once the 48 CFR rule becomes final after undergoing OIRA review, the CMMC phased rollout will officially begin.

CMMC will be implemented across DoD contracts in four distinct phases, with each kicking off one year after the preceding phase:

  • Phase 1 (2025): Requires CMMC Level 1 or Level 2 self-assessments on select contracts. Begins on the effective date of the 48 CFR rule.
  • Phase 2 (2026): Requires third-party assessments for Level 2 certifications for new contracts.
  • Phase 3 (2027): Requires CMMC Level 2 certifications to exercise option periods on applicable contracts awarded after the effective date of the CMMC rule and introduces Level 3 certifications.
  • Phase 4 (2028): Full implementation of CMMC requirements across all applicable DoD contracts.

While the full rollout will extend through 2028, organizations cannot wait until then. With Level 1 and Level 2 requirements likely appearing in all applicable contracts as soon as October, most of the DIB will have to implement CMMC as soon as possible.

What this CMMC deadline means for the Defense Industrial Base

If you handle Federal Contract Information (FCI), Security Protection Data (SPD), or Controlled Unclassified Information (CUI) and plan to bid on DoD contracts after October 1, 2025, or want to remain a subcontractor for prime contractors doing so, you’ll need to be CMMC certified.

The DoD estimates that over 220,000 entities will get CMMC certified, and 99% will be at Levels 1 and 2 (63% for L1 and 36% for L2).

  • CMMC Level 1: For organizations handling FCI, Level 1 requires implementation of 15 basic safeguarding requirements from FAR 52.204-21 and a self-assessment.
  • CMMC Level 2: For organizations handling CUI or SPD, Level 2 requires implementation of all 110 requirements and 320 assessment objectives from NIST 800-171 and a C3PAO-led assessment for most contracts (self-assessments are limited to select non-critical contracts).

To meet Level 1 requirements, contractors should:

  • Understand what FCI is and where it resides in your environment
  • Implement controls to meet the 15 requirements from FAR 52.204-21
  • Maintain documentation and evidence showing these practices are in place and operating effectively
  • Ensure access controls, device protections, and data handling procedures align with the CMMC scoping guide for Level 1
  • Perform and submit a self-assessment, including an affirmation from a senior company official

While Level 1 is less complex than Level 2, organizations should not underestimate the effort required. Self-assessments can still be time-consuming, especially without tools to help track and document control implementation across teams and systems.

To meet Level 2 requirements, contractors should:

  • Identify your assessment scope by mapping where CUI and/or SPD resides and what systems, users, and vendors interact with it
  • Fully implement the 110 controls and 320 assessment objectives from NIST SP 800-171
  • Document your control implementation in a detailed System Security Plan (SSP) and Plan of Actions and Milestones (POA&M)
  • Inventory in-scope vendors, assets, and data flows and confirm vendor compliance
  • Conduct a gap assessment to validate implementation and readiness
  • Select a C3PAO with certified assessors, clear communication processes, and audit availability aligned with your timeline

CMMC Level 2 compliance is much more complex and time-intensive, especially compared to other frameworks like SOC 2 and ISO 27001.

Since these steps must be completed before contract award and demand for assessment services will surge, the time to get ready is now.

Are you just getting started with CMMC? Check out our Pocket Guide to CMMC for a high-level overview of the CMMC 2.0 history, levels, and requirements to help orient your compliance journey.

Why now is the time to start preparing for the CMMC deadline

With the 48 CFR rule now submitted, pressure to achieve CMMC certification is at an all-time high, especially for small and midsize contractors who may be new to CMMC 2.0.

Here are five of the most compelling reasons to get started on your compliance journey now:

1. The deadline is now official—and soon

Even with a phased rollout, CMMC will be required for nearly all new DoD contracts starting October 1, 2025. If you wait until Q1 2026 to begin, you may already be out of the running.

Preparing for CMMC certification, especially for a Level 2 certification, can take several months—or longer—depending on your current posture, resource availability, and assessment readiness. The earlier you start, the more options you’ll have.

2. CMMC is significantly more complex than other frameworks

Many organizations mistakenly assume that CMMC will be similar to frameworks they’ve already achieved, like SOC 2 or ISO 27001. But that’s not the case.

“Coming from an organization that has gone through SOC 2 and ISO 27001 certification — and as an auditor who has performed hundreds of PCI audits — I can say that CMMC is on another level,” Marc Rubbinaccio, Head of Security and Compliance at Secureframe, said in a recent IQT GPA webinar.

That complexity shows up in every stage of the process — from defining your scope and implementing 110 NIST 800-171 controls, to developing extensive documentation like your System Security Plan (SSP), which can stretch well beyond 150 pages. Waiting too long to prepare means you’re not just racing against the clock — you’re doing so with one of the most demanding federal compliance frameworks out there.

3. The CMMC ecosystem is already showing signs of strain

Demand is already outpacing supply in the CMMC ecosystem, and that pressure will only grow now that the deadline has been finalized:

  • There are more Organizations Seeking Certification (OSCs) than authorized assessors available
  • C3PAO waitlists and costs are rising as demand for assessors grows
  • Primes are putting pressure on subcontractors to prove CMMC readiness ahead of contract flow-downs

The longer you wait, the harder (and more expensive) it may be to get on an auditor’s calendar before the deadline.

4. You may be in scope even if CMMC or CUI isn’t in your contract

For some service providers, CMMC certification is the most efficient way to meet their responsibilities, even if they’re not directly under contract with the DoD.

Cloud platforms, SOCs, and MSSPs that support defense contractors are often pulled into CMMC assessments as part of the contractor’s boundary and/or as part of flow-down requirements. These providers are then responsible for supplying evidence of their control implementation to every customer undergoing an audit.

Getting CMMC compliant yourself can reduce the burden of participating in each of your customers’ assessments, and strengthen your security posture and competitive advantage.

5. CMMC certification will be a competitive advantage

While some view CMMC compliance as a cost of doing business, others see it as an opportunity to stand out in a crowded market.

Secureframe customer Manufacturing Consulting Concepts (MCC) has already achieved CMMC Level 2 compliance and is able to provide that assurance when customers reach out for proof.

Getting CMMC certified will open doors if you’re planning to work directly with the DoD or their contractors.

Whether you’re a subcontractor handling FCI, SPD, or CUI or a prime bidding on major defense contracts, starting your compliance journey now is the best way to avoid a last-minute scramble—or worse, losing eligibility for new business.

How Secureframe can help you hit the 2025 CMMC deadline

With this rulemaking milestone and enforcement imminent, the window for preparation is closing fast. If you’re a defense contractor, your organization needs to be ready for a third-party assessment sooner rather than later.

Secureframe can help you fast-track your assessment readiness with everything needed to meet CMMC requirements in one centralized platform:

  • Automatically assess compliance gaps and collect and organize evidence from across your tech stack to support all 110 requirements and 320 assessment objectives
  • Generate your SSP, POA&M, and SPRS score without relying on spreadsheets and manual formatting
  • Continuously monitor controls for misconfigurations and failures across 300+ integrations
  • Get guided support from former federal auditors with FedRAMP and CMMC expertise — including our own first-hand experience navigating both frameworks
  • Map CMMC controls to 40+ other frameworks including FedRAMP, GovRAMP, and NIST 800-53
  • Access pre-built policy templates mapped to NIST 800-171 and CMMC 2.0
  • Collaborate seamlessly with Coalfire Federal or your chosen C3PAO within the platform to streamline the assessment process

CMMC is happening. Whether you’re just getting started or need to accelerate in the final stretch, Secureframe gives you the tools and support to get assessment ready fast. Don’t wait until the last minute.

Schedule a demo to see how Secureframe can help you hit the deadline with confidence.
