The CMMC 2.0 Rulemaking Process

CMMC 2.0 represents a significant overhaul of the Department of Defense’s (DoD) cybersecurity framework for defense contractors. 

After receiving feedback from the defense industry, Congress, and other stakeholders, the DoD moved away from its original CMMC framework (known as CMMC 1.0) toward a more streamlined model (known as CMMC 2.0).

Introduced in November 2021, CMMC 2.0 made changes to the original framework to meet three key objectives:

  • reducing costs, particularly for small businesses
  • increasing trust in the CMMC assessment ecosystem
  • clarifying and aligning cybersecurity requirements to existing federal requirements and commonly accepted standards

To ensure continued alignment with federal regulations and input from industry stakeholders, CMMC 2.0 underwent a rigorous rulemaking process. It will be complete on November 10, 2025, nearly four years after CMMC 2.0 was first introduced.

Let's dive into what happened in those four years below.

Key stages in the CMMC 2.0 rulemaking process: How the 32 CFR CMMC Program Rule was finalized

The CMMC 2.0 rulemaking process followed a structured approach to ensure clarity, transparency, and industry engagement. However, because of the length of the rulemaking process, it may not seem so clear. Below we’ll break down the process into the most important milestones so you can better understand how the program has evolved over time. 

4 major milestones in the rulemaking process for 32 CFR CMMC Program rule

This section will cover the rulemaking process for the 32 Code of Federal Regulations (CFR) CMMC Program rule, which officially established the CMMC 2.0 program. The next section will cover the separate rulemaking process for the 48 CFR CMMC Acquisition rule, which will actually implement CMMC requirements in DoD contracts starting November 10, 2025.

December 2023: Release of the CMMC 2.0 Proposed Final Rule (32 CFR rule)

On December 26, 2023, the DoD published the 32 CFR CMMC Program Rule, the much-anticipated proposed rule change for the CMMC program. Dubbed CMMC 2.0, the proposed rule change revised certain aspects of the program to address public concerns in response to DoD's initial vision for the CMMC 1.0 program published back in 2020.

Most notably, CMMC 2.0 streamlined and simplified the process for small and medium-sized businesses by reducing the number of assessment levels from five to three. These levels aligned cybersecurity requirements to the sensitivity of unclassified information to be protected. It also added a self-assessment requirement to affirm implementation of applicable cybersecurity requirements and a certification requirement to verify implementation of cybersecurity requirements. These elements were added to ensure accountability while minimizing barriers to compliance with DoD requirements.

February 2024: End of public comment period for the CMMC 2.0 Proposed Final Rule

The rule change was open for comment for 60 days. During this period, industry stakeholders submitted feedback on the proposed rule. Nearly 800 comments were received before the public comment period closed on February 26, 2024 at 11:59 p.m. These comments informed the Final Rule. 

October 2024: Release of the CMMC 2.0 Final Rule

The DoD reviewed comments and made adjustments to improve the feasibility and effectiveness of the final 32 CFR rule. Because of the number of comments, this took most of 2024. They published this final rule, also known as the updated 32 CFR rule, in the Federal Register on Tuesday, October 16 for a 60-day congressional review period.

December 2024: Effective date of the CMMC 2.0 Final Rule

CMMC 2.0 completed its 60-day congressional review period without any changes on December 16, 2024. At this point, rulemaking was complete and the CMMC 2.0 program went into effect. 

While assessments were available at this time, CMMC requirements were not included in DoD contracts yet. Let’s look at why below.

The rulemaking process for the 48 CFR CMMC Acquisition Rule

While the 32 CFR rule finalized the program structure, a separate rule — the 48 CFR Acquisition Rule — is required to mandate CMMC in DoD contracts by updating the Defense Federal Acquisition Regulation Supplement (DFARS).

Let’s walk through the key milestones of this second rule.

48 CFR CMMC rule milestones as of September 10, 2025

September 2020: Release of the 48 CFR CMMC Acquisition interim final rule

On September 9, 2020, DoD published the 48 CFR CMMC interim final rule, Defense Federal Acquisition Regulation Supplement (DFARS): Assessing Contractor Implementation of Cybersecurity Requirements. This implemented the DoD’s vision for the initial CMMC Program and outlined the basic features of the framework, including the five-tiered model, required assessments, and implementation through contracts, to protect FCI and CUI. 

This interim rule was open for public comment for 60 days. During this period, they received approximately 750 comments. These comments highlighted a variety of industry concerns related to:

  • the costs for a C3PAO certification
  • the costs and burden associated with implementing, prior to award, the required process maturity and 20 additional cybersecurity practices that were included in the CMMC 1.0 Program
  • interpretations of the CMMC framework implementation requirements and control objectives
  • the impact the rule would have on small businesses in the DIB

November 2020: Effective date of 48 CFR interim final rule

The 48 CFR CMMC interim final rule became effective on 30 November 2020. Designed to increase compliance with its cybersecurity regulations and improve security throughout the defense industrial base (DIB), this rule introduced one new provision and two new clauses:

  • DFARS provision 252.204-7019: Requires contractors to conduct a NIST SP 800-171 self-assessment and submit scores via the Supplier Performance Risk System (SPRS) for contract eligibility.
  • DFARS clause 252.204-7020: Ensures subcontractors have SPRS scores on file before contract award.
  • DFARS clause 252.204-7021, also known as 48 CFR 252.204-7021: Mandates contractors achieve and maintain the required CMMC certification level and flow down requirements to subcontractors.

This rule kicked off the five-year phase-in period. 

March 2021: Start of DoD’s internal review of CMMC’s implementation

Because they received so much feedback on the 48 CFR CMMC interim final rule, the DoD decided to pause the planned CMMC rollout and initiate an internal review of CMMC’s implementation in March 2021. This review involved cybersecurity and acquisition leaders within DoD, who worked to refine policy and program implementation based on input received from industry and from the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) relating to the initial CMMC Program.

August 2024: Release of proposed rule change to 48 CFR 

On August 15, 2024, the Department of Defense (DoD) published for public comment its proposed amendments to the 48 Code of Federal Regulations (CFR) rule. These amendments focused on incorporating contractual requirements related to the CMMC 2.0 program requirements proposed in 32 CFR part 170.

The most notable changes included:

  • Requiring contractors to prove CMMC compliance at the level included in a given solicitation and contracting officers to verify the results in the SPRS.
  • Requiring contractors to obtain certifications or perform self-assessments under the CMMC program before contract award by adding a new provision, DFARS 252.204-7YYY.
  • Requiring contractors to maintain compliance at the specified CMMC level throughout contract performance and notify contracting officers if lapses or changes in CMMC certification levels occur.
  • Removing the Non-Federal Organization (NFO) control requirements.

October 2024: End of public comment period

The public comment period closed on October 15, 2024 at 11:59 p.m. At this point, the DoD had to review this feedback and make any final changes to the rule before submitting it to the Office of Information and Regulatory Affairs (OIRA) for regulatory review. The rule was expected to go before Congress in mid-October, but this did not happen. 

July 22, 2025: 48 CFR Rule Submitted to OIRA

On July 22, 2025, the DoD submitted the final 48 CFR Acquisition Rule to the Office of Information and Regulatory Affairs (OIRA), a part of the Office of Management and Budget (OMB), for review. Included in the submission was clause 204.7503, which stated that CMMC certification must be included in all applicable solicitations and contracts awarded after October 1, 2025. 

This turned out to be an old reference from CMMC 1.0 and has officially been removed. While the exact date remained pending at this time, the CyberAB’s August Town Hall said that this rule would likely be published in the Federal Register by the end of September and that CMMC would become enforceable before the end of 2025. This was in line with an earlier estimate from the July CyberAB Town Hall, which said it could appear as early as the fall.

Spoiler alert: they were right.

August 25, 2025: 48 CFR Rule Clears Regulatory Review

As of August 25, 2025, OIRA cleared the final 48 CFR rule and began preparing it for final publication in the Federal Register.

Source: Open DFARS Cases as of 8/29/2025

September 10, 2025: 48 CFR Rule Published as Final in Federal Register

On September 9, 2025, the Department of Defense’s 48 CFR rule was submitted to the Office of the Federal Register (OFR) and released for public inspection. The next day, on September 10, 2025, it was officially published in the Federal Register.

This rulemaking milestone was the most important to date. Until now, every CMMC update came with caveats: “when the rule is finalized,” “after publication in the Federal Register,” “once enforcement begins.” By clearing regulatory review and being published in the Federal Register, the enforcement deadline finally became real.

Sixty days after the publication date, the 48 CFR rule will take effect and the CMMC phased rollout will begin.

November 10, 2025: Effective date of the CMMC Acquisition Rule, which implements the program

On November 10, 2025, both the Title 32 CFR CMMC Program rule and the Title 48 CFR CMMC Acquisition Rule will be effective, and the contractual requirements in DFARS clause 252.204-7021 will be revised. This means the DoD will start implementing CMMC requirements contractually on November 10, but not all at once. It will follow a phased rollout plan that will implement requirements in four phases over a three-year period, starting with self-assessments and ending with full implementation of all CMMC program requirements.

In Phase 1, starting on November 10, 2025, DoD contracting officers will begin inserting CMMC Level 1 and Level 2 self-assessment requirements (which DoD estimates will apply to 65% of the DIB) into new solicitations and contracts. At this time, they do have the discretion to insert CMMC Level 2 Certification Assessment (C3PAO) requirements for select contracts involving sensitive information.

There is no grace period. If your organization is not certified at the required level, you will be ineligible for the contract award.

In short: CMMC is no longer a future possibility. It will be a contractual requirement for most defense work starting this year.

2026-2028: Phases 2, 3, and 4 of the rollout will kick off

Phase 2 will kick off one year after Phase 1, with Phases 3 and 4 kicking off each subsequent year.

By the end of Phase 4, all solicitations and resulting defense contracts involving the processing, storing, or transmitting of FCI or CUI on a nonfederal system will have a CMMC level and assessment type requirement that a contractor must meet to be eligible for a contract award.

Impact of the rulemaking process on defense contractors

The rulemaking process influences how and when defense contractors must comply with CMMC 2.0. 

Key considerations include:

  • Compliance is no longer optional: CMMC will be enforced in most new DoD contracts starting on November 10, 2025 with Level 1 and Level 2 self-assessment requirements (although DoD has discretion to require third-party certification for Level 2 during this phase).
  • Time is limited: Contractors seeking CMMC certification will need time to define scope, implement controls, complete documentation, and either complete a self-assessment or engage with a C3PAO.
  • Early action is critical: Demand for assessors is already rising. Waiting risks missing the deadline or losing contract eligibility.

This post was originally published in March 2025 and has been updated on September 10, 2025 for accuracy and comprehensiveness based on recent updates across the CMMC ecosystem.

FAQs

Is CMMC 2.0 rule-making complete?

Almost. The 32 CFR CMMC Program Rule was finalized in October 2024 and went into effect in December 2024. The 48 CFR Acquisition Rule, which implements CMMC in contracts, was published as final in the Federal Register on September 10, 2025. The rule will go into effect 60 days after publication. On November 10, 2025, the 48 CFR rulemaking process will be complete and the DoD will begin rolling out CMMC self-assessment requirements in most new contracts and Level 2 certification requirements in some high-priority contracts.

What’s the difference between an interim and proposed rule for CMMC? 

A proposed rule goes into effect after public comments have been reviewed and incorporated, while an interim rule goes into effect before that comment process is complete. CMMC 1.0 was implemented as an interim rule. CMMC 2.0 followed the full proposed rulemaking process.

Can an organization get CMMC certified before the 48 CFR rule is final?

Yes. Assessments became available in December 2024 when the 32 CFR rule went into effect. Organizations could voluntarily pursue certification in advance of the 48 CFR rule becoming final and, as of August, 270 organizations had already achieved Level 2 certification. Also, many primes began requiring evidence of CMMC readiness from their subcontractors well before the deadline. With enforcement officially starting in November, early certification is strongly recommended.
