WASHINGTON, Sept. 5 — The White House Office of Information and Regulatory Affairs has cleared a long-anticipated Defense Department acquisition rule that will allow the Pentagon to begin requiring Cybersecurity Maturity Model Certification, or CMMC, in new contracts once the regulation is published in the Federal Register. The clearance, recorded on Aug. 25, moves the rule—an amendment to Title 48 of the Code of Federal Regulations covering Defense Federal Acquisition Regulation Supplement (DFARS)—into the final administrative steps before it takes effect.
According to industry and legal notices tracking the process, the Defense Department submitted the final version of the acquisition rule to OIRA on July 22, after which OIRA review typically lasts 90 to 120 days. In this case, clearance followed roughly a month later, signaling urgency to complete implementation. The next step is publication in the Federal Register, a step that often occurs within one to three weeks of OIRA approval, though the government will set the official effective date in the notice.
The 48 CFR/DFARS action is the enforcement mechanism that shifts CMMC from policy to procurement. While the CMMC “program rule” in Title 32 took effect earlier, it did not by itself authorize contracting officers to include certification requirements in solicitations. The newly cleared DFARS rule enables that contracting language, allowing DoD to condition eligibility for award on contractors’ demonstrated cybersecurity practices and, over time, third-party certifications at levels tied to the sensitivity of information handled.
Contractor advisories issued in recent days indicate the department could begin phasing CMMC language into solicitations soon after Federal Register publication. Multiple firms following the rulemaking expect an initial phase that relies on self-assessment for some awards, followed by increasing use of third-party assessments for contracts involving controlled unclassified information. Several observers said CMMC terms could start appearing in select solicitations as early as October if publication occurs in early September, though the exact timing and scope will be defined by the department’s phased rollout plan.
CMMC sets out three maturity levels mapped to existing federal cybersecurity standards. For most contractors that handle sensitive but unclassified defense data, compliance centers on implementing and maintaining the NIST SP 800-171 controls, with periodic affirmation and, for many, independent validation by certified third-party assessor organizations. Industry estimates suggest that tens of thousands of companies in the Defense Industrial Base will ultimately need to reach Level 2, placing a premium on planning, remediation, and scheduling assessments as capacity ramps.
The rule’s progression comes amid broader changes in federal cybersecurity policy during President Trump’s second term. A June executive order adjusted several Biden-era mandates, affecting how software security attestations and other federal requirements are applied. Separately, analysts have noted potential shifts in regulatory posture at agencies such as the SEC and evolving questions about the future operating model for CISA. Those developments form the backdrop to the Pentagon’s push to anchor cyber requirements directly in contracting rules through CMMC.
For contractors, the immediate implications are operational. Once the DFARS rule is published and effective, solicitations can begin to require CMMC at the level designated by program managers. That will translate into near-term tasks: finalizing system security plans, closing gaps against 800-171 controls, documenting plans of action with bounded timelines, and preparing for assessments where applicable. Firms that have delayed remediation may face compressed schedules to qualify for opportunities or maintain eligibility during option periods, depending on how program offices structure the rollout.
Legal and compliance advisors also point out that the DFARS rule will clarify enforcement levers long discussed by the department. By tying cyber requirements to award decisions, option exercises, and potential contractual remedies, DoD is moving from voluntary attestations toward consequences that are more immediate and commercial in nature. Companies that cannot credibly demonstrate the required practices risk exclusion from competitions involving sensitive data until deficiencies are resolved, a change many observers argue will rebalance incentives across the supply chain.
Attention now turns to the Federal Register for publication and to the department for the specifics of phasing. Some advisories tracking the rulemaking suggest the effective date could be immediate upon publication; others note the notice may set a short interval before effectiveness. Either approach would be consistent with the department’s messaging over the past year that CMMC is no longer a future-tense initiative but an active requirement that will be embedded in solicitations in the coming months.
As the acquisition rule moves toward publication, defense contractors are being urged to assume that CMMC obligations will arrive on a contract-by-contract basis rather than with a single government-wide “switch-on” date. That means readiness—measured by documented, implemented controls and evidence that stands up to assessment—will be the determinant for participation in many defense opportunities through the rest of 2025 and into 2026.