Substantial CMMC News
After 11 months and 8 days, the 48 CFR CMMC rule just hit its second-to-last milestone - Clearance by the Office of Information and Regulatory Affairs (OIRA).
That means it’s headed next to the Office of the Federal Register, and I expect to see it published before October. Maybe sooner, maybe a little later - but not much!
CMMC IS HAPPENING
The 48 CFR CMMC final rule was published on September 10, 2025, and takes effect November 10, 2025. This kicks off Phase 1 of the CMMC rollout. From this date, all new DoW (formerly DoD) contracts will require some level of CMMC compliance, and CMMC Level 2 certification assessments may be required during Phase 1.
- Phase 1: CMMC Level 1 and Level 2 self-assessments appear *immediately* in new solicitations. Again, Phase 1 begins on the effective date of the 48 CFR rule. In this phase, DoD will include Level 1 (Self) and Level 2 (Self) CMMC status as a pre-award condition in solicitations and contracts. At DoD’s discretion, Level 2 (C3PAO) assessments may also be required in this phase.
- Phase 2 (November 2026): most DiB contractors handling CUI must undergo a third-party Level 2 (C3PAO) assessment, and Level 3 (DIBCAC) kicks in for high-priority programs.
- Phase 3 (around November 2027): begins one year after Phase 2. All contracts and solicitations must include Level 2 (C3PAO) and Level 3 (DIBCAC) as conditions of award (or for option periods, at DoD discretion).
- Phase 4 (Full Implementation, around November 2028): CMMC certification will be required in all applicable DoD contracts. This commences one year after Phase 3. At this point, all applicable DoD solicitations, contracts, and option periods will require compliance with CMMC Levels 1–3 based on scope. This includes contracts awarded prior to Phase 4 where CMMC may be added retroactively.
If you’re handling CUI, you should be in active preparation now to hit Phase 2 timelines.
CMMC is coming to a DiB contract near you!
Quick CMMC final rule update points:
- The rule isn’t classified as major or economically significant; it becomes effective immediately upon publication, with no 60-day waiting period.
- CMMC will take effect immediately upon publication—no waiting period.
- This finalizes CMMC activation via DFARS.
- Defense contractors should expect self-assessment requirements in new solicitations as early as November 2025. If the 48 CFR rule is published in late September, phased implementation kicks off as stated above.
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS-accredited organization, we help organizations implement the CIS controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.