Substantial CMMC News
After 11 months and 8 days, the 48 CFR CMMC rule just hit its second-to-last milestone - Clearance by the Office of Information and Regulatory Affairs (OIRA).
That means it’s headed next to the Office of the Federal Register, and I expect to see it published before October. Maybe sooner, maybe a little later - but not much!
CMMC IS HAPPENING
Since it’s not a major or economically significant rule, there’s no 60-day wait! Meaning, it’ll be effective immediately on publication. This is the final move that fully activates CMMC through DFARS clauses. If you're in the DIB and not ready, you're already behind. Thinking that CMMC would be delayed or not happen at all? This says otherwise https://lnkd.in/eJMAexDJ
DIB Contractors can expect to begin seeing CMMC self-assessment requirements in new solicitations as early as October 2025
If we go with the (reasonable) time frame that 48 CFR CMMC rule is published in late September, the DoD’s phased implementation officially begins—starting with Phase 1,
- Phase 1 CMMC Level 1 and Level 2 self-assessments appear *immediately* in new solicitations. Again, Phase 1 begins on the effective date of the 48 CFR rule. In this Phase DoD will include Level 1 (Self) and Level 2 (Self) CMMC status as a pre-award condition in solicitations and contracts. At DoD’s discretion, Level 2 (C3PAO) assessments may also be required in this phase.
- Phase 2 (around March 2026) most DiB Contractors handling CUI must undergo a third-party Level 2 (C3PAO) assessment, and Level 3 (DIBCAC) kicks in for high-priority programs.
- Phase 3 (around March 2027) Begins one year after Phase 2. All contracts and solicitations must include Level 2 (C3PAO) and Level 3 (DIBCAC) as conditions of award (or for option periods, at DoD discretion).
- Phase 4 (Full Implementation) hits (around March 2028), CMMC certification will be required in all applicable DoD contracts. This commences one year after Phase 3. At this point, all applicable DoD solicitations, contracts, and option periods will require compliance with CMMC Levels 1–3 based on scope. This includes contracts awarded prior to Phase 4 where CMMC may be added retroactively
If you’re handling CUI, you should be in active preparation now to hit Phase 2 timelines.
CMMC is coming to a DiB contract near you!
Quick CMMC final rule update points:
- The rule isn’t classified as major or economically significant, it becomes effective immediately upon publication—no 60-day waiting period.
- CMMC will take effect immediately upon publication—no waiting period.
- This finalizes CMMC activation via DFARS.
- Defense contractors should expect self-assessment requirements in new solicitations as early as October 2025. If the 48 CFR rule is published in late September, phased implementation kicks off as stated above.
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for business pursuing compliance and cybersecurity. We are anCMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS accredited organization, we help organizations implement the CIS controls as it pertains to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in every changing digital landscape.
