CMMC 48 CFR Clears Regulatory Review: What Defense Contractors Need to Know
Executive Brief
The long-anticipated CMMC 48 Code of Federal Regulations (CFR) rule has cleared regulatory review. It is now expected the final rule and effective date will be published the week of September 1, 2025. Here's what defense contractors need to know:
- Now that the rule has cleared regulatory review, the final version of the rule can now be published into the Federal Register
- The published rule will provide an effective date, which will officially kick off the government's phased rollout of CMMC contractual requirements
- This rule does not have a 60-day hold
- Contractors should expect CMMC certification requirements to be in their contracts by the end of the year, either by the phased rollout timeline or via prime contractor flow downs
Dig deeper and continue reading below!
What Is the 48 CFR CMMC Rule?
The CMMC 48 CFR rule is the enforcement portion of the CMMC program. It is the second and final rule of the CMMC 2.0 rulemaking process. Whereas the CMMC 32 CFR rule set forth the CMMC program, requirements, and ecosystem, the 48 CFR rule will require DoD solicitations to include CMMC certification requirements to all applicable contracts.
Why It Matters for Defense Contractors
Now that the rule has cleared regulatory review, the final version of the CMMC 48 CFR rule can be published into the Federal Register. This is important to defense contractors for the following reasons:
- The final rule will include an effective date. Unlike 32 CFR, this rule will not have a mandatory 60-day hold
- On this effective date, the government's phased rollout will officially begin. The rollout will technically begin with Level 1 and Level 2 (Self) certifications
- However, Contract Officers have the right to flow down requirements to their supply chain ahead of the phased rollout schedule. This means Level 2 (C3PAO) certification requirements can end up in your contracts much earlier than anticipated
- The revised CMMC standards and certification requirements will also be applied to contracts with option years that come up for discussion during the phased rollout
Bottom line: Certification = competitive edge. As of August 2025, just 0.35% of the DIB is certified. Schedule your assessment now to secure your advantage—before the "Level 2 rollout rush" begins.
WHAT DOES the PHASED ROLLOUT LOOK LIKE
- Phase I: Begins on the effective date listed in the final 48 CFR rule. Applies to contracts that will include CMMC Level 1 and CMMC Level 2 (Self) certification levels
- Phase II: Begins 12 months after the start date of Phase I. Applies to new contracts that will include Level 2 (C3PAO) certification requirements. These requirements can be flowed down sooner by primes
- Phase III: Begins 12 months after the onset of Phase II. Applies to contracts requiring Level 3 (DIBCAC) certification requirements
- Goal: The DoD wants all DIB contractors to be certified at the appropriate CMMC maturity level by the end of 2028
What to do Next
If you’re unsure how to proceed, here are the next steps to protect your DoD contract eligibility:
- Review your current contracts. What clauses are currently being flowed down or placed in your contracts? This will help you feel confident in which CMMC maturity level you'll need to achieve. That said, Level 2 (C3PAO) is going to be the safest bet for current and future contracts.
- If you have not heard from your primes about their CMMC plans, reach out to them. Since they have the right to flow down requirements ahead of the phased rollout, you will want to know whether they plan on following the rollout schedule or working ahead of it
- Conduct a gap assessment to benchmark against the appropriate cybersecurity standard. This step is critical for determining your path to compliance, estimating remediation timelines, and preparing for your Level 2 assessment
- Determine if outside help is needed. CMMC assessments are unique—and the learning curve can be steep. Do an honest and thorough review of your IT team to assess their ability to do the work. If you're not 100% confident, consider bringing in some help
- Engage a C3PAO early. C3PAOs are already scheduling out into Q1 2026. Assess how long remediation is going to take and schedule your assessment around your internal timeframe. ISI Insight: Don't rush to an open spot. It's more important to get it right than to rush and increase your risk of failing
ISI Insight: We're expecting to see an assessment bottleneck beginning sometime in Q1 or Q2 in 2026. Once you identify your scope and remediation timeline, schedule your assessment to keep your compliance journey on track!
CMMC Levels and Requirements
Depending on the type of data you handle, you may be subject to one of three certification levels:
- Level 1 (Foundational): For organizations handling FCI. Requires 17 basic cyber hygiene practices and an annual self-assessment reported in the Supplier Performance Risk System (SPRS)
- Level 2 (Advanced): For contractors handling CUI. Requires implementation of all 110 controls and 320 objectives from NIST SP 800-171 and a triennial third-party assessment by a certified CMMC Third-Party Assessment Organization (C3PAO) and annual self-affirmations
- Level 3 (Expert): Reserved for contractors on the most sensitive programs. Requires government-led assessments and compliance with NIST SP 800-172
Partner with ISI for CMMC Level 2 Readiness
CMMC compliance doesn’t just safeguard sensitive information—it also protects your business. At ISI, we specialize in helping defense contractors prepare for CMMC Level 2 certification, including documentation, gap analysis, and long-term compliance planning.
We don’t just help you meet the minimum—we help you compete with confidence.
FAQs
Do all contractors need to be CMMC certified now?
No, but early adopters are going to enjoy a greater competitive advantage. As of August 2025, fewer than 300 companies had achieved CMMC Level 2 certification. Don't mistake that as a reason to green-light delaying; see it as a motivator to accelerate your compliance journey.
Can I self-assess for CMMC Level 2?
Yes. However, less than 5% of Level 2 contractors will be able to self-assess. Level 2 (Self) heavily depends on what type of CUI you handle. If you have any CUI in the Defense Index Grouping of the CUI Registry, a C3PAO assessment is going to be required. If not, a self-assessment may suffice. But counting on self-assessments to move your business forward is a risky proposition.
What if I fail a CMMC audit?
The most immediate concern is you will further delay your company's ability to accept award of new defense contracts. Additionally, from a budget perspective, you are going to have to spend more to at least pay for another assessment (roughly $30-45k). On top of that, depending on which controls you failed, you may need to invest in additional tools that weren't budgeted for. Last, you could face some reputational damage, hurting your ability to win contracts even if you do eventually achieve certification.
What does SPRS submission involve?
It involves uploading your self-assessment score based on NIST SP 800-171 implementation along with basic supporting details into DoD's SPRS. While not required to initiate a CMMC assessment, completing this step is a key part of Level 2 readiness and may already be required under current DFARS clauses in your contracts.
