CMMC Rulemaking Update: How 48 CFR Will Reshape the DoD Contracting Game
Christopher Souza | CEO
If you’re a defense contractor or just part of the complex network of suppliers supporting the Department of Defense, July 22, 2025, marks a turning point. On this date, the DoD submitted the final 48 CFR CMMC rule to the Office of Information and Regulatory Affairs (OIRA) for its last round of regulatory review.
This isn’t just a bureaucratic box-checking exercise. It’s the last stop before the rule is published in the Federal Register, after which it becomes binding on its stated effective date. For contractors who work with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), the game is about to change quickly.
At Technical Support International (TSI), we are a CISSP-led security compliance team with proven experience supporting DoD contractors and over 37 years in the industry. We are also certified-ready at CMMC 1.0 Level 3, as validated by a CMMC-accredited C3PAO. We practice what we preach, and we put this article together to explain what your organization should be doing right now.
Why 48 CFR is the Missing Link
To understand the importance of this rule, you must see how it connects the dots.
The 32 CFR Part 170 rule, published in October 2024 and effective December 16, 2024, created the CMMC program itself: the certification levels, the security requirements at each level, and the assessment and certification process. But without 48 CFR, that framework was like a building without a front door. It defined the program but gave contracting officers no clause to put it into solicitations and contracts.
The 48 CFR rule integrates CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS) through DFARS 252.204-7021, making certification a condition of award. Contractors must hold the required CMMC status before award to remain eligible. While prime contractors aren’t explicitly mandated to certify every subcontractor themselves, they are responsible for flowing the requirement down and for ensuring that their supply chain meets its contractual obligations, including DFARS and CMMC requirements. In practice, primes enforce these standards by requiring subcontractor self-assessments or third-party certifications, reviewing System Security Plans (SSPs), conducting periodic audits, and including compliance clauses in subcontract agreements to ensure accountability across the supply chain.
The Timeline: Faster Than You Think
OIRA’s review can take up to 90 days (extendable once by 30 days), but once approved, the rule is expected to be published in the Federal Register within weeks. A substantive rule generally cannot take effect until at least 30 days after publication, so expect a short gap between publication and the first solicitations carrying the clause, not an overnight switch.
Here’s what this could look like:
- Most likely scenario: CMMC requirements start appearing in solicitations as early as October 2025.
- Conservative scenario: If the review drags, clauses could begin showing up by February 2026. However, that’s the latest likely start.
Either way, contractors handling CUI have very little time left to prepare. The industry average time to become CMMC-ready is approximately 12 to 18 months, which means an organization starting from scratch today will not be ready for the first solicitations in either scenario.
New Contract Language: No Room for Guesswork
When DFARS 252.204-7021 takes effect, the margin for error disappears. Contractors will need to have the correct CMMC level in place before they can be awarded a contract. There’ll be no more conditional wins based on promises to comply later. This requirement doesn’t stop at the award stage either. Compliance will need to be maintained throughout the life of the contract: the CMMC program requires an annual affirmation of continued compliance by a senior company official, recorded in the Supplier Performance Risk System (SPRS), on top of ongoing oversight, regular checks, and documented proof that security controls remain in place. Prime contractors will also be responsible for ensuring that each subcontractor holds the CMMC level appropriate to the information flowed down to it (Level 1 for FCI only, Level 2 for CUI), making CMMC readiness a shared and enforceable responsibility.
How the Rollout Will Happen
The DoD isn’t flipping the CMMC switch overnight. The rollout is phased, but it ramps up quickly:
- 2025: Level 1 or Level 2 self-assessments begin appearing in contracts.
- 2026: Level 2 certification through a Certified Third-Party Assessment Organization (C3PAO) becomes mandatory for certain contracts.
- 2027: Level 3 certification (assessed by the DoD’s DIBCAC) is added, and Level 2 requirements continue to expand to new awards and option periods.
- 2028: Full CMMC integration into all DoD solicitations and contracts.
Don’t think you can wait until the later phases. By the time Level 2 C3PAO certification is required in 2026, many opportunities will already be gated behind compliance walls.
What You Should Be Doing Now
If your organization hasn’t already begun preparing, the bad news is that you’re already behind. Preparation should start with a complete and accurate System Security Plan (SSP) that reflects your current operational reality, not what you hope to achieve. Any gaps recorded in your Plan of Action & Milestones (POA&M) need to be closed quickly, and every NIST SP 800-171 requirement should be reviewed to confirm that written policy and actual practice match, since an assessor will test what is implemented, not what is documented. For those handling Controlled Unclassified Information, Level 2 assessment readiness should be the top priority. Many prime contractors are already setting CMMC readiness as a prerequisite for doing business, so waiting for the official rule to drop could mean losing opportunities before they even reach the bidding stage.
The Bottom Line
The submission of the 48 CFR CMMC rule to OIRA is the final green light before CMMC becomes a mandatory contractual requirement. By the fall of 2025, non-compliant contractors may find themselves shut out of bidding opportunities.
The DoD’s message is clear: If you want to keep competing, you need to be CMMC-ready now.
How TSI Can Help You Cross the Finish Line
At TSI, we understand that CMMC compliance is not a one-time task but an ongoing operational commitment. Our team works closely with defense contractors to assess their current posture, develop the necessary policies and documentation, and implement targeted technical and procedural fixes. We guide clients through every step of the CMMC process, from initial readiness assessments to final certification support with Certified Third-Party Assessment Organizations (C3PAOs). More importantly, we help organizations maintain compliance long after they’ve achieved it, so that they remain competitive and eligible for future contracts. With the 48 CFR CMMC rule on the brink of enforcement, now is the time to act. By partnering with TSI, you can move from uncertainty to readiness before the new rules leave you on the outside looking in. To learn more, please visit our NIST 800-171 and CMMC webpages.
Contact TSI today to schedule your CMMC readiness evaluation and keep your business in the fight for tomorrow’s contracts.
About Technical Support International
TSI is a 37-year-old cybersecurity (MSSP) and IT support (MSP) company specializing in helping DIB organizations address their NIST 800-171 and CMMC compliance obligations. As a CMMC-AB Registered Provider Organization (RPO), TSI offers a complete NIST 800-171 and CMMC support solution to guide clients toward a successful certification assessment and to provide assurance that they are adhering to these expansive compliance requirements.