On July 22, 2025, the final 48 CFR rule (updated regulations concerning the Cybersecurity Maturity Model Certification (CMMC) program) was sent to the Office of Information and Regulatory Affairs (OIRA) by the Department of Defense (DoD). This means that defense contractors could start seeing CMMC contract requirements put in place as early as October 2025.

This guide will explain what the 48 CFR final rule is, how long its review may last, how your organization can prepare for CMMC contract requirements, and the resources we provide to help along the way so you can meet 2026 CMMC deadlines.

What is the 48 CFR Final Rule?

48 CFR is short for “Title 48 of the Code of Federal Regulations” and is part of the Federal Acquisition Regulation System (FAR). 48 CFR outlines acquisition standards for defense-related activities, and its final rule adapts CMMC 2.0 requirements to the FAR framework. In essence, the final rule establishes how government contractors prove their compliance with cybersecurity frameworks like NIST SP 800-171. 

There are two regulations that govern the CMMC Program:

  • 32 CFR Part 170: Lays out various elements of the CMMC Program, including department policy, roles, levels, requirements, waivers, and assessments.  
  • 48 CFR Parts 204, 212, 217, and 252: Put forth acquisition policy and standardized contract language.  

While 32 CFR establishes CMMC as a policy, 48 CFR integrates its requirements into the FAR system, which gives them practical applications for defense contractors.

Now that the final 48 CFR rule has been handed off to OIRA for review, it could become official and render CMMC enforceable in contracts in fewer than 90 days. If you’re a government defense contractor or even a subcontractor and aren’t compliant with CMMC, the alarm bells should be going off.

Once the rule enters into effect, subcontractors will have to demonstrate compliance at the relevant CMMC levels to bid on or retain national defense contracts. Other government agencies that are not within the Defense Industrial Base (DIB) may also follow suit and adopt these provisions in the future.

How Long Will the Review of the 48 CFR Final Rule Take?

Now that OIRA has begun its review of 48 CFR, it has 90 days (or up to 120) to complete its regulatory review and approve the rule. Then, the rule will move to the Federal Register for final publication, a process of 1-3 weeks. Once published, the final rule will go into immediate effect.

Taking these final steps into account, the earliest that the CMMC final rule will be published is around October 2025, barring any delays. At the latest, with the maximum number of possible delays and classification changes, the final rule could be pushed back to February 2026.

What the Latest Rule Update Means for You

The 48 CFR rule doesn’t change the main CMMC requirements; it clarifies them. Here are the most important updates:

1. The rule inserts the DFARS 252.204-7021 clause into contracts. DFARS 252.204-7021 dictates:

Contractors must:

  • Pass a CMMC assessment and gain certification.
  • Have certification present at the time of contract award.
  • Complete a certification assessment every three years.

  • DoD contractors must maintain the appropriate CMMC level with respect to each contract, while also ensuring any subcontractors are compliant to the same CMMC level (Flowdown) for the duration of the contract.
  • Suppliers must include DFARS 7021 language in their subcontract agreements and documentation. 

2. The rule authorizes contracting officers to include CMMC requirement language in solicitations.

3. The rule’s effective date marks the first part of the CMMC phased rollout.

  • Phase 1: Beginning on the effective date of the 48 CFR final rule, the DoD will start requiring CMMC Level 1 and CMMC Level 2 self-assessments for specific contracts. This includes an up-to-date score in the DoD’s Supplier Performance Risk System (SPRS) database along with confirmation from a senior leader that the organization’s score is accurate.
  • Phase 2: One year after Phase 1, the DoD will start requiring CMMC Level 2 certification based on third-party assessments.
  • Phase 3: One year after Phase 2, the DoD will start requiring CMMC Level 3 certification for specific contracts that demand higher security protocols.
  • Phase 4: One year after Phase 3, CMMC requirements will be fully established across all DoD contracts.

How to Prepare

CMMC certification is structured into three primary levels, reflecting progressively stringent cybersecurity standards based on NIST SP 800-171. Most organizations need 9-12 months to implement NIST SP 800-171 controls, validate their compliance, and pass a C3PAO assessment.

If your organization is part of the DIB and processes, stores, or transmits Controlled Unclassified Information (CUI), it must achieve at least CMMC 2.0 Level 2, which consists of all 110 security controls (320 control objectives) from NIST SP 800-171, plus all CMMC Level 1 requirements. Level 2 C3PAO assessments can be required as early as October 2025 or before the CMMC certification deadline. 

If your organization handles CUI and plans to bid on contracts in 2026, you should be well into the control implementation and assessment process in order to stay ahead of the DoD CMMC compliance deadline. Is your team running behind? BD Emerson’s CMMC Advisory Services can get you back on track and winning business by cutting your CMMC ramp time in half while ensuring you stay competitive in the marketplace.

BD Emerson’s CMMC Consulting Services

BD Emerson offers a holistic, streamlined, and expert-led approach to achieving CMMC compliance. Leveraging advanced tools and a global network of cybersecurity professionals, our services ensure your cybersecurity program satisfies contract requirements and scales as you grow.

In order to streamline the CMMC compliance process, we have partnered with Paramify, a cloud-based platform that makes risk management accessible to everyone. Together, we offer the fastest and most affordable way for organizations to achieve CMMC certification. 

The technical experience of our security consultants combined with Paramify’s automated compliance platform enables organizations to perform a thorough gap analysis, rapidly implement necessary controls, and produce audit-ready documentation so that they fulfill government contract requirements well before CMMC requirements are enforced.

Talk to our CMMC Experts and Get Audit-Ready by October 

We know that building out cybersecurity controls to fulfill rigid government regulations can be daunting. Our cybersecurity experts are here to help so that the CMMC deadline doesn’t sneak up on you. 

About the author

As Marketing Manager at BD Emerson, Danielle drives revenue growth through strategic marketing initiatives that amplify brand visibility, attract high-value clients, and strengthen partnerships. She oversees the planning, research, and creation of compelling content—including blog articles, social media campaigns, website optimization, and digital/print collateral—that not only engage audiences but also convert leads into long-term clients.
