For contractors within the Defense Industrial Base (DIB), the time to ensure compliance with the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification program (CMMC) 2.0 is now. DOD formally sent the final 48 CFR CMMC rule to the Office of Information and Regulatory Affairs (OIRA) for review on July 22, 2025. This is an important step in the rulemaking process that is expected to culminate with CMMC security requirements being inserted in defense contracts at some point in the fall of 2025.
Overview of the 48 CFR CMMC Rule
As background, two regulations govern the CMMC program: 32 CFR Part 170 and 48 CFR Parts 204, 212, 217, and 252:
32 CFR Part 170: This regulation sets forth the parameters and obligations of the CMMC Program, such as roles, levels, requirements, policies, waivers, assessments, and so forth. 32 CFR Part 170 has been in effect since December 2024.
Read More