CMMC is really happening: Final rule enters OMB review

We’re officially in the last stretch. The CMMC rule is in its final review phase - and it could be live as soon as October.

The CMMC rule under 48 CFR has officially entered the Office of Management and Budget’s (OMB) final review process. That’s the last stop before it’s published - and when it is, it’s likely going to be effective immediately.

This rule is what will make CMMC certification a contractual requirement for defense contractors. If your organization handles Controlled Unclassified Information (CUI) and does business with the Department of Defense, this is the moment we’ve all been preparing for.

“Why is this such a big deal?”

OMB review typically takes up to 90 days. Because the rule has been deemed not financially significant, it won’t have a 60-day waiting period like the 32 CFR rule did. That means as soon as the rule is published, it’s real.

If timing stays on track, the final 48 CFR rule could be published - and go into effect - as early as October 2025. And almost certainly before the end of the year.

In other words: this isn’t a drill. This is the real beginning of enforceable CMMC.

“What does this mean for me right now?”

If your organization isn’t ready for CMMC, you’re out of time for slow planning. Level 1 will be required first - but Level 2 is right around the corner, and getting caught unprepared could mean losing contract opportunities.

You should already be:

  • Finalizing your System Security Plan (SSP)

  • Mapping out POAMs with dates and budgets

  • Reviewing each NIST 800-171 control for completeness

  • Working with a Registered Practitioner (RP) or a C3PAO to prep for assessment

Still early in your CMMC journey? We’ve got you. You can download our CMMC 101 Guide or reach out to our team for help navigating what comes next.

“As a C3PAO, what’s your take on this?”

Hey, that’s true - we are an accredited C3PAO! We’ve said it before, and we’ll say it again: this is a wake-up call for the entire Defense Industrial Base. The DoD has spent years laying the groundwork for CMMC, and now it’s clear that the era of self-attestation is ending.

We don’t expect a soft landing. If your contract requires CMMC Level 2 certification, you’ll need to work with a C3PAO and achieve at least a conditional certification to keep working with the DoD. And with only a limited number of authorized assessors, those who wait could be stuck in a very long line.

This rule being published is not a hypothetical. It’s real. It’s happening. And we’re helping clients get ahead of it every day. Book our team of accredited CMMC assessors to come and complete a gap assessment of your environment to check your readiness for the real deal!


How do we know all of this? We’re a C3PAO!


 
