The State of CMMC Rulemaking: What’s Next After 48 CFR


The Cybersecurity Maturity Model Certification (CMMC) has been years in the making, evolving from draft concepts to the rulemaking stage. With the publication of the interim rule in 48 CFR (which formally embeds CMMC 2.0 into the Defense Federal Acquisition Regulation Supplement, or DFARS), many in the Defense Industrial Base (DIB) are asking the same question: What happens next?

The short answer: enforcement is coming, and the clock is ticking. Let’s unpack what the rulemaking milestone means and how contractors should prepare for the next phase.

From Policy to Practice: Why 48 CFR Matters

The inclusion of CMMC into Title 48 of the Code of Federal Regulations (48 CFR) signals that the Department of Defense (DoD) has locked in CMMC as part of acquisition law. No longer just a framework or set of guidelines, CMMC is now tied directly to federal contracting regulations.

This step gives contracting officers the authority to insert CMMC requirements into contracts. It also clarifies that compliance is no longer “voluntary”; it is mandatory for doing business with DoD once the rollout begins.

What Happens After Rule Publication

Once published in the Federal Register, the rule goes through a public comment period (typically 60 days). During this time, contractors, industry groups, and stakeholders can provide feedback. The DoD may refine the final rule based on this input, but the core structure of CMMC 2.0 is unlikely to change.

Following the comment period, DoD will set an effective date for enforcement. That date starts the countdown for when CMMC requirements will begin appearing in Requests for Proposals (RFPs) and contract clauses. Analysts project this could begin showing up in early 2026 contracts, depending on the speed of the rule’s finalization.

Phased Rollout: What to Expect

DoD has signaled a phased implementation strategy to ease contractors into compliance:

  • Year 1 (Initial Rollout): A small percentage of contracts will require CMMC Level 1 or Level 2 certification. This allows DoD to validate processes and give C3PAOs time to scale.

  • Year 2–3: More contracts will include certification requirements, particularly those involving Controlled Unclassified Information (CUI). Level 2 assessments will become more common.

  • Year 3–5: Full enforcement. By this stage, nearly all contracts handling Federal Contract Information (FCI) or CUI will require proof of certification at the appropriate level.

The Role of C3PAOs and Assessments

With the rule now codified, Certified Third-Party Assessor Organizations (C3PAOs) will become busier than ever. Level 2 certifications, in particular, require a formal C3PAO assessment. Early adopters who schedule assessments now will be ahead of the inevitable bottleneck once thousands of contractors seek certification at the same time.

Key Challenges Contractors Face

Even with the rule finalized, contractors face several hurdles:

  • Backlog of Assessments: Limited numbers of C3PAOs may cause scheduling delays.

  • Documentation Gaps: Many organizations lack fully developed System Security Plans (SSPs) and Plans of Action & Milestones (POA&Ms).

  • Vendor Risk: Subcontractors must also comply, adding complexity to supply chain oversight.

  • Cost Concerns: Implementing and maintaining compliance requires investment in both technology and process.

How Contractors Should Prepare Now

  1. Conduct a Gap Assessment: Identify where you stand against NIST 800-171 (the foundation of CMMC Level 2).

  2. Prioritize Remediation: Close gaps in high-risk areas like access control, incident response, and system monitoring.

  3. Engage Subcontractors: Ensure flow-down compliance requirements are in place.

  4. Leverage GRC Tools: Use platforms to centralize evidence, automate reporting, and streamline audit readiness.

  5. Plan for Continuous Monitoring: CMMC is not a one-time exercise; compliance must be sustained.

The Bigger Picture: Beyond DoD

While CMMC is a DoD initiative, the rulemaking process has broader implications. Civilian agencies, critical infrastructure sectors, and even international partners are watching closely. The adoption of CMMC-like frameworks across government and industry could set a new baseline for cybersecurity expectations worldwide.

Bottom Line

The codification of CMMC into 48 CFR is the turning point contractors have been waiting for. It transforms CMMC from a concept into enforceable law. What comes next is a phased rollout, growing demand for assessments, and increased scrutiny on supply chains.

For the DIB, the message is clear: the time for waiting is over. Contractors that take proactive steps now (conducting gap analyses, investing in compliance tools, and engaging with assessors) will not only meet the requirements but also gain a competitive advantage in winning contracts in the years ahead.