CMMC Final Rule Has Entered the Home Stretch!
- Triumvirate Cyber

- Jul 25, 2025

With OIRA beginning their review of the CMMC final rule, we're one step closer to the program being enforced for defense contractors.

TL;DR – CMMC is one step closer to being a requirement, with enforcement expected to begin as soon as late 2025.
CMMC Final Rule at OIRA
As of July 22, 2025, the DoD’s proposed DFARS rule (RIN 0750‑AK81) titled “Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019‑D041)” has entered Final Rule status and is now under review by the Office of Information and Regulatory Affairs (OIRA).
This DoD acquisition rule will make CMMC requirements contractually enforceable via DFARS clause 252.204‑7021, complementing the existing 32 CFR Part 170 Final Rule, which formally established the CMMC program last December.
What This Stage Means
OIRA review under Executive Order 12866 is a standard step for significant rules, often taking up to 90 days. During this period, interagency feedback, legal checks, and regulatory impact analyses are finalized. Once the review concludes, the rule's official status and edits are finalized, and the rule will be published in the Federal Register and become effective. It's possible that publication will trigger a Congressional Review, giving Congress 60 days to review or disapprove.
What Lies Ahead
| Stage | Estimated Timeline | Description |
| --- | --- | --- |
| OIRA Review of DFARS Rule | In progress (as of July 22, 2025) | Technical clearance and inter-agency input |
| Federal Register Publication | ~90 days after submission (likely late 2025) | DFARS clause becomes officially added |
| Congressional Review | 60 days post-publication | Possible delay, though not automatic |
| Contractual Enforcement | Late 2025/early 2026 | Solicitations will begin requiring CMMC status |
Impact on DoD Contractors & Subcontractors
Once the DFARS case is finalized, solicitations will start explicitly requiring contractors to have achieved the specified CMMC status as a condition of contract award.
DoD contractors will have to provide evidence of (i) a passing certification at the required level (or self-assessment for Level 1) and (ii) annual affirmation of compliance in the Supplier Performance Risk System (SPRS).
Flow-down requirements will also cascade to subcontractors, requiring them to maintain appropriate CMMC status based on the sensitivity of the information they access and the prime's contract level.
What Defense Contractors Should Do to Prepare
If you haven’t already, perform a gap assessment to determine how your company’s current security posture aligns with the requirements. From there, take steps to close any identified gaps as soon as possible and contact a C3PAO to schedule an audit. Many assessors are already scheduling into early 2026!
As a CyberAB RPO founded by the IT security & compliance lead for one of the first 50 organizations to achieve certification under the early-adopter JSVA program, Triumvirate Cybersecurity can provide guidance and assistance with CMMC compliance based on firsthand experience. Contact us to schedule a free consultation and determine the best path for your company!








