48 CFR CMMC Final Rule is with OMB – Are You Ready?

Update to 48 CFR CMMC Final Rule

Big news for the Defense Industrial Base: the long-awaited Cybersecurity Maturity Model Certification (CMMC) Final Rule under 48 CFR has officially reached the Office of Management and Budget (OMB) for review. This marks the second-to-last step before the rule is published in the Federal Register and becomes enforceable.

So, What’s the Big Deal?

CMMC is the Department of Defense’s (DoD) way of making sure its contractors have proper cybersecurity in place. The program is designed to protect two main types of information:

  1. Federal Contract Information (FCI)
  2. Controlled Unclassified Information (CUI)

Once published, the 48 CFR CMMC final rule will require contractors to meet certain CMMC levels (1 or 2, depending on the contract) before they can be awarded new work, or even have an existing contract extended.

Key Points:

  • The rule is with OMB as of July 23, 2025.
  • Expected publication is October 2025, with enforcement beginning shortly after.
  • No 60-day delay will follow publication because the rule isn’t classified as economically significant.
  • All non-COTS (Commercial-Off-The-Shelf) contracts will include CMMC requirements by default after October 1, 2025.
  • CMMC certifications must be current (within 3 years) and visible in SPRS (Supplier Performance Risk System) at the time of award or renewal.

What Contractors Need to Do:

If you’re a contractor or subcontractor supporting the DoD, here’s how you can prepare:

  • Determine your required CMMC level based on whether you handle FCI (Level 1) or CUI (Level 2).
  • Complete a self-assessment or schedule a C3PAO audit depending on your level.
  • Develop and maintain your System Security Plan (SSP).
  • Map your practices to NIST SP 800-171 assessment objectives.
  • Ensure you’re ready to prove compliance before your next contract cycle.

Bottom Line

This is not a drill. The 48 CFR CMMC final rule’s journey through the regulatory process is nearly complete. CMMC will soon be a contractual requirement—not just a best practice.

If you haven’t started preparing, now’s the time. Waiting could mean delays, missed opportunities, or even lost contracts.

Stay informed, stay secure, and stay ahead.

Need help getting CMMC-ready? Our experts at inDirect IT can guide you through scoping, documentation, and gap assessments. Reach out anytime.

Kyle Kiider

IT Risk and compliance expert with 15+ years of experience helping companies manage risk, navigate change, and implement control programs. Passionate about delivering regulatory compliant, optimized control suites while minimizing financial and operational impacts on the business.
