The Department of Defense (DoD) is moving one step closer to fully implementing the Cybersecurity Maturity Model Certification (CMMC) program.
On September 11, 2025, the Office of Information and Regulatory Affairs (OIRA) completed its review of the long-awaited CMMC 48 CFR rule, clearing the way for the next stages of adoption.
This update is significant for any organization that currently holds — or plans to bid on — DoD contracts.
Here’s what you need to know.
What Just Happened?
The OIRA clearance means that the DoD’s proposed rule — governing how CMMC requirements will be incorporated into the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) — has passed one of its final administrative hurdles.
In simpler terms:
- ✅ The rule has been reviewed and approved by OIRA.
- 📰 It’s been published in the Federal Register.
- 💬 Once published, a public comment period will open, allowing industry feedback before the rule becomes final.
Why Is This Important?
The CMMC framework is designed to protect Controlled Unclassified Information (CUI) and strengthen the Defense Industrial Base (DIB) against cyber threats.
With this clearance:
- 🛡️ Contractors are closer to seeing CMMC requirements appear in DoD contracts.
- 📋 Organizations will need to prove compliance with the appropriate CMMC level before they can win or keep DoD work.
- ⚠️ Non-compliance will mean lost opportunities — a reality that many contractors cannot afford.
What’s Next?
- The DoD will publish the rule in the Federal Register.
- Contractors, subcontractors, and stakeholders will have the chance to review and submit comments.
- After the comment period, the DoD will finalize the rule, setting the stage for enforcement.
What Should Contractors Do Now?
Even though the final rule isn’t published yet, time is running out to get prepared.
Here are some immediate steps:
1. Assess Your Current Cybersecurity Posture
Identify gaps against NIST SP 800-171, since it remains the foundation of CMMC.
2. Develop a System Security Plan (SSP)
Documentation is critical for proving compliance.
3. Close Open POA&Ms
Plans of Action and Milestones (POA&Ms) should be realistic, funded, and on track.
4. Engage a C3PAO Early
Certified Third-Party Assessment Organizations will be in high demand once assessments begin.
The OIRA clearance of the CMMC 48 CFR rule signals that the DoD is serious about moving forward.
Contractors that act now will be in the best position to:
- Maintain eligibility
- Avoid delays
- Stay competitive in the defense supply chain
Now is the time to get prepared — before CMMC becomes a contractual requirement.
How can we help you now that the final rule has been published?
StrategicIT Solutions is a CMMC Certified Third-Party Assessor Organization that has been guiding contractors through CMMC compliance for over four years.
Based in Northern Virginia, we’ve successfully supported companies of all sizes, from all over the USA, on their journey to certification. Our team collaborates with more than 20 Certified CMMC Assessors and Certified CMMC Professionals, bringing a wealth of proven expertise to every engagement.
We will help you and your colleagues understand the requirements, achieve certification, and position your business to confidently compete for—and win—Department of Defense contracts.
If you’d like a proposal tailored to your needs, don’t hesitate to book a Discovery Call with us. If you don’t see a time that fits your schedule, write to cmmc@strategicit-solutions.com and we’ll make time for you.