Amid the current administration’s growing security concerns related to potential supply chain interruptions and cyber attacks by China and Russia, among others, the Cybersecurity Maturity Model Certification (CMMC) 2.0 program is thrusting forward with resounding support from major Defense Industrial Base (DIB) contractors and U.S. Department of Defense (DoD) leadership.
In a recent Secretary of Defense (SECDEF) memo directing the DoD Chief Information Officer (DoD CIO) to issue implementing guidance by August 2, 2025, SECDEF echoed the importance of the CMMC program and related initiatives, stating, “…the Department will fortify existing programs and processes utilized within the [DIB] to ensure that adversarial foreign influence is appropriately eliminated or mitigated . . . Specifically, the DoD CIO will leverage efforts such as … [CMMC], the Software Fast Track Program, the Authority to Operate process, the Federal Risk and Authorization Management Program, and initiatives such as the Secure Software Development Framework.”
We expect to see the resulting DoD CIO guidance in the coming weeks. For the last several months, and in the meantime, major DIB contractors have been issuing CMMC 2.0 readiness surveys and communications to some of their subcontractors to gauge readiness across their own supply chains.
Notably, on July 22, 2025, the DoD submitted the final CMMC 2.0 rule for review by the White House's Office of Information and Regulatory Affairs (OIRA), marking the last stage before implementation. As previously explained, CMMC implementation is contingent on publication of the pending “contract rule” under Code of Federal Regulations (CFR) Title 48 tied to Defense Federal Acquisition Regulation Supplement (DFARS) Case number 2019-D041, which follows last year’s publication of the CFR Title 32 “program rule.”
OIRA’s review process generally takes ninety (90) days, but OIRA can take up to one hundred twenty (120) days as needed. After OIRA completes its review process, the rule will move to final publication in the Federal Register. Once published, the rule is expected to take effect immediately, jump-starting the phased implementation effort described in detail under the final “program rule.” [1]
The above-described timeline means that CMMC 2.0 cybersecurity requirements may begin to appear in your DoD Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)-covered contracts and solicitations as early as the end of October 2025. If included, DoD contractors can expect to see the insertion of CMMC language, including the required level of certification and DFARS Clause 252.204-7021. And if you are pursuing opportunities with the Army Corps of Engineers (USACE), which recently issued a notice to the DIB in SAM.gov, CMMC 2.0 compliance is evidently required imminently. The USACE notice states, “Once final, USACE solicitations will specify the level certification required for performance under the contract” (emphasis added). [2]
It is key to highlight that, per the “program rule,” contracting officers have wide discretion to implement what they deem to be necessary CMMC requirements at each phase. Thus, although not widely expected during phase 1 of the roll-out beginning on the effective date of the “contract rule,” DoD contracting offices may, at their discretion, include the requirement for Level 2 C3PAO certification in place of Level 1 or Level 2 self-certification. If you are not C3PAO-certified at the time of offer, you will not be eligible for these opportunities.
As previously cautioned, Government contractors should not rely on being able to secure waivers or pursue a certification during the time between solicitation and award.
The Morris, Manning & Martin, LLP Government Contracts team continues to closely track updates pertinent to the implementation of the CMMC 2.0 program. Please reach out with any pertinent questions, comments, and concerns.