Major CMMC Updates Signal Imminent Rulemaking: What DoD Contractors Need to Know Now

After years of anticipation, the Department of Defense (DoD) is moving swiftly to finalize the Cybersecurity Maturity Model Certification (CMMC) program. Three major developments over the past few months clearly signal that CMMC rulemaking is entering its final phase. Under these changes, contract requirements could begin appearing as soon as October 2025.

Here’s what every DoD contractor and subcontractor needs to know about the latest CMMC updates and how to prepare.

DoD Sends Final 48 CFR Rule to OIRA (July 22, 2025)

Recently, we reached the most critical milestone yet in our CMMC journey. On July 22, 2025, the DoD officially sent the final CMMC rule to the Office of Information and Regulatory Affairs (OIRA) for review.

This submission represents the last step in the rulemaking process under 48 CFR before CMMC requirements can legally appear in federal contracts. Once OIRA approves the final rule, the DoD will be able to immediately insert CMMC language into new solicitations. Based on previous DoD projections, these changes are anticipated to start as early as the end of October.

Contractors who have been waiting for clarity now have it. The clock is ticking. If you’re not already CMMC-ready, you’re already behind.

Secretary of Defense Memo Orders Implementation Guidance by August 2, 2025

IS Partners has created a streamlined process designed to take the complexity out of CMMC. Our methodology guides clients step by step—from the earliest gap analysis through final audit preparation—so that by the time the official CMMC certification process begins, there are no loose ends.

DoD Releases Updated CMMC 2.0 Assessment & Waiver GuidanceHere’s how we do it:

Finally, at the beginning of the year, the DoD published an updated memo titled, “Implementing the Cybersecurity Maturity Model Certification (CMMC) Program: Guidance for Determining Appropriate CMMC Compliance Assessment Levels and Process for Waiving CMMC Assessment Requirements.”

This memo clarifies several key points about CMMC 2.0, including:

• Which contracts require Level 1 vs. Level 2 assessments
• How waivers will be considered (e.g., for urgent mission-critical acquisitions)
• Expectations for C3PAO-led assessments vs. self-assessments
• Additional definitions for Federal Contract Information (FCI) and CUI

The memo has already prompted extensive industry analysis and offers concrete insight into what the finalized rule will likely require. It also fills in key operational gaps, helping organizations determine their appropriate CMMC level and plan their assessment path accordingly. If you haven’t already, now is a great time to review the memo and partner with a CMMC consultant if needed to determine next steps.

How IS Partners Helps Other Companies Achieve CMMC ComplianceWhat This Means for DoD Contractors and Subcontractors

Contractors across industries—from aerospace and manufacturing to IT, logistics, and healthcare—trust IS Partners because we offer more than just assessments. We deliver:If your organization does business with the DoD—or hopes to—you can no longer afford to treat CMMC as a future issue. With CMMC language likely to appear in contracts starting as early as Q4 2025, OIRA’s final rule review is the last procedural hurdle before enforcement. And because the DoD can immediately begin apply CMMC once OIRA approves the final rule, contractors don’t have any time to waste. Official guidance will clarify expectations around timing, waivers, and roles, but contractors who delay risk award eligibility, revenue, and reputation. 

Here are five immediate steps contractors should take:

1. Determine your CMMC level. Level 1 is for contractors that handle FCI only, while Levels 2 and 3 are for contractors that handle CUI based on contract scope.
2. Review the updated waiver and assessment guidance to understand if you qualify for self-assessment or require a C3PAO.
3. Conduct a gap assessment using NIST 800-171 or FAR 52.204-21 as your baseline.
4. Engage a Registered Provider Organization (RPO) or Certified Third Party Assessment Organization (C3PAO) for expert guidance.
5. Prepare documentation and evidence packages now—don’t wait for a contract requirement to get started.

The DoD has made its intentions clear: CMMC will be enforced. With the final rule under OIRA review, official implementation guidance imminent, and detailed assessment policies already issued, the question is no longer if CMMC will impact your business—but when.

Smart contractors aren’t waiting. They’re building muscle memory now, investing in readiness, and reducing the risk of losing out on future contracts. IS Partners is ready to help accelerate your CMMC readiness today. 

As an Authorized C3PAO, we help companies achieve CMMC Level 2 certification with confidence. We have more than 20 years of cross-industry compliance experience and a 95% client retention rate. Our expert team makes it easy to navigate CMMC audit readiness and compliance, from the initial gap assessment all the way through to the audit phase. 

Check out our full list of CMMC compliance services to learn how we can help you.

About The Author

Jena Andrews

Jena is a senior auditor and security consultant since 2021. She is specialized in compliance management, cybersecurity, IT security, and risk management. Jena is a certified information systems auditor (CISA) and project manager.

With a decade-long history in Project Management, Jena has focused the past five years on Compliance, IT and Operations auditing, Information Security, and Cybersecurity. She has conducted a plethora of compliance audits and security assessments in accordance with standards including SOC 1, SOC 2, HIPAA, PCI DSS, ISO 27001, and NIST 800-53, 800-171.

Jena is a proud B.S. graduate in Criminal Justice from West Chester University and holds esteemed CISA, PMP, and CCP certifications, further highlighting her expertise and commitment to professionalism.