What’s Coming With CMMC And 48 CFR?
- jchouinard9
- Aug 7

The Calm Before the Compliance Storm
If you’re a Department of Defense (DoD) contractor, the quiet period is almost over.
After years of drafts, delays, and debate, the final rule for the Cybersecurity Maturity Model Certification (CMMC) is expected to be published within 48 CFR in late summer or early fall 2025. This isn’t another optional guideline. Once it lands, CMMC compliance will be a contractual requirement, and your eligibility to bid, win, and retain contracts will depend on it.
What Is 48 CFR, and Why Is It So Important?
The Federal Acquisition Regulation (FAR) governs how the U.S. government buys goods and services. The 48 CFR is the section of the FAR that will formally incorporate the CMMC framework. This is what makes CMMC enforcement real — not a suggestion, not a plan, but a regulatory mandate.
Once finalized:
- CMMC 2.0 will replace self-attestation for many defense contractors.
- It will require third-party certification at various maturity levels.
- Contract awards may be withheld if your organization isn’t certified at the right level — or even on the path to it.
In short: no compliance, no contracts.
CMMC 2.0 at a Glance
Here’s what we know so far about CMMC 2.0:
Level | Focus | Requirements |
Level 1 | Basic Cyber Hygiene | Self-assessment |
Level 2 | Intermediate – Protecting CUI | Third-party assessment (in most cases) |
Level 3 | Expert – Advanced Threat Defense | Government-led assessments (for high sensitivity) |
Level 2 will apply to the majority of DoD subcontractors and suppliers.
That means your organization will need to demonstrate:
- 110 controls from NIST SP 800-171
- Strong policies and procedures
- Documented evidence of compliance
- Consistent, managed practices
What’s the Timeline?
While the final rule is expected soon, implementation will roll out in phases. That doesn’t mean you have time to waste.
Expect to see:
- Early adoption in select contracts within 30–60 days of the rule’s publication
- Wider enforcement across all relevant DoD contracts by mid-to-late 2026
- A three-year phased approach, but early movers will gain a competitive advantage
Prime contractors will increasingly require their subs to show progress toward certification, even before final enforcement.
Why Waiting Is a Risk You Can’t Afford
Every day you delay preparation is a day closer to lost bids, disqualification, and regulatory exposure.
Top 3 risks of waiting:
- Bid Ineligibility – Contracts may soon require a CMMC certificate at the time of award
- Higher Costs – Remediation gets more expensive when it’s rushed
- Reputational Damage – Non-compliance signals poor cyber hygiene
How TMGC Can Help: Your CMMC Partner from Day One
At The Millennium Group Computing, we understand what’s coming — and we’re already helping defense contractors prepare.
- Pre-Rule Readiness Assessments: We map your environment to NIST 800-171 and identify what’s missing.
- Scalable Remediation & Support: From MFA to SIEM, we implement the right tools and practices.
- Audit-Ready Documentation: We help generate SSPs, POAMs, policies, and logs — without the scramble.
- Industry Experience: We specialize in DoD-aligned cybersecurity for small to mid-sized contractors.
Final Thoughts: Prepare Now or Pay Later
The finalization of 48 CFR will be a line in the sand.
Contractors that cross it prepared will thrive. Those that don’t may find themselves sidelined from lucrative DoD work.
CMMC 2.0 isn’t just about compliance — it’s about securing your future in the defense industrial base.
Join Us Live: CMMC 2.0 & 48 CFR Readiness Webinar
Topic: What’s Changing and How to Stay Eligible
Date: Tuesday, September 16, 2025
Time: 11:00–11:30 AM
Panelists:
- Evan Neufeld, CMMC-RP, Edwards Performance Solutions
- Tony DiDonato, CEO, The Millennium Group Computing

