The State of CMMC Rulemaking - What’s Next After 48 CFR
The Cybersecurity Maturity Model Certification (CMMC) has been years in the making, evolving from draft concepts to the rulemaking stage. With the publication of the interim rule in 48 CFR (which formally embeds CMMC 2.0 into the Defense Federal Acquisition Regulation Supplement, or DFARS), many in the Defense Industrial Base (DIB) are asking the same question: What happens next?
The short answer: enforcement is coming, and the clock is ticking. Let’s unpack what the rulemaking milestone means and how contractors should prepare for the next phase.
From Policy to Practice: Why 48 CFR Matters
The inclusion of CMMC into Title 48 of the Code of Federal Regulations (48 CFR) signals that the Department of Defense (DoD) has locked in CMMC as part of acquisition law. No longer just a framework or set of guidelines, CMMC is now tied directly to federal contracting regulations.
This step gives contracting officers the authority to insert CMMC requirements into contracts. It also makes clear that compliance is no longer “voluntary”; it is mandatory for doing business with DoD once the rollout begins.
What Happens After Rule Publication
Once published in the Federal Register, the rule goes through a public comment period (typically 60 days). During this time, contractors, industry groups, and stakeholders can provide feedback. The DoD may refine the final rule based on this input, but the core structure of CMMC 2.0 is unlikely to change.
Following the comment period, DoD will set an effective date for enforcement. That date starts the countdown for when CMMC requirements will begin appearing in Requests for Proposals (RFPs) and contract clauses. Analysts project this could begin showing up in early 2026 contracts, depending on the speed of the rule’s finalization.
Phased Rollout: What to Expect
DoD has signaled a phased implementation strategy to ease contractors into compliance:
- Year 1 (Initial Rollout): A small percentage of contracts will require CMMC Level 1 or Level 2 certification. This allows DoD to validate processes and give C3PAOs time to scale.
- Year 2–3: More contracts will include certification requirements, particularly those involving Controlled Unclassified Information (CUI). Level 2 assessments will become more common.
- Year 3–5: Full enforcement. By this stage, nearly all contracts handling Federal Contract Information (FCI) or CUI will require proof of certification at the appropriate level.
The Role of C3PAOs and Assessments
With the rule now codified, Certified Third-Party Assessor Organizations (C3PAOs) will become busier than ever. Level 2 certifications, in particular, require a formal C3PAO assessment. Early adopters who schedule assessments now will be ahead of the inevitable bottleneck once thousands of contractors seek certification at the same time.
Key Challenges Contractors Face
Even with the rule finalized, contractors face several hurdles:
- Backlog of Assessments: Limited numbers of C3PAOs may cause scheduling delays.
- Documentation Gaps: Many organizations lack fully developed System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms).
- Vendor Risk: Subcontractors must also comply, adding complexity to supply chai
Luis G. Batista C.P.M., CPSM
CyberComply CMMC GRC
A Product of Armada Cyber Defense