CMMC Rule Update: 48 CFR Proposed Rule Published, Determining When CMMC Will Be In Contracts

    Get the latest on the 48 CFR CMMC proposed rule, its impact on DoD contracts, and how to prepare for upcoming CMMC certification requirements.



    This episode is from the Sum IT Up podcast.

    The 48 CFR CMMC Proposed Rule Has Been Published

    Remember back in late 2023 when we predicted 2024 would be a year of non-stop rulemaking chaos? Well, we weren’t kidding! Fast forward to now, and we’ve got a whirlwind of DIB CS rules, FedRAMP memos, and a flood of new proposals. 

    It’s like the regulatory cavalry arrived at 4 AM, and we’ve been scrambling ever since. 

    But now, the biggest rulemaking update of the year just dropped: 1,417 days after the original Cybersecurity Maturity Model Certification (CMMC) clause was first published, we’ve finally got the official CMMC proposed rule revising DFARS clause 252.204-7021.

    What is the 48 CFR CMMC Proposed Rule?

    This is where it gets real, folks—this rule is going to show up in your contracts, RFPs, awards, and everything else involving the DoD.  

    So, what does it say, and who does it affect? 

    It’s been a long road since the CMMC journey started. We’re way past speculating about what’s going to happen; we’re now in the thick of it. Rules are being published, and timelines are being set in stone.

    Let’s get to the core of it.  

    This rule is short—just 57 pages—and breaks down into two main parts:  

    • The preamble
    • The actual changes to the DFARS clause 

    The preamble is where the heavy lifting happens, with all the legalese, cost-benefit analyses, and small business impact considerations.  

    But the actual DFARS changes? They’re only 13 pages long, and they’re pretty straightforward. 

    This rule comes with some essential definitions, like “current” CMMC status, which is defined as not older than one year for level one self-assessments, and not older than three years for level two and three certifications.

    The rule also introduces the DOD Unique Identifier (DOD-UID), which is an alphanumeric string that tracks your CMMC assessment in the SPRS. 

    What does the 48 CFR rule mean for your organization? 

    Here’s the kicker: this rule means that if you want to win DoD contracts, you need to be CMMC certified at the required level before you can take award.

    That’s right—no certification, no contract.  



    The rule also lays out what’s required in your RFPs and contracts, including flowing down requirements to your subcontractors. If you’re a subcontractor, listen up: before awarding a subcontract, the prime contractor must ensure that the subcontractor has the required CMMC certification. This flow-down requirement is going to be huge, affecting every part of the supply chain.

    The key takeaway? You need to get certified, and you need to do it fast. 

    When will CMMC be in contracts?


    A phased rollout is closer than you think. The phased rollout of this rule starts in June 2025, with CMMC certifications becoming a requirement for contract awards soon after.  

    And guess what? By the end of 2025, this rule will be in full swing, affecting every DoD contract out there. 

    The DoD is not messing around with these requirements.  They’re setting the bar high for cybersecurity across the defense industrial base, and this rule is the mechanism that will enforce it.  If you’re in the DIB, it’s time to get serious about your CMMC certification, because this train is leaving the station. 


     

    Summit 7 Leadership

    Author