From Framework to Force—Your Compliance Deadline Is Here
By Melissa McCoy, Chief Information & Security Officer – CISSP-ISSAP, CCSP, RP
While much of the discussion about the Cybersecurity Maturity Model Certification (CMMC) has focused on the 32 Code of Federal Regulations (CFR) Part 170 rule, which officially established the program’s framework, the real-world impact for contractors begins with the separate 48 CFR rule. This latter rule, currently in its final stages of review, will amend the Defense Federal Acquisition Regulation Supplement (DFARS) to include the CMMC contract clause (DFARS 252.204-7021) in solicitations. This is the critical step that will legally bind contractors to CMMC requirements. It’s a two-part process: the 32 CFR rule defines the levels and standards, while the 48 CFR rule outlines how the contractual mechanism implements those requirements for the defense industrial base.
Once the 48 CFR rule is finalized, the phased rollout of CMMC will begin. The first contracts requiring CMMC compliance are expected as early as October 2025. This means that if your company handles Controlled Unclassified Information (CUI), you should be actively working on your cybersecurity program now. The days of simply self-attesting to a set of security controls are over. The new era requires a verified third-party assessment for most contracts handling CUI, adding a new layer of accountability and integrity to the DoD’s supply chain security.
The CMMC October 2025 compliance deadline is here. Contact Kaizen Approach for a free 30-minute CMMC consultation. Kaizen Approach, Inc. can help you prepare!