Key point: CMMC took another step towards reality, with OIRA clearing for publication the DFARS proposed rule that will add CMMC requirements as a condition of award for new contracts.

What happened: On August 25, 2025, the Office of Management and Budget’s Office of Information and Regulatory Affairs (OIRA) completed its review of the DoD’s proposed rule Assessing Contractor Implementation of Cybersecurity Requirements. The proposed rule would amend the DFARS and incorporate the Cybersecurity Maturity Model Certification (CMMC) requirements into new solicitations. OIRA reviews often take 60–90 days, but in this case, the proposed rule was approved in just over 30 days. The speed at which OIRA approved the proposed rule demonstrates the Executive Branch’s prioritization of cybersecurity in the areas of critical infrastructure and national defense.

Next steps: The DFARS rule will now be published in the Federal Register, triggering the first phase of CMMC contractual compliance for DoD contractors and subcontractors. Publication typically takes 1–3 weeks, and we expect the DFARS rule to become effective within the next 60 days. However, since the CMMC program has been in effect since December 2024, it is entirely possible that the DFARS rule will go into effect immediately upon publication.

Practical takeaways: When the final rule goes into effect, CMMC compliance will be a condition of award for DoD solicitations that involve federal contract information (FCI) or controlled unclassified information (CUI). If not already completed, prime contractors, subcontractors, and DoD suppliers will need to complete either a CMMC Level 1 self-assessment or a Level 2 assessment—possibly a Level 2 self-assessment, but more likely a third-party Level 2 certification. Once complete, senior company officials for each of these entities will need to submit an annual compliance affirmation via the Supplier Performance Risk System.

Since there is already a bottleneck for scheduling third-party Level 2 certifications with an approved CMMC Third Party Assessment Organization (C3PAO), contractors, subcontractors, and suppliers who thought CMMC would never come to fruition are now at a competitive disadvantage. These organizations should immediately review their cybersecurity procedures and policies against the CMMC Level 1 and Level 2 assessment guides, complete a Level 1 self-assessment if needed, and ensure all required documentation for a third-party assessment is ready for review. Advance preparation will be critical, as the deadline for compliance is rapidly approaching.

Bottom line: OIRA’s approval signals the end of the hypothetical era for CMMC and the onset of tangible requirements. The next two months will set the tone for enforcement and shape the future of cybersecurity in the defense supply chain. If you have questions regarding CMMC compliance requirements, contact Husch Blackwell’s cybersecurity or government contracts attorneys for advice.

Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Heidi Salow

Heidi counsels clients on a wide range of privacy, cybersecurity, and artificial intelligence laws, regulations, and standards, including the CCPA, FERPA, EU AI Act, EU and U.K. GDPR, HIPAA, FCRA, GLBA, and NIST frameworks, as well as various U.S. state laws and regulations touching on healthcare and financial privacy, artificial intelligence, biometrics, and information security. She draws on a notable background as one of the first U.S. attorneys focused on data privacy and cybersecurity, as well as experience as a corporate executive. Heidi previously held executive roles at two large multinational corporations, Thomson Reuters and Leidos.

Luis Hidalgo

Luis assists clients with government contracts. A former accountant and auditor, Luis thrived on investigative work but was keenly aware that his role never included resolving any of the problems he uncovered. He chose to pursue a career as an attorney, where he could combine his passions for fact-finding, problem-solving, and creativity.