
48 CFR Rulemaking and Final Level 2 Certification Milestones: The Biggest Takeaways from the July CyberAB Town Hall
Last week, a new milestone in the 48 CFR rulemaking process signified that CMMC will likely be required in nearly all new DoD contracts starting this October.
Against that backdrop, the CyberAB’s July Town Hall delivered timely insight, expert analysis, and tactical reminders as the ecosystem accelerates toward implementation. This month’s session not only clarified key regulatory nuances but also shed light on readiness trends, early certification failures, and ecosystem bottlenecks that could impact organizations seeking certification (OSCs) in the coming months.
Here are the major takeaways.
1. CMMC phased rollout is imminent, most likely beginning this fall if not sooner
Previously, in the May Town Hall, the CyberAB recapped the CMMC CEIC West event, during which Stacy Bostjanick, Chief of the DoD’s Industrial Base Cybersecurity Office, indicated that the 48 CFR rule was expected to go into effect in fall 2025 and kick off the phased rollout.
This fall deadline officially showed up in the updated final 48 CFR rule, which was submitted on July 22 to the Office of Information and Regulatory Affairs (OIRA), a part of the Office of Management and Budget (OMB), for review. You can find it listed on OIRA’s List of Regulatory Actions Currently Under Review.
Source: OIRA Regulatory Page
This updated final 48 CFR rule contained contract clause 204.7503, which states that CMMC certification must be included in all applicable solicitations and contracts awarded after October 1, 2025.
To address speculation about how “real” this deadline is, Michael Gruden, a partner at Crowell & Moring and former acquisition official with both the DoD and DHS, joined this month’s Town Hall. He said the 48 CFR rule—sometimes referred to as the CMMC clause rule—moving forward in the rulemaking process is a big deal, since it had seemed relatively stagnant in the public sphere. Being sent to OIRA last week shows that enforcement is imminent and that the clause could appear as early as the fall, or even sooner.
Here’s why Gruden said the timeline is not certain:
- There’s no minimum period of review delineated in the regulatory review process in Executive Order 12866, so we could see it at any time.
- However, the EO does give OIRA up to 90 days to review. This time period is designed so other agencies can review the rule and put forth any questions, concerns, and inquiries and then the acting agency (the DoD in this case) and rule drafters can consider this feedback and make any necessary revisions.
- The OMB director can request a 30-day extension (one time) so collectively the review could take a maximum of 120 days.
- Typically, the rule is then sent back to the acting agency (again, the DoD in this case), which sends it to the Federal Register to be published. This typically takes a couple of weeks. The rule should be effective upon publication in the Federal Register. At that point, the first phase of the CMMC rollout will begin and CMMC Level 1 and Level 2 requirements will be enforceable through contract clauses.
Given this nuance, Gruden estimates that the CMMC clause will start appearing in contracts in the fall, most likely October but possibly November. However, he noted that in conversations with DoD officials, they said that theoretically the final 48 CFR rule could be issued in the next couple of weeks if the agency wanted to. It’s not likely but the government does have that flexibility.
Another key indicator that this clause will start appearing sooner rather than later is that OIRA designated this 48 CFR rule update as “not economically significant.” The 32 CFR rule was designated economically significant, which required formal reviews from Congress. Designating the 48 CFR rule as not economically significant eliminates some of the formal Congressional reviews that would otherwise be required.
2. “What ifs” that could affect the finalization of the 48 CFR Rule or the CMMC program more broadly
There are some what-ifs that could derail the 48 CFR rulemaking timeline and the CMMC rollout. OIRA could deem the rule incompatible with the law, or find the analysis and justification for the regulation inadequate and send it back to the DoD, for example, or the final rule could be challenged under the Administrative Procedure Act. However, Gruden emphasized that there’s a lot of support behind this final rule and the overall CMMC 2.0 program, so these worst-case scenarios are not likely.
What is more likely to impact the implementation of the CMMC program are significant rulemaking milestones or changes to the proposed FAR CUI Rule or to the existing DFARS 7012 and 32 CFR rules. Gruden explained that they’re all so interconnected and complementary that it’s possible they could affect each other. For example, will the incident response requirements in DFARS 7012 be implicated by or merged with requirements in CMMC, or will they co-exist? What will happen if the 32 CFR rule is updated to align CMMC 2.0 with NIST 800-171 Revision 3, as the DoD has said it will be?
In the case of the latter, an amendment like that would essentially restart the proposed rule phase, which is a 6-12 month process. To keep up with these potential changes, Gruden recommends looking out for the administration’s Unified Regulatory Agenda, which will likely be published in the fall.
So while the CMMC enforcement deadline is still uncertain due to these and many other factors, the key takeaway is that the 48 CFR rulemaking has progressed and that the contract clause is imminent.
There’s another important reason that organizations seeking certification shouldn’t delay, which we’ll cover next.
3. CMMC Level 2 assessments are increasing exponentially
While the CMMC phased rollout hasn’t officially begun, hundreds of organizations are already certified at Level 2. In this month’s Town Hall, the CyberAB reported that 258 organizations have completed Level 2 assessments and received a Final CMMC status.
While this number may seem low compared to the DoD estimate of 80,598 organizations that will need Level 2 certification by the end of the phase-in period, it is significant for two reasons. The first is that these organizations have proactively prepared and sought out Level 2 assessments before the enforcement deadline was finalized, signifying a commitment to CMMC that hasn’t been seen widely across the DIB in earlier phases of the program.
The second is that this number has been steadily increasing month over month since the 32 CFR Rule went into effect in December 2024 and Level 2 assessments started in January. For the first five months of the year, approximately 100 CMMC Level 2 assessments had been completed—roughly 20 per month. In June, the CyberAB reported 158 had been completed, which was nearly three times the monthly average. July then broke that record, with 90 assessments completed—a 33% month-over-month increase.
With 87 Level 2 assessments already in progress, this is a promising trend and an indicator that CMMC readiness, CUI protection, and national security more broadly will continue to improve. It’s also a signal to OSCs not to delay pursuing Level 2 certification as the CMMC deadline approaches and C3PAO capacity tightens.
4. Some primes and subcontractors already asking for CMMC certification in their supply chain
Another reason to not delay CMMC compliance: some contracts may already require it!
In his current role, Gruden said he’s already seeing primes and higher-tier subcontractors requiring lower-tier subcontractors to demonstrate CMMC certification or to attest to a timeframe in which they will obtain certification.
This makes sense if everyone is getting ready for an October timeframe, according to Gruden. Even though many OSCs will only be required to self-assess in the first phase of the rollout, the DoD can identify any solicitation or future contract as requiring a certification assessment during this phase. So core programs and contractors want to get their affairs in order and are already putting pressure on their supply chains to get compliant—or at least show progress.
5. First time that assessment failures are reported
For the first time, the CyberAB shared the number of organizations that failed a Level 2 assessment. Although CyberAB CEO and town hall moderator Matthew Travis noted that there may be unreported false starts (meaning organizations might be stopping an assessment partway through or converting it to a mock assessment if significant gaps are discovered), the official number is hearteningly low, with only 8 organizations having failed.
One possible reason that organizations are failing or pausing their assessments, according to Travis? They’re not seeking out support from CMMC Registered Practitioners. Let’s take a look at the CMMC ecosystem update next.
Source: CyberAB’s July Town Hall Presentation Slides
6. CMMC ecosystem capacity update
As more organizations move toward assessment, the strength—and limits—of the CMMC ecosystem are coming into focus. The July Town Hall offered a detailed update on ecosystem capacity and practitioner growth:
- 77 authorized C3PAOs (with over 500 C3PAO applications in the pipeline)
- 455 Certified CMMC Assessors (CCAs) and 300 Lead CCAs (with over 900 CCA applications in the pipeline)
- 971 Certified CMMC Professionals (CCPs)
- 345 Registered Practitioner Organizations (RPOs) and 233 Registered Practitioner Associates (RPAs)
- Over 1,800 Registered Practitioners (RPs) actively supporting OSCs
These numbers tell a promising story. The surge in CCA and C3PAO applications suggests that industry professionals are eager to help meet demand as the certification deadline draws near. However, that demand may outpace supply, particularly as bottlenecks form at key points of oversight, including CyberAB’s own processing capacity and the throughput of certified assessors.
Travis also suggested that many of the early assessment failures may stem from organizations skipping expert guidance. With over 2,000 certified or registered practitioners available, organizations have no shortage of qualified help. But as certification requests ramp up in Q4, waiting too long to engage these resources could mean getting stuck in a backlog.
Another important reminder: ethics and transparency are paramount. Practitioners and advisors must avoid misrepresenting their qualifications, such as claiming to be “CMMC certified” as an organization when only individuals hold credentials, or fabricating certification badges that don’t exist. The CyberAB Professional Code of Conduct prohibits such misrepresentations, and enforcement will likely increase as more organizations enter the assessment queue.
7. CMMC is going international
CMMC is going to be a global program, with the CyberAB reporting that it received the first C3PAO applications from firms in Taiwan and Canada and encouraging practitioners to think about how they can best serve the growing international market.
This is a positive sign, since defense contractors, subcontractors, and other members of the DIB that are based outside the US but work with the DoD still have to get CMMC certified. Because many countries have privacy concerns about assessors from other countries getting access to their information and systems, the CMMC ecosystem must expand internationally to have assessors in place to support and conduct these assessments.
8. A reminder on accurate and up-to-date CAGE codes for systems and HLOs
CAGE codes may seem like a bureaucratic detail, but they are critical to certification eligibility. During this month’s Town Hall, the CyberAB again emphasized that an inaccurate or outdated CAGE code can derail an assessment, even if every technical requirement is met.
Why do CAGE codes matter? After a certification assessment is complete, results are uploaded to eMASS, which sends validated data to SPRS, the system that federal contracting officers use to verify CMMC compliance. If the CAGE code doesn’t match across systems (because of a retired or incorrect code, for example), SPRS won’t show a CMMC certified status for your organization’s system, which may affect your contract eligibility.
Additionally, organizations must also submit the CAGE code for the Highest Level Owner (HLO): the ultimate owner of the OSC whose information system is CMMC certified and which is being awarded the contract. This is true even if the HLO is not a defense contractor. For example, if a private equity firm owns the OSC, that firm must still obtain a CAGE code to satisfy eMASS submission requirements. This step can easily be missed but plays a crucial role in ensuring your certification status is properly processed and visible.
9. The 10-day re-evaluation period is still being misunderstood
Although this was addressed in the May Town Hall, the CyberAB received feedback from assessors that many OSCs still misunderstand the nature of the 10-day re-evaluation window.
To recap: If a requirement is assessed as “Not Met” (or trending that way), OSCs may have up to 10 business days during the course of the assessment to submit existing, but previously unshared, evidence. This is only allowed if:
- The evidence was in existence prior to the requirement being assessed,
- It does not affect or limit the effectiveness of other requirements marked as “Met,” and
- The Assessment Findings Report has not yet been delivered.
This period is not an opportunity for OSCs to create new evidence or to correct evidence that was deemed insufficient. Instead, it is an opportunity for OSCs that did not provide all the evidence they already had, whether a policy, a technology, or a person who wasn’t available at the time the requirement was assessed, to present it. For example, let’s say a critical person was missing during the security requirement interview. This person could be presented as “additional evidence” during the 10-day re-evaluation period.
In short: think existing evidence, not additional evidence. “Additional” is the language used in the 32 CFR rule that’s causing confusion, but C3PAOs have been instructed to interpret it as existing evidence.
Importantly, Travis clarified that assessors may still exercise discretion to allow minor clarifications or “quick fixes” before a determination is made on whether a requirement is met. This discretion is distinct from the re-evaluation period and should not be conflated with it.
A Notice to the Ecosystem will be released soon to clarify this further, and CyberAB’s CAP documentation will be amended to align with current guidance.
Final thoughts: Stay prepared, stay informed
The July 2025 Town Hall delivered a clear message: CMMC enforcement is no longer a question of “if” but “when.”
With the 48 CFR rule submitted to OIRA and a contract clause poised to take effect as early as October, the phased rollout is closer than it has ever been. And with certification failures now publicly acknowledged, the importance of planning, preparation, and practitioner support is undeniable.
Organizations that act now—by updating their CAGE codes, engaging qualified practitioners, and proactively scheduling assessments—will be best positioned to compete for contracts and demonstrate their commitment to protecting CUI and other sensitive government information.
As we approach the final months before enforcement, stay informed. Each month brings new clarity, new risks, and new guidance that could reshape your certification strategy. You can explore additional insights and rulemaking coverage in the CMMC.com Newsroom, including our in-depth recaps of previous CyberAB Town Halls.