The CMMC 2.0 Rulemaking Process

CMMC 2.0 represents a significant overhaul of the Department of Defense’s (DoD) cybersecurity framework for defense contractors. 

After receiving feedback from the defense industry, Congress, and other stakeholders, the DoD moved away from its original CMMC framework (known as CMMC 1.0) toward a more streamlined model (known as CMMC 2.0).

Introduced in November 2021, CMMC 2.0 made key changes to the original framework to meet three objectives:

  • reducing costs, particularly for small businesses
  • increasing trust in the CMMC assessment ecosystem
  • clarifying and aligning cybersecurity requirements to existing federal requirements and commonly accepted standards

To ensure continued alignment with federal regulations and to incorporate input from industry stakeholders, CMMC 2.0 underwent a formal notice-and-comment rulemaking process. Understanding this process is essential for defense contractors and subcontractors preparing for compliance.

Key stages in the CMMC 2.0 rulemaking process: How the 32 CFR CMMC Program Rule was finalized

The CMMC 2.0 rulemaking process followed a structured approach to ensure clarity, transparency, and industry engagement. However, because of the length of the rulemaking process, it may not seem so clear. Below we’ll break down the process into the most important milestones so you can better understand how the program has evolved over time. 

4 major milestones in the rulemaking process for 32 CFR CMMC Program rule

Please note that this section will cover the rulemaking process for the 32 Code of Federal Regulations (CFR) CMMC Program rule, which officially established the CMMC 2.0 program. There is a separate rulemaking process for the 48 CFR CMMC Acquisition rule, which will implement CMMC policies in DoD contracts. This process is still ongoing and will be covered in the next section.

December 2023: Release of the CMMC 2.0 Proposed Rule (32 CFR rule)

On December 26, 2023, the DoD published the proposed 32 CFR CMMC Program Rule in the Federal Register, the much-anticipated rule change for the CMMC program. Dubbed CMMC 2.0, the proposed rule revised certain aspects of the program to address public concerns raised in response to DoD's initial vision for the CMMC 1.0 program, published in 2020.

Most notably, CMMC 2.0 streamlined and simplified the process for small and medium-sized businesses by reducing the number of assessment levels from five to three. These levels align cybersecurity requirements to the sensitivity of the unclassified information to be protected. It also added a self-assessment requirement, under which contractors affirm implementation of the applicable cybersecurity requirements, and a certification requirement, under which an independent assessment verifies that implementation. These elements were added to ensure accountability while minimizing barriers to compliance with DoD requirements.

February 2024: End of public comment period for the CMMC 2.0 Proposed Rule

The proposed rule was open for comment for 60 days. During this period, industry stakeholders submitted feedback on the proposed rule. Nearly 800 comments were received before the public comment period closed on February 26, 2024, at 11:59 p.m. These comments informed the Final Rule.

October 2024: Release of the CMMC 2.0 Final Rule

The DoD reviewed the comments and made adjustments to improve the feasibility and effectiveness of the final 32 CFR rule. Because of the number of comments, this took most of 2024. DoD published the final rule, also known as the updated 32 CFR rule, in the Federal Register on October 15, 2024, with a 60-day congressional review period before it took effect.

December 2024: Effective date of the CMMC 2.0 Final Rule

The 60-day congressional review period ended without any changes on December 16, 2024. At that point, rulemaking for the 32 CFR Program Rule was complete and the CMMC 2.0 program went into effect.

While assessments were available at this time, CMMC requirements were not included in DoD contracts yet. Let’s look at why below.

The rulemaking process for the 48 CFR CMMC Acquisition Rule

While the 32 CFR rule finalized the program structure, a separate rule — the 48 CFR Acquisition Rule — is required to mandate CMMC in DoD contracts by updating the Defense Federal Acquisition Regulation Supplement (DFARS).

Let’s walk through the key milestones of this second rule.

September 2020: Release of the 48 CFR CMMC Acquisition interim final rule

On September 29, 2020, DoD published the 48 CFR CMMC interim final rule, Defense Federal Acquisition Regulation Supplement (DFARS): Assessing Contractor Implementation of Cybersecurity Requirements. This implemented the DoD's vision for the initial CMMC Program and outlined the basic features of the framework, including the five-tiered model, required assessments, and implementation through contracts, to protect federal contract information (FCI) and controlled unclassified information (CUI).

This interim rule was open for public comment for 60 days, during which DoD received approximately 750 comments. These comments highlighted a variety of industry concerns related to:

  • the costs for a C3PAO certification
  • the costs and burden associated with implementing, prior to award, the required process maturity and 20 additional cybersecurity practices that were included in the CMMC 1.0 Program
  • interpretations of the CMMC framework implementation requirements and control objectives
  • the impact the rule would have on small businesses in the DIB

November 2020: Effective date of 48 CFR interim final rule

The 48 CFR CMMC interim final rule became effective on November 30, 2020. Designed to increase compliance with DoD's cybersecurity regulations and improve security throughout the defense industrial base (DIB), the rule introduced one new provision and two new clauses:

  • DFARS provision 252.204-7019: Requires offerors to have a current NIST SP 800-171 DoD Assessment (no more than three years old), including a self-assessment score, posted in the Supplier Performance Risk System (SPRS) in order to be considered for award.
  • DFARS clause 252.204-7020: Requires contractors to provide the government access to facilities, systems, and personnel for Medium and High assessments, and to confirm that subcontractors have a current assessment in SPRS before awarding subcontracts that involve covered defense information.
  • DFARS clause 252.204-7021, also known as 48 CFR 252.204-7021: Requires contractors to achieve and maintain the CMMC level specified in the contract and to flow the requirement down to subcontractors.

This rule also started the five-year phase-in period that DoD had planned for CMMC 1.0.

March 2021: Start of DoD’s internal review of CMMC’s implementation

Because of the volume of feedback on the 48 CFR CMMC interim final rule, the DoD paused the planned CMMC rollout and initiated an internal review of CMMC's implementation in March 2021. The review brought together cybersecurity and acquisition leaders within DoD to refine policy and program implementation based on input from industry and from the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) relating to the initial CMMC Program.

August 2024: Release of proposed rule change to 48 CFR 

On August 15, 2024, the DoD published for public comment its proposed amendments to the 48 Code of Federal Regulations (CFR) rule. These amendments incorporate into DFARS the contractual requirements needed to implement the CMMC 2.0 program established in 32 CFR part 170.

The most notable changes included:

  • Requiring contractors to hold a current CMMC status at the level specified in a given solicitation, with contracting officers verifying that status in SPRS.
  • Requiring contractors to obtain certifications or perform self-assessments under the CMMC program before contract award by adding a new provision, DFARS 252.204-7YYY (a placeholder number used in the proposed rule).
  • Requiring contractors to maintain compliance at the specified CMMC level throughout contract performance and to notify contracting officers if lapses or changes in CMMC certification levels occur.
  • Removing the Non-Federal Organization (NFO) control requirements.

October 2024: End of public comment period

The public comment period closed on October 15, 2024, at 11:59 p.m. The DoD then had to review this feedback and make any final changes to the rule before submitting it to the Office of Information and Regulatory Affairs (OIRA) for regulatory review. The rule had been expected to go before Congress in mid-October, but this did not happen.

July 2025: 48 CFR Rule Submitted to OIRA

On July 22, 2025, the DoD submitted the final 48 CFR Acquisition Rule to the Office of Information and Regulatory Affairs (OIRA), a part of the Office of Management and Budget (OMB), for review. Included in the submission was DFARS 204.7503, the clause prescription section, which stated that the CMMC clause must be included in all applicable solicitations and contracts awarded on or after October 1, 2025.

That date turned out to be a holdover from the CMMC 1.0 phase-in and has officially been removed. While the exact date remains pending, CMMC is still expected to become enforceable before the end of 2025, according to the CyberAB's August Town Hall.

As soon as this rule is final, Phase 1 of the CMMC rollout will begin, and CMMC Level 1 and Level 2 self-assessment requirements (which DoD estimates will apply to 65% of the DIB) will be enforceable through contract clauses.

While the 48 CFR rule still has to pass OMB review and be published in the Federal Register, this major rulemaking milestone shows that enforcement is imminent; the clause could appear in contracts as early as this fall or even sooner, according to the CyberAB's July Town Hall.

In short: CMMC is no longer a future possibility. It will likely be a contractual requirement for most defense work starting this year.

Impact of the rulemaking process on defense contractors

The rulemaking process influences how and when defense contractors must comply with CMMC 2.0. 

Key considerations include:

  • Compliance is no longer optional: Once the 48 CFR rule is published, CMMC is expected to be enforced in most new DoD contracts, beginning with Level 1 and Level 2 self-assessment requirements (although DoD has discretion to require third-party certification for Level 2 during this phase).
  • Time is limited: Contractors seeking CMMC certification will need time to define scope, implement controls, complete documentation, and either complete a self-assessment or engage with a C3PAO.
  • Early action is critical: Demand for assessors is already rising. Waiting risks missing the deadline or losing contract eligibility.

This post was originally published in March 2025 and has been updated for accuracy and comprehensiveness based on recent updates across the CMMC ecosystem, like the CyberAB's August Town Hall.

FAQs

Is CMMC 2.0 rule-making complete?

Almost. The 32 CFR CMMC Program Rule was finalized in October 2024 and went into effect in December 2024. The 48 CFR Acquisition Rule, which implements CMMC in contracts, was submitted to OMB on July 22, 2025, and is expected to be finalized and published in the Federal Register by the end of 2025. Once that happens, the DoD will begin rolling out CMMC self-assessment requirements in most new contracts and Level 2 certification requirements in some high-priority contracts.

What’s the difference between an interim and proposed rule for CMMC? 

Under a proposed rule, the agency publishes a draft, collects and reviews public comments, and only then issues a final rule that takes effect. An interim final rule takes effect immediately or on a stated date, while comments are collected, and may be amended afterward. CMMC 1.0 was implemented as an interim final rule. CMMC 2.0 followed the full proposed rulemaking process.

Can an organization get CMMC certified before the 48 CFR rule is final?

Yes. Assessments became available in December 2024 when the 32 CFR rule went into effect. Organizations can voluntarily pursue certification before the 48 CFR rule becomes final, and as of August 2025, 270 organizations had already achieved Level 2 certification. Many primes are also already requiring evidence of CMMC readiness from their subcontractors. With enforcement expected to begin this year, early certification is strongly recommended.
