CMMC Compliance in 2025: What Defense Contractors Need to Know

The Cybersecurity Maturity Model Certification (CMMC) is becoming a critical requirement for defense contractors in 2025. With updated regulations like 32 CFR and 48 CFR shaping the compliance landscape, businesses must act now to meet stringent cybersecurity standards and protect sensitive data in the DoD supply chain. As the rules continue to evolve, it's critical to know where things stand as we head into 2025.

A quick background on CMMC

CMMC was created to ensure that contractors and suppliers in the DoD supply chain use solid cybersecurity practices. This helps protect sensitive information and supports national security. There are now three levels in the CMMC, ranging from basic cybersecurity (Level 1) to expert-level practices for the most critical data (Level 3), with most small to medium manufacturers aiming for Level 2.

To understand the approval process, manufacturers need to understand some key parts of the Code of Federal Regulations (CFR)—specifically 32 CFR (focused on national defense), 48 CFR (about federal acquisitions), and FAR CUI (government actions classifying CUI).

What is 32 CFR?

32 CFR specifically pertains to the Department of Defense (DoD) and outlines regulations that govern the protection of Controlled Unclassified Information (CUI). 
 

The mechanisms discussed in this rule will allow the Department to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. This rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.
 

What is 48 CFR?

48 CFR serves as the primary regulation for federal government procurement. It governs the acquisition process by which the federal government procures goods and services from the private sector, including cybersecurity requirements for contractors.
 

Key Components of 48 CFR:

  • General principles: Emphasizes fair competition, cost-effectiveness, and ethical conduct.
  • Contract types: Details on different kinds of contracts and how to manage them.
  • Acquisition planning: Agencies must plan how they’ll make purchases to stick to their missions and budgets.
  • Contract administration: Guidelines for managing contracts after they’re awarded, including performance monitoring and dispute resolution.
  • Socioeconomic programs: Encourages participation from small businesses and minority-owned businesses in federal contracting.

What is FAR CUI?

This FAR rule will establish universal contract clauses that would apply to all contractors working with the government.

Key components include:

  • Applies the controlled unclassified information (CUI) program requirements in Federal contracts in a uniform manner to protect CUI.
  • It is part of a larger strategy to improve the Government’s efforts to identify, deter, protect against, detect, and respond to increasingly sophisticated threat actions targeting Federal contractors.
  • Issued in accordance with the National Archives and Records Administration (NARA) regulations implementing the CUI program per Executive Order 13556 issued November 4, 2010, as implemented in NARA’s implementing regulations.

How far along are these clauses?

The proposed 32 CFR CMMC rule was published in December 2023 and became official on December 16, 2024. 48 CFR just wrapped up its public comment period and is being reviewed.

Once the DoD updates 48 CFR, it will be sent to the Office of Management and Budget (OMB) for approval and then published in the Federal Register. The rule becomes official 60 days after publication, so we're looking at the second quarter of 2025 for finalization. After both rules are in place, manufacturers will start seeing CMMC requirements pop up in DoD contract solicitations.

As for FAR CUI, the Office of Information and Regulatory Affairs (OIRA) released the final proposed rule for public comment on January 15 with an expected 60-day comment period.

Major world events could shift focus away from CMMC deadlines, but because strong cybersecurity is a must today, a prolonged delay isn't likely.

Conclusion

As we approach the final stages of CMMC rule implementation, manufacturers should prioritize compliance by understanding the regulations and taking proactive steps. Partnering with a CMMC-compliant ERP and preparing early can secure your eligibility for defense contracts while safeguarding your data. Stay ahead of cybersecurity threats—your readiness begins today.

For more help, check out the two whitepapers on our CMMC page and start getting ready to tackle cybersecurity threats head-on.