CMMC Title 48 Ruling Progresses

By Scott Dawson
July 24, 2025

DoD’s CMMC Contract Rule Heads to OMB Review: What Small Contractors Need to Know

 

On July 22, 2025, the Department of Defense sent its long-awaited CMMC contract rule to the Office of Management and Budget. This was an important step in making CMMC 2.0 clauses a regular part of DoD solicitations.

For small businesses in the Defense Industrial Base, understanding this process is important: getting ahead can help them win the next prime contract and avoid losing to better-prepared competitors.

 

Why CMMC Title 48 Rule Matters

 

From Framework to Contract

The first CMMC rule (32 CFR Part 170) set the program’s technical requirements. This second CMMC rule will add requirements to the Defense Federal Acquisition Regulation Supplement (DFARS). It will specifically affect 48 CFR Parts 204, 212, 217, and 252.

Mandatory Clauses in Every Solicitation

Once finalized, every new Department of Defense (DoD) solicitation that contains Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will include requirements for the Cybersecurity Maturity Model Certification (CMMC), at the level set by the contracting officer. No more optional self-certification or “we’ll do it later.”

What Submission to OMB Means for You

1. Interagency Review (≈90 Days)

OMB’s Office of Information and Regulatory Affairs (OIRA) will look at the proposed DFARS changes. This review will take up to 90 days. During this time, other agencies can suggest edits—most often around cost estimates or small-business impacts.

2. National Security Exemption

Because CMMC touches national security, DoD sought an expedited review under the national-security exemption. That can shorten or streamline OIRA’s normal process.

3. Timing for Publication

If OMB clears the rule on schedule, the final DFARS text should appear in the Federal Register by late 2025. Contracting officers will begin adding CMMC clauses within weeks of that publication.

Key Provisions to Prepare For CMMC Compliance and CMMC Certification

• Clause 252.204-7021: Contractors will enter their assessment score into the DoD’s Supplier Performance Risk System (SPRS). This score can be from a Level 1 self-assessment or a Level 2 third-party audit.

• Precise Flow-Down Language: DFARS will require primes to pass CMMC obligations and SPRS reporting duties clearly and explicitly to every subcontractor handling CUI.

• Enforcement Guidance: Misstating compliance in SPRS can trigger False Claims Act liabilities—no more “we’ll fix it later” loopholes.

 

How Small Businesses Can Get Ahead

1. Review Your SPRS Posture Now: Log in to SPRS and ensure your Level 1 or Level 2 score is accurate. Clean up any Plan-of-Action & Milestones before these clauses become mandatory.

2. Update Your Contracts: Even before DFARS is final, revise your subcontract language to mirror the forthcoming clauses. That way, you won’t scramble when prime contracts start demanding it.

3. Confirm Your Assessment Partner: For Level 2 work, check the CMMC Accreditation Body’s marketplace—73 C3PAOs are currently active, and more will be authorized by year-end. Lock in your audit dates early.

4. Budget and Schedule for Audits: Third-party assessments take weeks to schedule and complete. Build that into your proposal timelines and cost estimates now.

What Happens After the Title 48 DFARS Rule

Phased Roll-In

DoD’s plan calls for a three-year phase-in of CMMC clauses—starting with the highest-value contracts first and expanding to all solicitations by Year 3.

Alignment with NIST SP 800-171 Revision 3

Soon after the DFARS rule is finalized, DoD will begin rulemaking to align CMMC requirements with the latest NIST standards, published in May 2024.

Continuous Updates

Stay tuned to the DoD CMMC Resources page and Reginfo.gov for Federal Register notices, official guidance, and implementation briefs.

 

Help for Small Businesses

To help small businesses prepare for CMMC, consider using a managed, cloud-based service like CORE Vault. It provides a ready-to-use environment, certified for FedRAMP High and designed for Controlled Unclassified Information (CUI), in your AWS GovCloud account.

CORE Vault handles the technical setup, security controls, and documentation support out of the box—so you can focus on your contracts, not your infrastructure (Core Business Solutions). This approach makes your compliance boundary smaller. It lowers network upgrade costs.

It helps you meet 82 of the 110 NIST SP 800-171 controls right away. You can do this without changing your current IT system.

By understanding the upcoming DFARS amendments now, your small business can build compliance into your project plans—keeping you competitive, audit-ready, and poised to win new DoD work.

Core Business Solutions, established in 2000, is a Registered Practitioner Organization through the Cyber AB and has been providing consulting and technical solutions for NIST/CMMC for over 5 years. Rick Krick is the Director of Security Solutions for Core Business Solutions and directs our Cybersecurity Services solutions including CMMC. Rick has over 25 years of experience in Management System implementations, software development, IT services, and certifications.