What Happens Next for 48 CFR 204.75: Timeline to CMMC Enforcement
Chapter 1
From OIRA Review to Final Rule: The Mechanics and Next Steps
Eric Marquette
Welcome back to CMMC Unlocked. I'm Eric, joined by Ruby, Paul, and Roz. Today we're walking through exactly what happens now that 48 CFR Subpart 204.75 has cleared the OIRA review. Roz, let's start right at the top—the Reg Map shows OIRA review as a big milestone, but it's really just one step on the track. What comes immediately after OIRA signs off on a rule like this?
Roz the Rulemaker
Thanks, Eric. In the federal rulemaking process, after OIRA—or the Office of Information and Regulatory Affairs—concludes its review of the final rule, the next step is drafting the final regulatory text and accompanying preamble. The agency then submits that package to the Federal Register for official publication. This is a formal move: once it's published, the rule is visible for all stakeholders. Under the Congressional Review Act, agencies must also submit the rule to both the House and Senate, and to the Government Accountability Office. Only after these submissions does the clock start ticking for the rule’s effective date. Normally, there’s at least a thirty-day waiting period before it springs to life, though there can be exceptions for urgent rules. So, you can think of OIRA as quality control, but not the finish line—a few more hurdles remain before enforcement begins.
Paul Netopski
Roz, if I can jump in—just to make it practical, the Congressional Review Act part is sometimes overlooked. I’ve actually seen a DoD interim rule that met all the technical thresholds but was delayed for months because someone neglected the Congressional submission paperwork. That disconnect pushed back enforcement, and caused all kinds of headaches on the ground: delayed contract awards, confusion among contracting officers… the works. It really highlights that every stage—OIRA, Federal Register, Congressional Review Required—must be checked off or the process just… stalls out.
Ruby Sturt
Yeah, that's wild. Honestly, as much as it sounds like procedural red tape, every little misstep seems to have a ripple effect that ends up on a contractor's desk. And that minimum 30-day window can be longer, right, Roz? There's room for delays?
Roz the Rulemaker
Absolutely. By law, most rules have to wait at least 30 days after publication before taking effect, but agencies can grant more time, especially for complex or "economically significant" rules. For CMMC enforcement, DoD has made clear it will stick to the stated implementation phases—a very structured rollout, not a rushed launch.
Eric Marquette
So, once this last bit of paperwork and waiting wraps up, that’s when the CMMC train leaves the station and these requirements actually show up in DoD contracts. Let's talk through what that roll-out looks like and who’s on the hook at each stage.
Chapter 2
The CMMC Rule Rollout: Timeline, Key Phases, and What Activates When
Ruby Sturt
Ok, so I’m still picturing a big, dramatic countdown here. Paul, can you walk us through the CMMC rollout—like, when and how it all gets phased in? The 32 CFR 170.3(e) section lays out these four phases, but the dates always do my head in.
Paul Netopski
Sure thing, Ruby. The rollout really centers around four phases, each triggered in sequence. Phase 1 hits immediately after the final DFARS rule is published—which, going by most expectations, is likely to happen between October 2025 and March 2026. At that point, any contract where a contractor touches Federal Contract Information, FCI, will require a CMMC Level 1 self-assessment to be eligible for award. It's a baseline bar: basically, if you've got FCI, you need to show documented compliance, even for small-ball contracts. And this requirement can flow to subs—subcontractors who handle FCI have to keep up as well.
Roz the Rulemaker
Exactly. After the one-year mark—so, Phase 2—contracts begin to require third-party certification at CMMC Level 2 for those handling the most sensitive Controlled Unclassified Information, or CUI, especially CUI categories listed in the Defense Organizational Index Grouping of the NARA CUI Registry. Level 2 self-assessment is still in play for other CUI, but for those priority categories, certification shifts from self-attested to independently assessed. Then, two years after publication—Phase 3—Level 3 certification enters for select contracts needing even higher protection, such as those tied to advanced technologies or mission-critical programs, using NIST SP 800-172. By the start of Phase 4, the full implementation regime is in place: all covered contracts, options, and extensions must meet applicable CMMC requirements, and flowdown is enforced supply-chain wide, except for COTS-only deals.
Ruby Sturt
Right—so let’s make this concrete. Roz, let’s say I’m a small IT firm about to bid a contract in Phase 1. It’s a help desk gig, and maybe I’ve got one sub managing ticketing software that processes FCI. What would my world look like at that point? Then, say we flash forward to Phase 4: same contract, but it’s a recompete, and now there’s some CUI involved. What’s changed?
Roz the Rulemaker
Great scenario. In Phase 1, your primary obligation would be documenting and affirming a CMMC Level 1 self-assessment prior to award. Both your company and any subcontractors handling FCI would need that posted in SPRS before you could be awarded the contract. There might even be a one-year window before any higher bars come into play. Now, flip to Phase 4: if the recompete includes CUI—particularly from categories in the Defense Organizational Index Grouping—you’d face a CMMC Level 2 or even Level 3 assessment. That means either an independent third-party assessment, or a DoD-led certification if the CUI is especially sensitive. Plus, every subcontractor that could touch FCI or CUI—including that ticketing software sub—would be on the hook for demonstrating the relevant CMMC certification. The flowdown is comprehensive, and contracting officers won't be able to award, renew, or extend your contract unless compliance is in place for every in-scope information system. It puts pressure on prime contractors to vet their entire supply chain, not just their own teams.
Paul Netopski
It also changes how you structure teaming agreements and how quickly you can onboard subs. If your subcontractor doesn’t have their CMMC ducks in a row, it could block your deal entirely come option renewal time in Phase 4. The phased schedule gives everyone some breathing room, but by full implementation, it's a hard line—no exceptions except via formal waivers.
Eric Marquette
So, it’s a rising tide—everyone starts with Level 1, but if you touch the higher-risk CUI, you’ll need to be ready for outside scrutiny, especially as we go further into the timeline. That brings us to a big question: Who's actually choosing the CMMC level for each contract, and what happens with waivers or enforcement?
Chapter 3
Determining, Waiving, and Enforcing Requirements: Who Decides, and What Sticks
Roz the Rulemaker
To answer that, let's look at the OSD implementation memo and the final rule context. The Program Manager, or requiring activity, is empowered to determine the baseline CMMC level required for each effort, using the Level Determination Guide. They assess the type of information (FCI, CUI, or CUI deserving extra protection) that will hit contractor systems. The CMMC level selected must cover the highest-risk information in play, with decision-making documented early in the requirements process. In rare cases, a higher level can be chosen if security needs dictate, but they can't dip below the minimums set out in the guide. Acquisition executives, at the Service or Component level, can authorize waivers, but these are formally structured. There's coordination with the component CIO, detailed reporting, and it's all wrapped in quarterly reports back to DoD's senior leadership, stating what level was waived and why.
Paul Netopski
And it’s worth stressing—waiving a CMMC assessment requirement doesn’t eliminate underlying security controls. Even if a program gets a pass on a CMMC certification, the baseline requirements, like those from FAR 52.204-21 or DFARS 252.204-7012, stay locked in. For example, Level 1 waivers are basically off the table according to the memo—it's a minimum for anyone who handles FCI. You really only see waivers for Level 2 third-party certifications, and most often for unusual situations like attracting novel suppliers where imposing an immediate certification would undermine competition or timelines. There always has to be a compensating protection plan in place.
Ruby Sturt
Can I just say, that sounds like a lot of paperwork and a lot of risk-balancing for the acquisition folks? Eric, you mentioned once a contracting officer who'd just been through the wringer with all this new reporting. What was their take?
Eric Marquette
Yeah, I had this chat with a CO not long ago. They were honestly shocked by the scale of waiver reporting. Turns out, every special exemption gets tracked in a quarterly report to the Pentagon, broken down by waived CMMC level, contract codes, and the reasons behind it. For acquisition teams, the big tension was between delivering a capability quickly and adhering to the letter of compliance. Sometimes those pressures collide—mission urgency versus risk of cyber exposure. The CO told me, “We’re not just adding a clause now, we’re making a choice that has to be justified up the chain, every time.” And all that info rolls up for internal oversight, so there’s definitely accountability.
Roz the Rulemaker
That's right. When Phase 4 lands, it’s all locked down: CMMC is required as a condition of award, extension, or option—no certification, no contract. CMMC clauses get baked into nearly every applicable DoD solicitation, and that includes instructions for flowing down requirements to every subcontractor, with COTS-only contracts remaining the main carveout. So, prime contractors need to verify their whole supply chain is ready. It ties back to the trend we’ve touched on across this series: compliance isn’t static. It's a process, with oversight, enforcement, and—occasionally—a human face behind tough choices.
Paul Netopski
Exactly. And the intent from DoD’s perspective is really about driving widespread, sustained adoption of security best practices across the defense supply chain—not just at contract signing, but throughout that contract’s lifespan. The mechanisms—determination, waiver, enforcement—are all built to reinforce that culture.
Ruby Sturt
So, not just more red tape for the sake of it, but an attempt to bring real security outcomes. Got it!
Eric Marquette
And on that note, we’ll wrap for today. Next time, we’ll dig into the realities of first-wave CMMC contract language—what’s negotiable, what isn’t, and how small firms can keep up. For now, thanks Roz, Paul, Ruby—and thanks to all of you for listening to CMMC Unlocked. See you next time!
Roz the Rulemaker
Thank you, everyone. It’s always a pleasure.
Paul Netopski
Appreciate it, looking forward to the next one.
Ruby Sturt
Thanks heaps all, and cheers ‘til next time!
