Trump Admin. Just Cleared Rule For Cyber Compliance

By Press Room | 2 September 2025 | 10 Mins Read

The argument over whether Cybersecurity Maturity Model Certification would ever show up in real contracts is finished. It is over. Basta. Finito. On August 25, 2025, the Office of Information and Regulatory Affairs cleared the Defense Department acquisition rule in Title 48 of the Code of Federal Regulations for assessing contractor cybersecurity requirements. That clearance, completed in 34 days, is a brisk pace in an often glacial government bureaucracy and marks the final checkpoint before publication in the Federal Register, which will carry the effective date. Across a defense supply chain of roughly 220,000 to 300,000 contractors and subcontractors, with about 80,000 expected to require Level 2, only about 270 organizations hold a final CMMC certificate as of late August 2025. The program rule in Title 32 made CMMC real in policy. The acquisition rule in Title 48 makes it real in awards.

Alphabet Soup: What Are OIRA, DFARS And SPRS and Why They Matter

Federal cybersecurity policy arrives wrapped in acronyms. Three of the most consequential in the CMMC discussion are OIRA, DFARS and SPRS. Understanding them clarifies how policy becomes enforceable contract language, how eligibility is evaluated and why this clearance accelerates the timeline for CMMC readiness.

OIRA: The Office of Information and Regulatory Affairs sits inside the White House Office of Management and Budget. It reviews significant federal rules for cost, benefits and policy alignment. For CMMC, OIRA clearance is the final policy review before the Defense Department publishes the acquisition rule in the Federal Register with an effective date.

DFARS: The Defense Federal Acquisition Regulation Supplement is the Defense Department’s acquisition rulebook alongside the governmentwide FAR. It resides in Title 48 of the Code of Federal Regulations and provides the contract clauses used in solicitations and awards. For cybersecurity, DFARS 252.204-7012, 252.204-7019, 252.204-7020 and 252.204-7021 tie award eligibility to controls such as NIST SP 800-171 and to status recorded in government systems like SPRS. Once the DFARS CMMC rule is effective, contracting officers can name a CMMC level, verify status and treat missing or outdated information as a gating issue for award or option exercise.

SPRS: The Supplier Performance Risk System is the Pentagon’s authoritative system for supplier risk data. Contracting officials consult SPRS to confirm NIST SP 800-171 assessment scores and CMMC status or affirmations before award and at option exercises. Missing, outdated, or inconsistent postings place eligibility at risk.

Why The Timing Matters

  • DoD submitted the DFARS final rule to OIRA on July 22, 2025 and OIRA cleared it on August 25, 2025. That is 34 days from submission to clearance.
  • Executive Order 12866 allows up to 90 days for OIRA review, with an optional 30-day extension. Thirty-four days is fast relative to that ceiling and the usual pace of these reviews.
  • Historically, OIRA reviews have often averaged a number of days in the mid-40s to mid-50s. By that yardstick, this clearance moved briskly.

The takeaway is straightforward. The rule reached OIRA in mature form after sustained work by acting DoD CIO Katie Arrington and many colleagues, and it was treated as a priority by Secretary Hegseth and the Trump administration. That supports expectations of prompt publication in the Federal Register, followed by an effective date 1 to 60 days later.

What Actually Changed

The Defense Department finalized the CMMC program rule in Title 32 last year. That rule defined levels, scope and a phased plan across the defense supply chain. It did not, by itself, put CMMC into contracts. The acquisition rule in Title 48 closes that gap by authorizing contracting officers to require a specific CMMC level in solicitations and awards and by enabling verification of status in government systems.

Said plainly, the program rule defined the game. The acquisition rule puts it on the field. Once effective, buyers will be able to state the required level in the solicitation, confirm status before award and enforce it at option exercises.

When It Starts To Affect Awards

After OIRA clearance, the rule is published in the Federal Register and will name an effective date. Federal rules typically take effect 1 to 60 days after publication. That date is the start of Phase 1 of the rollout. From that point forward the Department intends to include Level 1 or Level 2 self-assessment requirements as a condition of award where applicable. Level 2 third-party assessments may be introduced as the phases advance and will expand in later phases alongside Level 3 government assessments for the highest-risk work.

The effective date should be treated as a bid gate. This is no longer a policy aspiration. It is eligibility.

How Contracting Will Change

With Title 48 in force, contracting officers can insert the DFARS clause that specifies the required CMMC level, check SPRS for self-assessment scores or certifications before award and before exercising options and treat missing or stale status as a gating issue. That moves CMMC from guidance to an enforceable contract requirement with visible, auditable checkpoints.

Expect three practical changes:

  1. Named levels in the RFP. Solicitations will state Level 1 or Level 2 where appropriate, with higher-level or third-party requirements as scope warrants.
  2. Verification in government systems. Buyers will check SPRS for the vendor’s current score, affirmation, or certification before award and at option points.
  3. Consequences for noncompliance. If the required status is not present and current, offers can be deemed ineligible regardless of technical merit.

Why This Matters To The United States And The Free World

CMMC is not a paperwork exercise. It is a national defense requirement that closes the front door adversaries keep trying to walk through. Allied cyber agencies have warned about state-sponsored pre-positioning inside critical infrastructure. Campaigns commonly tracked as Volt Typhoon and Salt Typhoon showed long-term access, living-off-the-land tradecraft and a focus on telecommunications, energy, transport, logistics and public services. The strategic aim is simple. In a crisis an adversary wants options to disrupt logistics, degrade command and control and pressure civilian leadership.

The defense industrial base sits in the middle of this picture. Small and mid-sized suppliers handle Federal Contract Information and Controlled Unclassified Information every day. That data maps directly to weapons sustainment, depot schedules, parts availability and the operational readiness of the force and its allies. CMMC raises the floor across that supply chain, makes self-attestation visible in acquisition systems and brings independent verification for higher-risk environments. The result is less attack surface, higher cost for adversaries and more resilience for the free world.

Leaders across the ecosystem have been blunt about the stakes. Pentagon acting CIO Katie Arrington has warned that nation-state attacks are felt daily across the supply chain. The head of the accreditation ecosystem, Matthew Travis, has emphasized that building a trusted, verified and resilient defense industrial base is the most important cyber mission. The message is consistent. Discipline at scale is the only sustainable answer.

What It Means For The Defense Industrial Base

For work involving Federal Contract Information, expect Level 1 self-assessment and annual affirmation. For work involving Controlled Unclassified Information, plan for Level 2. Phase 1 emphasizes self-assessments where applicable; later phases expand certified third-party assessments and introduce government assessments for the highest tier of work. Bids without current status posted in SPRS are likely to be screened out before technical merit is even reviewed.

This will change competition. Firms with a current Level 1 score and affirmation will clear the first gate for lower-risk work. Firms with defensible Level 2 self-assessments and complete, current artifacts will move faster on awards where third-party certification is not yet required. As third-party capacity ramps, certified firms will gain an advantage on higher-risk solicitations and option years. Compliance becomes a visible part of commercial posture, not a back-office task.

What Contracting Officers Will Do Differently

Expect a simple rhythm that industry should mirror:

  • Plan: Identify the CMMC level by mapping data flows and contract scope.
  • State: Put the level and the evidence requirement in the solicitation.
  • Verify: Check SPRS and require proof before award or option exercise.
  • Enforce: Withhold award, withhold option exercise, or require corrective action if status is missing or expired.

This is the practical operating cadence the acquisition rule enables.

What Leaders Should Do Now

The path is straightforward in concept but requires dedicated resources. The work is substantial and nuanced. Unsuccessful attempts risk contract ineligibility and delays measured in years, not months. Treat the following as a board-level checklist, with each step assigned to a named owner, a date and a measurable outcome.

  1. Partner With A Trusted Sherpa: Select a guide that does more than a one-time gap assessment. Favor a provider that can operate the security and compliance program end to end, not simply check the box. Look for Registered Practitioner Organization credentials, a repeatable operating model and the ability to run day-to-day functions: policy management, control ownership, ticketed workflows, evidence collection, log management, detection and response, vulnerability and patch cadence and SPRS workflows. Prioritize teams that pair vCISO leadership with managed operations and have established relationships across C3PAOs, moving contractors from assessment to sustained compliance without rework.
  2. Decide The Level By Data: Perform a current-state inventory of where Federal Contract Information and Controlled Unclassified Information reside. Map systems, users, vendors and external connections. Confirm where data is created, processed, stored and transmitted. Set the required level by data reality, not aspiration.
  3. Finish The Fundamentals: Produce a defensible System Security Plan and a real Plan of Action and Milestones aligned to NIST SP 800-171 where required. Close easy gaps first. Harden baselines, enforce configuration standards and turn on logging with retention that matches control language. Prefer partners that deliver documentation and implementation, including technical controls, training content and a delivery plan that holds schedule and budget.
  4. Make Eligibility Visible: Complete the self-assessment, post scores to SPRS and execute the senior affirmation. Keep dates, artifacts and evidence current. Build executive views that show status by site, by enclave and by contract. Require weekly progress until postings are complete and quarterly refresh cycles thereafter.
  5. Stand Up A Repeatable Program: Move from ad hoc activity to an operating cadence. Establish policy libraries, named control owners, ticketed workflows and evidence repositories with role-based access. Build dashboards that translate control health into simple red, yellow and green indicators tied to service-level targets. Align internal audit with assessment cycles. Seek an end-to-end managed CMMC program with prebuilt System Security Plan and Plan of Action and Milestones templates, engineering patterns for common controls, automated evidence capture and a staffed bench of practitioners so compliance is maintained, not reinvented.
  6. Book Assessment Capacity Early: If a Level 2 third-party assessment will be required, reserve a window early. Choose support with proven readiness testing, dry-run assessments, sample evidence packs and transparent entrance and exit criteria. Insist on an issue log that executives can review and close on schedule.
  7. Flow Down With Intent: Align subcontractors to the correct level. Place requirements and evidence expectations in teaming agreements and purchase orders. Verify status before proposal, not after award. Use supplier compliance management to inventory partners, maintain clause flow-downs, categorize critical suppliers by data and dependency and monitor status on a set cadence. Mitigate or replace partners that cannot meet the requirement in time.
  8. Tie Compliance To Revenue: Make CMMC status a bid gate in sales operations. No current SPRS status means no bid submission. Report eligibility alongside pipeline, bookings and renewals so leadership and the board see risk and progress in business terms. Incentivize sustained compliance, not one-time milestones.

Last Call Before CMMC Hits Contracts

CMMC will be a contract requirement in late 2025. Implementation begins on the acquisition rule’s effective date. With OIRA clearance complete, only Federal Register publication and that date remain. The debate is over. Execution wins. Organizations that align now will compete, protect sensitive data and accelerate awards. Those that delay will keep debating intent while rivals lock in contracts, expand market share and strengthen both enterprise resilience and national security.
