Final Review Begins, October Launch Expected
Big changes are on the horizon for organizations in the Department of Defense (DoD) supply chain. The long-anticipated rollout of CMMC 3.0 (Cybersecurity Maturity Model Certification) just took a major step forward:
The 48 CFR rule — which will make CMMC 3.0 legally enforceable — has officially been submitted to the Office of Management and Budget (OMB) for final review. (C3PAOs) may begin referencing this guidance at any time. Organizations still operating under Rev 2 may find gaps if they’re not preparing now.
⏳ What Happens Next?
The OMB’s review process typically takes 60 to 90 days, meaning we’re likely to see official publication around October 2025.
Once finalized, this rule will allow the DoD to begin including CMMC certification requirements directly into federal contracts, likely starting in Q4 of this year.
This is not a drill. For many defense contractors, the time for planning has passed — and the time for action is now.
🔎 What Should You Be Doing Right Now?
If you’re a contractor, subcontractor, or MSP supporting defense clients, here’s what to prioritize:
✅ Review your current cybersecurity practices against NIST SP 800-171 Rev 3
✅ Familiarize yourself with new Organizational Defined Parameters (ODPs)
✅ Assess existing gaps in documentation, technical controls, and policy alignment
✅ Update POAMs (Plans of Action & Milestones) in preparation for formal assessment
✅ Plan for certification requirements to appear in contracts by Q4
Many organizations will be surprised when these requirements start showing up in RFPs, contract clauses, or renewals — especially if they haven’t proactively followed the rollout timeline.
📌 SOCSoter Is Here to Help
We’re already helping clients align with the latest compliance requirements and adjust their documentation, systems, and policies. If your domains haven’t been reviewed yet, we’re integrating the new ODP guidance into all upcoming assessments.
Don’t wait until October to scramble!
If you’re unsure where your compliance stands — or you support clients who may be impacted — now is the time to reach out. Let’s build a clear path toward certification before the clock runs out.