DFARS CMMC cyber rule cleared for defense solicitations 2025

White House Review Greenlights DFARS Cyber Rule, Opening Door to CMMC in Defense Contracts

Elie Vigile

WASHINGTON, Sept. 5 — The White House Office of Information and Regulatory Affairs has completed its review of the Defense Department’s long-running cybersecurity acquisition rule, clearing the way for contracting officers to begin inserting Cybersecurity Maturity Model Certification requirements into new solicitations once the regulation is published in the Federal Register. The clearance—recorded in late August—moves the Defense Federal Acquisition Regulation Supplement companion rule through its final checkpoint before implementation.

Defense and legal advisories tracking the action say the Pentagon transmitted the finalized DFARS rule to OIRA on July 22, with clearance following on Aug. 25—about a month later—an unusually fast turnaround for a major acquisition measure. With review complete, publication is the next step; such notices often appear within one to three weeks of OIRA sign-off, after which the rule’s effective date will control when it can be applied to awards.

Unlike the previously issued program rule in Title 32 of the Code of Federal Regulations, which established the structure of the CMMC initiative, the DFARS action in Title 48 is the enforcement gateway that enables contracting offices to require certification (or self-attestation, depending on level) as a condition of eligibility. Industry guidance emphasizes that this is the operational pivot—shifting CMMC from policy to procurement—by authorizing use of the CMMC clause in solicitations and contracts.

Based on agency briefings and contractor alerts, the Pentagon is expected to phase requirements in, starting with solicitations that call for Level 1 or Level 2 self-assessments, with third-party assessments for certain Level 2 efforts to follow at program-office discretion. Several compliance firms forecast that CMMC language could begin appearing in select solicitations in early to mid-fall if publication occurs in September, although exact timing will depend on the Federal Register notice and any implementation guidance issued by the department.

The clearance lands amid broader changes to federal cyber policy under President Donald Trump’s second term, including a June executive order that recalibrated parts of the prior administration’s approach to federal cybersecurity, AI, and software assurance. While those shifts continue to be parsed across civilian agencies, the Pentagon’s progress on CMMC signals that defense acquisition will anchor minimum cyber practices directly in award decisions, raising the stakes for thousands of suppliers handling federal contract information or controlled unclassified information.

For companies in the defense industrial base, immediate steps include finalizing system security plans, documenting and closing gaps against NIST SP 800-171 controls where applicable, and preparing evidence packages that support either self-assessment scores or third-party evaluations. Advisory notes caution that programs may tie option exercises and new task orders to demonstrated compliance, creating commercial consequences for contractors that have delayed remediation. Some industry trackers also warn that once the DFARS rule is effective, there may be no practical grace period for solicitations that designate a CMMC requirement at release.

While the department has not issued a single “switch-on” date for universal enforcement, legal commentators say the combination of the 32 CFR program framework and the newly cleared DFARS rule gives contracting officers the tools to tailor cyber obligations by acquisition. That approach is expected to produce a patchwork of solicitations carrying different CMMC demands over the next several months, accelerating as acquisition teams and assessors gain capacity.

Publication timing remains the near-term watch item for contractors and associations. Historically, Federal Register notices for cleared rules have posted within weeks of OIRA action, though effective dates can vary. In the interim, multiple firms are advising suppliers to assume that readiness will be judged at the time of proposal or award—rather than after contract start—and to book any needed assessment resources accordingly. A number of advisories also underscore that firms unable to meet the required practices risk exclusion from competitions that involve sensitive data until deficiencies are corrected.

The latest move follows summer statements from defense leaders and industry observers that positioned CMMC compliance as integral to mission performance, not a discretionary IT initiative. Those messages, combined with the accelerated OIRA review, have reinforced perceptions that the department intends to use contractual levers—award decisions, option exercises, and corrective actions—to ensure that cyber baselines are met across the supply chain.

As publication approaches, the practical effect for the defense marketplace will be visible in the language of solicitations. Contracting offices are expected to begin mapping CMMC levels to information sensitivity and program risk, expanding use of third-party assessments as capacity grows. Contractors that have completed gap remediation and can substantiate their control implementations are likely to face fewer schedule frictions as cyber obligations become embedded in procurement cycles through the end of 2025 and into 2026.