A
All right, folks, it is May of 2025. We are currently partying in Las Vegas at Seek West. But we decided to take a brief moment from the, from the good times to talk about the fact that the window for the publication of the 48 CFR CMMC final rule, the thing that will put CMMC in your contracts, the thing that will kick off the CMMC phase rollout is about to open in June of 2025. We're going to talk about why we think that, how confident we are, what to expect, how to plan all that good stuff.
B
Along the way we've had timelines that usually are riddled with a whole bunch of stops. So this has to happen for this rule. This is the comment period for this rule. This is, this is going to happen. This is when we think CMMC assessments are going to happen. And now we're at this weird point in the journey where CMMC assessments are happening. One rule is final and I think we are really on the cusp of the next rule being ready to go out the door, especially with how things are going administratively within the DoD, right?
A
Yeah, absolutely. So we've got a handy dandy visual that we have prepared for everybody. So as a quick recap, CMMC is a single program that is implemented by two different regulations. It is a program that verifies if defense contractors have implemented their contractually obligated cybersecurity requirements pursuant to a thing called DFARS clause 252.204-7012. We are doing a series on the DFARS suite of cybersecurity clauses. So if you don't know what that is or if you're having trouble remembering, check out the video link below to have a nice refresher. That clause, DFARS 7012, is the thing that obligates you to implement NIST SP 800-171 security requirements. CMMC is coming along as an assurance mechanism to give the DoD proof that contractors have implemented those requirements and complied with the terms of DFARS 7012. Because as you may know, people aren't doing that. They haven't been doing that. The DoD knows that they're not getting what they paid for. There have been harms to defense weapon systems and the taxpayer and blah, blah, blah. And so Congress and the DoD got big mad about it and came up with a program to verify whether things have been implemented. But anyways, single program, two different regulations to implement that program: what is known as the 32 CFR program rule, as we call it around these parts, and the 48 CFR clause rule. So the first rule or regulation is all the policy stuff. How many levels there are, what are the roles and responsibilities, how do waivers work, how do different assessments work? What are the organizationally defined parameter definitions for the requirements in NIST SP 800-172? All that stuff is outlined in the 32 CFR program rule. It's called that because policies like that live at Title 32 of the Code of Federal Regulations, 32 CFR, the program rule. That rule codified CMMC policy.
That rule, as you can see in the top swim lane here, was published as a final rule in October of 2024 and successfully went into effect in black and white as a real live regulation for the DoD in December of 2024. Which is why as we speak right now, companies can go to a C3PAO assessment organization and pay to get a CMMC Level 2 certification to prove that they have complied with their requirements. This is what we call the market rollout in this green box here, in the sense that the market is rolling out with the ability to go get CMMC certifications. Over 100 companies as of this conversation in May of 2025. But DoD has yet to put the requirement into contracts yet because we're waiting on the other regulation that implements CMMC, the 48 CFR clause rule. So we've got this program, we've got this policy. But contract clauses themselves are regulations. And all regulations must go through the rulemaking process, unfortunately, through the way that the bureaucracy of the Pentagon works. One office is in charge of the 32 CFR program rule, the DoD CIO's office, and a different office is in charge of the 48 CFR contract clause rule, the Office of the Under Secretary of Defense for Acquisition and Sustainment. And even though these people all share a break room and, and park next to each other in the parking lot, they're not on the same timeline for executing the rulemaking. So there is a lag, there is a gap between when the market rollout started and when what is known as the phased rollout will start. So that is the point at which DoD will begin inserting requirements into contracts saying, go get this level of CMMC certification. They call this the phased rollout. So when is that going to happen? That's the thing everybody wants to know. When is CMMC going to show up in contracts? Our 90% confidence estimate is that the window for the publication of the final rule and the beginning of the phased rollout will happen sometime between June and October of 2025.
Why do we think that? We think that because the 48 CFR proposed rule was published in May of 2024. And we went back and we analyzed every single DoD rule that went from proposed to final from 2009 until 2024, controlling for different administrations and holidays, government shutdowns, all that good stuff. And the average amount of time overlaid from when the proposed rule came out says that the rule would probably be published in October. However, the 32 CFR rule is much bigger, much more controversial. It's a net new policy. And there were almost 2,000 public comments that had to be sorted through. There was a ton of headwind. There was a bunch of stuff going on. And so that rule actually beat that average timeline by 30%. And so if you take the shorter timeline that the related Big Brother rule took and you overlay it from May of 2024, we should get the 48 CFR rule in June of 2025. So if you take the average conservative estimate, it's October. If you take the accelerated, probably pretty likely estimate, it would be June. So it's very hard to, you know, isolate a month in particular at this point. So the cone of uncertainty, the window of our prediction is June to October of 2025. And if you're listening to this when we're having this conversation in May of 2025, that means next month the window opens for when we could see the final rule and the beginning of requirements to start showing up in contracts. Obviously, if you like and subscribe and you keep up with our content here, LinkedIn and everywhere else, you'll know as soon as we know when the wheels are turning. But this window is right around the corner. And as we talked about in previous episodes about procurement, administrative lead time and things like that, waiting until CMMC shows up as a requirement in your contract is a massive mistake.
Because the amount of time that it will take you to implement NIST SP 800-171, comply with DFARS clause 7012, and get your CMMC certification, this CMMC implementation lead time, if you will, is almost always going to be longer than the amount of time that your customer takes between soliciting and awarding a contract. And because CMMC certification is a condition of contract award, that means if you wait until you see the requirement in the solicitation, you will not be able to finish in time to take award of the contract. So do not wait until it shows up in contracts, even though that's going to happen here pretty soon. You need to get started ahead of time. It is not a viable strategy to wait until it shows up in a solicitation. You will run out of time, especially at this point. This ain't 2023 anymore. We're not halfway through 2024. We're in May of 2025. Window is opening. Everybody who's prepared. There's people getting certs right now, so do not wait.
B
I think that you have different reasons for your 90% confidence in when you think that the Rule 48 CFR is going to come out. Right. I have my own reason and that is history repeating itself. There are two things that play into this. One: 32 CFR, look when it got published, right about this time last year. Right. And so the other trend that we've noticed since we've been doing this show is that every time I am planned to go on vacation or you are planned to go on vacation, that the Friday before that happens, the DoD likes to be like, oh, enjoy yourself.
A
Works like a charm.
B
So Father's Day weekend is my guesstimate. I'm sure it's going to happen after that because I can't always be right. But with history repeating itself, the confidence that we had before is only growing. I, I think that I'm more at the 95% level, that at some point this summer this is going to be really real.
A
Yeah, yeah, absolutely. And I think the big X factor here, in case you think that things are changing or they're uncertain or anything like that. If you missed our episode last week about statements from Katie Arrington, the lady performing the duties of the DoD CIO, who, if you don't know who she is, you're wrong. And you definitely need to study your history, go back and listen to that episode and listen to what she has to say about the inevitability of CMMC and what she thinks about people who aren't complying with their current requirements because they think CMMC isn't going to happen. That's all I'll say about that one. Go ahead and listen to the episode for yourself and you'll, you'll hear from the DoD directly on what they have to say about it. But that's what we think as far as this current rulemaking update heading into the summer, still very confident that the 48 CFR rule should be published sometime in June to October of 2025 based off our analysis and estimates. And yeah, that's what we know at this point. Obviously, as soon as the news breaks, if you like and subscribe, you'll hear it here first. And we'll see you next week.
B
See you next week.
Host: Summit 7
Date: May 22, 2025
In this episode, the hosts break down the much-anticipated timeline for the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) to appear in defense contracts. Broadcasting live from the Seek West event in Las Vegas, they explain how the window for release of the final 48 CFR CMMC rule—the critical regulatory milestone that triggers CMMC as a requirement in defense contracts—is opening imminently (June–October 2025). The discussion covers why this window is so significant, the structure of CMMC regulations, key data points supporting their forecasts, and urgent guidance for defense contractors.
Final Message
For more CMMC updates, check out previous episodes and stay subscribed for real-time news as the CMMC rules become reality for defense contractors.