Podcast Summary: Sum IT Up: CMMC News Roundup

Episode: "When Will CMMC be in Defense Contracts?"

Host: Summit 7
Date: May 22, 2025

Overview

In this episode, the hosts break down the much-anticipated timeline for the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) to appear in defense contracts. Broadcasting live from the Seek West event in Las Vegas, they explain how the window for release of the final 48 CFR CMMC rule—the critical regulatory milestone that triggers CMMC as a requirement in defense contracts—is opening imminently (June–October 2025). The discussion covers why this window is so significant, the structure of CMMC regulations, key data points supporting their forecasts, and urgent guidance for defense contractors.

Key Discussion Points and Insights

Understanding CMMC and the Regulatory Pathways

Dual-Regulation Structure: CMMC is implemented via two separate regulations:
- 32 CFR Program Rule: Sets overall policy—levels, roles, waivers, definitions, and assessment procedures.
- 48 CFR Clause Rule: Puts CMMC into actual contract language; required for CMMC to be enforceable in contracts.
Why Two Rules?: Two different DoD offices oversee these, creating a lag between policy and contractual enforcement.
[03:00]

Timeline Recap and Key Milestones

32 CFR Rule:
- Proposed: Earlier, finalized October 2024
- Became effective: December 2024
- Enabled companies to get CMMC Level 2 certifications ("market rollout" phase)
- Over 100 organizations have already attained certifications as of May 2025
  [04:00]
48 CFR Rule (The Critical Step):
- Proposed: May 2024
- Not yet finalized as of May 2025
- This rule is needed for CMMC requirements to show up in contracts—the beginning of the "phased rollout"
  [05:15]

Publication Window & Predictive Analysis

Data-driven Forecast: The hosts analyzed all DoD rules from 2009–2024, comparing the lag from proposed to final publication. The average suggests October 2025, but the accelerated timeline of 32 CFR (which was highly complex) suggests June 2025 is plausible.
Confidence Window: "Our 90% confidence estimate is that the window for the publication of the final rule and the beginning of the phased rollout will happen sometime between June and October of 2025." (A, 07:30)
Why Not Wait for the Contract Requirement?:
Waiting until the CMMC is present in a contract solicitation is a losing proposition—implementation and certification take longer than contract award cycles.
- "It is not a viable strategy to wait until it shows up in a solicitation. You will run out of time, especially at this point." (A, 07:50)
- "Everybody who's prepared... there's people getting certs right now, so do not wait." (A, 08:48)

The Human Factor and Historical Trends

Vacation Paradox:
A running joke and historical pattern: DoD seems to release major rules right before the hosts’ planned vacations.
- "Every time I am planned to go on vacation or you are planned to go on vacation, that the Friday before that happens, the DoD likes to be like, oh, enjoy yourself." (B, 09:25)
- Estimated "Father’s Day weekend" (mid-June) as a plausible publication date, but with usual tongue-in-cheek skepticism.
Growing Confidence:
- "I think that I'm more at the 95% level, that at some point this summer this is going to be really real." (B, 09:40)

Direct Message to Contractors

Urgent Call to Action:
- "Do not wait until it shows up in contracts... you need to get started ahead of time." (A, 08:08)

Notable X Factors

Leadership Endorsement & DoD Messaging:
Referenced previous episode with Katie Arrington, acting DoD CIO, who strongly affirmed the inevitability of CMMC and criticized complacency.
- "If you don't know who she is, you're wrong. And you definitely need to study your history, go back and listen to that episode....listen to what she has to say about the inevitability of CMMC and what she thinks about people who aren't complying with their current requirements because they think CMMC isn't going to happen." (A, 09:57)

Notable Quotes and Memorable Moments

On the Sense of Urgency
- "Waiting until CMMC shows up as a requirement in your contract is a massive mistake." (A, 07:20)
- "This ain't 2023 anymore. We're not halfway through 2024. We're in May of 2025. Window is opening." (A, 08:28)
On the Bureaucratic Irony
- "One office is in charge of the 32 CFR program rule...a different office is in charge of the 48 CFR contract clause rule. And even though these people all share a break room and, and park next to each other in the parking lot, they're not on the same timeline for executing the rulemaking." (A, 05:00)
On the Rulemaking Window
- "Our 90% confidence estimate is that the window for the publication of the final rule...will happen sometime between June and October of 2025." (A, 07:30)
On DoD’s Timing and Jokes
- "The other trend that we've noticed since we've been doing this show is that every time I am planned to go on vacation or you are planned to go on vacation, the DoD likes to be like, oh, enjoy yourself." (B, 09:25)
Final Message
- "As soon as the news breaks, if you like, and subscribe you'll hear it here first." (A, 10:25)

Timestamps for Key Segments

[00:02] Scene-setting, episode focus: imminent timing of final CMMC contract rule
[01:11–04:50] Explaining dual-regulation structure and background
[04:50–07:30] Review of market and phased rollout stages, historical data and predictions
[07:30–08:53] Detailed analysis of prediction window (June–October 2025), urgency message
[08:53–09:52] Anecdotes, confidence levels, and "vacation paradox"
[09:52–10:54] Leadership perspective, summary, and call to subscribe

Takeaways

Window for CMMC in Contracts:
Most likely June–October 2025; contractors must act now, not wait for the rule to appear in solicitations.
Preparation is Key:
Begin (or finish) implementing NIST SP 800-171 and obtaining CMMC certification—delay risks missing contract awards.
Stay Tuned:
The hosts promise immediate updates as regulatory news breaks.

For more CMMC updates, check out previous episodes and stay subscribed for real-time news as the CMMC rules become reality for defense contractors.