The Cybersecurity Maturity Model Certification (CMMC) is on track to become a core requirement for defense contractors. However, before CMMC can be included in Department of Defense (DoD) contracts, a key regulation must take effect: Title 48 of the Code of Federal Regulations (48 CFR).
If your organization does business with the DoD—or hopes to—you need to understand this rule and how it will impact your eligibility to win and maintain government contracts.
What Is 48 CFR?
48 CFR is part of the Federal Acquisition Regulation (FAR) System, which governs how the federal government procures goods and services. Within this system, the Defense Federal Acquisition Regulation Supplement (DFARS) adds DoD-specific rules. The 48 CFR rule specifically integrates CMMC 2.0 into the DFARS. In short, this rule establishes cybersecurity requirements as a contractual obligation—not just policy guidance.
How 48 CFR Connects to CMMC 2.0
Two key regulations support CMMC:
Once finalized, 48 CFR will require contractors and subcontractors to be CMMC-certified in order to be eligible for DoD contracts, making CMMC enforcement real in procurement.
What Will the 48 CFR Rule Do?
The 48 CFR rule will:
When Will It Take Effect?
When the 48 CFR CMMC Acquisition Rule will be released is the big question right now. It has completed the public comment period and is undergoing final review by the Office of Information and Regulatory Affairs (OIRA). The DoD has been anticipating the rule to be finalized soon. Although there is no official date, many expect it in the summer of 2025.
Once finalized, CMMC certification will be phased into contracts—starting with Level 1 requirements and eventually expanding to include Level 2 for contractors handling Controlled Unclassified Information (CUI).
Why This Rule Matters to Your Business
This is not a drill—CMMC is becoming a contractual gatekeeper.
Government Compliance Workshops and Services to Get You Ready
The 48 CFR rule is the mechanism that will make CMMC real for DoD contractors. If you're in the defense supply chain, the time to act is now. Everyone agrees that the rules are complicated. Once the 48 CFR rule is released, experts at every level of the compliance chain will be in short supply. Together with our partners, Daymark has the certifications and qualifications to guide you through the entire CMMC 2.0 compliance process.
You can start with our Government Scoping Workshop. It’s a first step to scope your environment in the compliance program. This workshop helps determine which requirements your organization needs to follow and identifies sensitive information you may be creating, processing, storing, or transmitting. If you’re further along, we offer a Government Implementation Workshop, which guides you through a detailed plan for achieving compliance within your organization.
Migration services are obviously critical. Daymark has the proven expertise to migrate data from your current environment to Microsoft’s Government Cloud, leveraging Microsoft-authorized GCC, GCC High, and Azure Government licenses. This can include:
These are just some of the many ways we can help you quickly prepare for CMMC deadlines. Contact us today to get started.