On August 25, 2025, the Office of Management and Budget Office of Information and Regulatory Affairs ("OIRA") cleared the Department of Defense's ("DOD") final rule Assessing Contractor Implementation of Cybersecurity Requirements, as indicated in DOD's Open DFARS Cases document published today (dated August 29, 2025).

DOD's Assessing Contractor Implementation of Cybersecurity Requirements final rule is the Department's companion rule to its Cybersecurity Maturity Model Certification ("CMMC") program rule, which became effective in December 2024 (discussed here). As noted in the Open DFARS Cases document, OIRA's approval means that the "DARS Regulatory Control Officer is preparing [the final rule] for publication" in the Federal Register.

Notably, when the final rule is published in the Federal Register and takes effect (very soon) the first phase of the CMMC program rollout will begin. See 32 C.F.R. § 170.3 (stating that CMMC "Begins on the effective date of the complementary 48 CFR part 204 CMMC Acquisition final rule. DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award. . . .").

Takeaway

OIRA's stamp of approval on DOD's companion DFARS rule is big news for the defense industrial base. It signals that – after years painstaking development – the CMMC program is now right around the corner. We expect that the DFARS rule likely will be published in the Federal Register within the next week or so. In light of this major development, defense contractors (large and small) should take notice and plan accordingly.

. . .

#govcon