CMMC Is No Longer Just Policy – It’s Now Practice

On August 25, 2025, the White House Office of Information and Regulatory Affairs (OIRA) cleared the Department of Defense’s long-awaited CMMC acquisition rule for publication in the Federal Register (OIRA Review for RIN 0750-AK81, DFARS Case 2019-D041). This action officially moves CMMC from concept into enforceable regulation, embedding cybersecurity certification requirements directly into DoD contracts within weeks.

According to DoD’s Open DFARS Cases tracker, the final DFARS rule was cleared by OIRA and is now being prepared for Federal Register publication. Once published, the rule will take effect after a standard 60-day period, meaning CMMC clauses will start appearing in DoD solicitations and contracts as early as late October 2025.

What the Rule Does

The new rule, formally titled “Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements”, codifies DFARS clause 252.204-7021 and related changes across 48 CFR Parts 204, 212, 217, and 252. In practical terms:

  • Cybersecurity certification becomes a condition of contract award.
  • Level 1 CMMC (self-assessment) will be required for contracts involving Federal Contract Information (FCI).
  • Level 2 CMMC (third-party certification in most cases) will be required for contracts handling Controlled Unclassified Information (CUI).
  • Contractors must post assessment results in the Supplier Performance Risk System (SPRS) to be eligible.

DoD has confirmed that Phase 1 of the CMMC rollout will begin on the effective date of the final rule. From that point forward, contracting officers will not be able to award or extend contracts unless the required CMMC certification is in place.

From the Top-Floor to the Shop-Floor

For manufacturers, this is the moment that changes everything. CMMC is no longer a future requirement; it’s about to become part of every DoD contract involving sensitive data. And while compliance is mandatory, production can’t stop.

That’s why Alchemi-Data built AXE (Alchemi Execution Environment) specifically for the manufacturing ecosystem. AXE is designed to integrate CMMC compliance across the entire operation – from the top-floor to the shop-floor – without disrupting output. With Alchemi-Data as your CMMC solution provider:

  • Machines never stop – AXE keeps production running while compliance is implemented.
  • No costly downtime – cybersecurity is built into existing processes, not bolted on later.
  • No overload of redundant training – AXE aligns compliance with how teams already work.
  • End-to-end coverage – from SPRS postings to certification assessments, manufacturers are supported every step of the way.

With AXE, manufacturers can achieve CMMC Level 2 readiness within 90 days, maintaining full operational tempo while becoming audit ready.

The Bottom Line

The White House has cleared the rule, and DoD has confirmed its rollout. Before 2025 ends, CMMC will be embedded into every DoD contract involving FCI or CUI. There is no longer time to wait. If you are a manufacturer in the Defense Industrial Base, the choice is simple: act now or risk being locked out of future DoD work.

With Alchemi-Data’s AXE, compliance is embedded across your operations without downtime. All required controls are executed and enforced in real time, giving you confidence that what’s on paper is also happening on the shop floor. AXE delivers a full-stack solution for manufacturers – top-floor to shop-floor – where machines never stop and compliance never slips.

Call Alchemi-Data today to protect your contracts, secure your future, and keep your machines running.
