CMMC Milestone: Title 48 Reaches OIRA Review – What This Means for Defense Contractors

After years of development and revisions, the Cybersecurity Maturity Model Certification (CMMC) program has almost come to fruition.

On July 22, 2025, the Department of Defense (DoD) submitted the final 48 CFR rule to the Office of Information and Regulatory Affairs (OIRA) for review, signaling we're in the final stretch before CMMC requirements officially appear in defense contracts.

The Final Piece of the CMMC Puzzle

While the CMMC program itself was established with the publication of Title 32 CFR in October 2024 (effective December 2024), the 48 CFR rule is the crucial component that authorizes contracting officers to include CMMC requirements in solicitations and contracts.

With OIRA review typically taking 90 days, defense contractors should prepare for CMMC requirements to begin appearing in contracts as early as October 2025.

Protecting Controlled Unclassified Information (CUI) Is Now Mission-Critical

For contractors handling Controlled Unclassified Information (CUI), the clock is ticking. Most defense contractors fall under CMMC Level 2, which requires protection of CUI through 110 cybersecurity controls based on NIST SP 800-171.

What's particularly noteworthy is that many prime contractors aren't waiting for the official implementation. They're already requiring CMMC readiness from their subcontractors to ensure supply chain security. This forward-looking approach means that even if you're not directly contracting with the DoD, your readiness to protect CUI may impact your eligibility to participate in the defense supply chain.

Recommended Reading: What is Controlled Unclassified Information? Best Practices for CUI Security

Encryption: The Most Critical Control for CUI Protection

Among the 110 controls required for CMMC Level 2 compliance, encryption stands out as particularly essential yet frequently overlooked. Effective encryption ensures that even if other security measures fail, CUI remains protected from unauthorized access.

For many organizations, implementing proper encryption for CUI is one of the most challenging aspects of CMMC compliance, yet it's fundamental to securing sensitive defense information throughout its lifecycle.

How Virtru Helps You Meet CMMC Requirements for CUI Protection

As a FedRAMP Moderate authorized data security provider, Virtru helps defense contractors address 27 of the 110 CMMC Level 2 controls with one comprehensive platform—covering nearly 25% of your compliance requirements with solutions specifically designed for CUI protection:

Cover 27 CMMC Level 2 Controls with One Platform

Virtru's data-centric security solutions help you meet requirements across multiple CMMC domains, including Access Control, Audit and Accountability, System and Communications Protection, and System and Information Integrity. This comprehensive coverage streamlines your compliance efforts with integrated tools that work together seamlessly.

Recommended Reading: Virtru Shared Responsibility Matrix for CMMC 2.0

End-to-End Encryption for CUI in Gmail and Outlook

Our FedRAMP-authorized,  FIPS 140-2 validated email encryption integrates directly with Gmail and Outlook, enabling secure sharing of CUI without disrupting workflows. Users can encrypt messages and attachments with a simple toggle, ensuring CUI remains protected throughout its lifecycle.

Complete Control and Visibility for Defense Supply Chain Collaboration

Enable secure sharing between primes, subcontractors, and mission partners with granular access controls that let you:

• Revoke access to CUI immediately
• Set expiration dates for time-limited access
• Disable forwarding of sensitive information
• Add watermarks to documents containing CUI

Zero Trust Data Security Aligned with DoD Requirements

Virtru strengthens your Zero Trust posture in alignment with DoD Zero Trust architecture, focusing on the data pillar that the DoD identifies as the central element. Our solutions protect CUI both in motion and at rest, ensuring sensitive information remains secure regardless of where it travels.

Virtru Private Keystore for Total Key Control

Maintain complete sovereignty over your encryption keys with Virtru Private Keystore, allowing you to manage keys separately from your data. Choose to host your keys on-premises or in the cloud environment of your choice, giving you enhanced control and security for your most sensitive information.

Seamless File Sharing for Defense Collaboration

Virtru Secure Share enables friction-free sharing of files up to 15GB with anyone—even partners without Virtru accounts. This facilitates secure collaboration throughout the defense supply chain while maintaining persistent control and visibility over CUI.

Don't Wait for Title 48 to Become Official – Act Now

With Title 48 at OIRA review, CMMC requirements will soon become contractual obligations. The window for preparation is closing fast. Start implementing critical controls today to avoid being caught unprepared when the rule takes effect this fall.

Ready to address 27 of the 110 CMMC Level 2 controls before Title 48 takes effect? Contact Virtru today to strengthen your CUI protection and position your organization for CMMC success.