U.S. Department of Defense | CMMC Update
Effective November 10, 2025 | Rule 48 Now Active
The U.S. Department of Defense has officially activated Title 48 CFR 204.75.
From this point forward, all new contracts will include Cybersecurity Maturity Model Certification (CMMC) requirements.
What This Means
• Defense Industrial Base (DIB) partners must comply with the CMMC requirements of the contract and demonstrate compliance prior to award.
• All CMMC requirements are currently based on NIST SP 800-171r2, NIST SP 800-172, and DFARS 252.204-7012 (where applicable).
What Australian Defence Suppliers Need to Know
Australian frameworks such as DISP and the Essential 8 are not equivalent to CMMC and will not earn reciprocity.
To remain eligible for U.S. Defense contracts, organisations must meet the requirements from NIST SP 800-171r2:
✔️ 14 Domains
✔️ 110 Controls
✔️ 320 Assessment Objects
Secure State is supporting Australian defence and manufacturing businesses to understand, implement and certify against these requirements through practical, plain-English cybersecurity and compliance solutions.
Under the leadership of Luke Smith, Secure State has positioned itself at the forefront of CMMC readiness in Australia. With a deep understanding of both the technical foundations of NIST frameworks and the operational realities of the Australian defence supply chain, Luke and the Secure State team bridge the gap between complex U.S. compliance expectations and achievable, local implementation. Their work enables SMEs to compete confidently in global defence programs — without getting lost in the noise of regulation.
Let’s make sure your business is ready.
Contact our team or fill out our contact form to learn more about how we can help you prepare for CMMC.
Reach out to chat about your goals, challenges, or just to get a fresh perspective on your IT. Our team is ready to listen.
