32 CFR Part 170 CMMC: What the Final Rule Actually Requires
32 CFR Part 170 is the CMMC Program Rule.
It is the federal regulation that establishes the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program. It defines the three CMMC levels, the assessment types, scoping, scoring, plan-of-action limits, annual affirmations, and subcontractor flow-down for any contractor whose systems handle Federal Contract Information or Controlled Unclassified Information.
The rule was published in the Federal Register on October 15, 2024 (89 FR 83092) and became effective December 16, 2024. But here’s the part that trips up nearly everyone: the rule itself doesn’t put CMMC in your contract. A DFARS contract clause does that — on a phased schedule that started November 10, 2025 and reaches full force by 2028.
32 CFR Part 170 CMMC in one screen
| Question | Straight answer |
|---|---|
| What is 32 CFR Part 170? | The CMMC Program Rule — the regulation that establishes DoD's CMMC program. |
| What does it govern? | CMMC levels, assessment types, scoping, scoring, POA&M limits, affirmations, and flow-down. |
| When did it take effect? | Published Oct 15, 2024 (89 FR 83092); effective December 16, 2024. |
| Does it put CMMC in my contract? | No. The DFARS clause (DFARS 252.204-7021) does that, when included. |
| Who can it affect? | DoD contractors and subcontractors whose systems process, store, or transmit FCI or CUI. |
| Level 1? | 15 requirements from FAR 52.204-21, annual self-assessment (FCI). |
| Level 2? | 110 requirements from NIST SP 800-171 Rev. 2, self or C3PAO assessment (CUI). |
| Level 3? | The 110 plus 24 from NIST SP 800-172, assessed by the government (DIBCAC). |
| Where does status live? | The Supplier Performance Risk System (SPRS), with an annual affirmation. |
| First move? | Read the clause, identify FCI vs CUI, confirm the required level and assessment type — then choose a provider category. |
Which contractors this rule reaches — and which it doesn’t
Before you spend a minute on the levels, place yourself. 32 CFR Part 170 applies to any DoD prime or subcontractor whose information systems will process, store, or transmit FCI or CUI in the performance of a contract, on contracts above the micro-purchase threshold — except contracts exclusively for commercially available off-the-shelf (COTS) items. It does not apply to federal information systems that a contractor operates on the government’s behalf, and DoD can waive it for a specific procurement. (Source: 32 CFR § 170.3.)
| Your situation | Likely first step | Not the right first step |
|---|---|---|
| You saw the rule cited but don't know your level, scope, or assessment type | Map your situation (RP/RPO help or a neutral path tool) | Cold-calling a C3PAO before you know your scope |
| You handle CUI but your environment isn't ready | Readiness / implementation help (RPO, MSSP, GRC, CUI enclave) | Scheduling an assessment with no evidence in place |
| Your contract names Level 2 (C3PAO) and your evidence is ready | A C3PAO assessment path | Treating readiness consulting as the assessment |
| You may need Level 3 | Confirm the DoD designation and your Level 2 prerequisite first | Assuming ordinary CUI automatically means Level 3 |
| You handle FCI only and the contract says Level 1 | Prepare a Level 1 self-assessment | Building an expensive Level 2 environment with no trigger |
The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.
What is 32 CFR Part 170 in CMMC?
32 CFR Part 170 is the federal regulation that establishes the CMMC program. It sets out how the Department of Defense verifies that contractors and subcontractors have implemented required cybersecurity standards on systems that process, store, or transmit FCI or CUI. It is the program rulebook — not, by itself, the contract requirement. (Source: 32 CFR § 170.1.)
Let’s decode the citation itself, because half the intimidation is just formatting. “32 CFR” means Title 32 of the Code of Federal Regulations — the slice of federal law that covers national defense. “Part 170” is the specific part that codifies CMMC. Put together, 32 CFR Part 170 is the rule that took CMMC from a DoD slide deck and made it enforceable federal regulation.
The rule traces to Section 1648 of the National Defense Authorization Act for Fiscal Year 2020 — that authority note tells the whole origin story.
What the rule actually does
The rule builds a complete program around cybersecurity requirements that, in most cases, already existed. Inside 32 CFR Part 170 you’ll find:
- The CMMC model and its three levels (§ 170.14).
- The assessment mechanisms for each level — self-assessment, third-party certification, and government assessment (§§ 170.15–170.18).
- Scoping rules that decide which systems are in and out (§ 170.19).
- POA&M (Plan of Action and Milestones) limits and the 180-day closeout window (§ 170.21).
- The annual affirmation requirement (§ 170.22).
- Subcontractor flow-down logic (§ 170.23).
- The scoring methodology (§ 170.24).
- The ecosystem roles — the C3PAO, the accreditation body, the assessor certification organization (Subpart C).
What 32 CFR Part 170 does not do
This is where contractors waste money, so we’ll be blunt:
- It does not insert CMMC into your contract. That’s the DFARS clause’s job.
- It does not decide your level from a generic checklist. Your contract and your data type do.
- It does not make every contractor a Level 2 shop. Plenty of firms are Level 1, and some touch no FCI or CUI at all.
- It does not make NIST SP 800-171 Revision 3 the current CMMC Level 2 baseline. CMMC Level 2 maps to Revision 2 unless and until DoD amends the rule.
- It does not mean buying a tool equals compliance. A platform can help you get there; it cannot certify you.
Does 32 CFR Part 170 apply to me — and is it in my contract yet?
32 CFR Part 170 establishes the CMMC program, but a DFARS contract clause is what makes CMMC a contractual obligation. DFARS 252.204-7025 gives notice of the required CMMC level in a solicitation; DFARS 252.204-7021 carries the ongoing obligation once it’s in your contract. Those clauses began phasing into DoD contracts on November 10, 2025. (Sources: DFARS 252.204-7021, DFARS Subpart 204.75.)
The single most useful thing we can teach you about this rule is a distinction most articles blur. Different documents do different jobs, and confusing them is how people buy the wrong thing.
| The layer | What it is | What it does for you |
|---|---|---|
| 32 CFR Part 170 | The CMMC Program Rule | Defines levels, assessments, scope, scoring, POA&M, affirmation, flow-down |
| DFARS 252.204-7025 | Solicitation notice provision | Tells offerors the CMMC level they'll need to be eligible for award |
| DFARS 252.204-7021 | Contract clause | Makes the required status, maintenance, SPRS posting, CMMC UID, and flow-down obligations contractual |
| DFARS 252.204-7012 | Safeguarding clause | Requires safeguarding of covered defense information and 72-hour incident reporting |
| NIST SP 800-171 Rev. 2 | The technical standard | Supplies the 110 requirements used for CMMC Level 2 |
| NIST SP 800-172 | Enhanced-requirements standard | Supplies the 24 selected requirements used for Level 3 |
Think of it as a chain: standard → rule → clause. NIST writes the security requirements. 32 CFR Part 170 adopts them and builds the certification program. The DFARS clause drops that program into a specific contract. If you see DFARS 252.204-7025 in a solicitation, the resulting contract will carry the DFARS 252.204-7021 CMMC obligation for the systems used in performance.
Where the phase-in stands right now
The DFARS rule that carries CMMC into contracts was published September 10, 2025 and became effective November 10, 2025 — the day Phase 1 began. Here’s what each phase authorizes:
| Phase | Start date | What DoD includes as a condition of award |
|---|---|---|
| Phase 1 | Nov 10, 2025 | Level 1 (Self) or Level 2 (Self) requirements; DoD may, at its discretion, require Level 2 (C3PAO) in their place |
| Phase 2 | Nov 10, 2026 | Adds Level 2 (C3PAO) certification for applicable acquisitions; DoD may add Level 3 (DIBCAC) |
| Phase 3 | Nov 10, 2027 | Level 2 (C3PAO) for all applicable awards, and as a condition to exercise an option period on contracts awarded after the effective date; DoD intends Level 3 (DIBCAC) as a condition of award, but may delay it to an option period |
| Phase 4 | Nov 10, 2028 | Full implementation — CMMC in all applicable solicitations, contracts, and option periods |
One date deserves a highlighter. If you handle CUI and your work is likely to be designated Level 2 (C3PAO), your planning anchor is November 10, 2026 — that’s when third-party assessments start becoming a condition of award for applicable acquisitions. Because a C3PAO assessment is a hard requirement, not a form you file, the runway is shorter than the calendar suggests once you factor in readiness and scheduling.
A major 2026 change: what the FAR overhaul did to DFARS 7019, 7020, and FAR 52.204-21
February 1, 2026: the basic self-assessment upload requirement is gone.
DoD class deviations under the government-wide “Revolutionary FAR Overhaul” eliminated DFARS 252.204-7019 and renumbered DFARS 252.204-7020 to DFARS 252.240-7997, removing the old “basic self-assessment” SPRS-upload requirement. FAR 52.204-21 was renumbered to FAR 52.240-93. Critically, DFARS 252.204-7012 and the CMMC clauses (252.204-7021 and 252.204-7025) were left unchanged, and 32 CFR Part 170 itself is untouched.
Your NIST SP 800-171 implementation obligations still live on through DFARS 252.204-7012, and your assessment obligation now runs through CMMC (DFARS 252.204-7021). Government-led NIST SP 800-171 assessments continue under the renumbered clause, DFARS 252.240-7997.
One wrinkle worth knowing: because these were class deviations, not formal rulemaking, the codified text on the eCFR and Acquisition.gov still displays 7019 and 7020. The deviations override them in practice. If a vendor or checklist still tells you to “post your 7019 self-assessment score,” that instruction is out of date. What matters now is your CMMC status and affirmation.
Stop asking “does this apply to me?” first
The abstract question — does 32 CFR Part 170 apply to me? — sends you into a regulatory rabbit hole. These operational questions get you an answer today. Ask, in order:
- Does my solicitation, contract, option, modification, or flow-down include CMMC language — specifically DFARS 252.204-7025 or 252.204-7021?
- Does the work involve FCI, CUI, or both?
- What CMMC level and assessment type does the document name (Level 1 Self, Level 2 Self, Level 2 C3PAO, or Level 3 DIBCAC)?
- Which of my systems will actually process, store, or transmit that information?
- What’s my award or option timeline?
Answer those five and you’ve done more than 90% of the “do I need CMMC” analysis that matters.
We’ll also say the honest thing plainly: a web page cannot tell you your exact CMMC scope or your legal obligation. 32 CFR Part 170 defines the program; your contract language, your data, and your systems define your duty. If your situation is genuinely ambiguous, that’s a conversation for a CMMC Registered Practitioner (a credentialed CMMC advisor) or a qualified federal-contracts attorney.
Map 32 CFR Part 170 to your contract before you request quotes
Tell us the CMMC level named in your solicitation or flow-down, whether you handle FCI or CUI, your assessment type, your environment, and your timeline. The Defense Compliance Report’s Find My CMMC Path tool points you to the provider category to verify next — not a named vendor. It never asks for CUI, drawings, or sensitive contract details.
Which CMMC level does 32 CFR Part 170 require?
32 CFR Part 170 maps CMMC Level 1 to the 15 basic safeguarding requirements in FAR 52.204-21, Level 2 to the 110 requirements in NIST SP 800-171 Revision 2, and Level 3 to 24 selected requirements from NIST SP 800-172. The contract and the sensitivity of the information — not a self-diagnosis — determine which level applies. (Source: 32 CFR § 170.14.)
| CMMC Level | Information trigger | Requirement source | Assessment route | Common mistake |
|---|---|---|---|---|
| Level 1 (Foundational) | FCI only | 15 requirements, FAR 52.204-21(b)(1) | Annual self-assessment + annual affirmation | Assuming a POA&M is allowed (it isn't) |
| Level 2 (Self) | CUI, where DoD permits self-assessment | 110 requirements, NIST SP 800-171 Rev. 2 | Self-assessment every 3 years + annual affirmation | Treating a self-assessment as equal to certification |
| Level 2 (C3PAO) | CUI requiring third-party assessment | 110 requirements, NIST SP 800-171 Rev. 2 | C3PAO certification every 3 years + annual affirmation | Calling a C3PAO before evidence exists |
| Level 3 (Expert) | Highest-sensitivity CUI / APT concern | 110 + 24 selected from NIST SP 800-172 | DCMA DIBCAC (government) assessment | Assuming every CUI contract is Level 3 |
Level 1 — 15 requirements, and no safety net
Level 1 covers Federal Contract Information (FCI) — information provided by or generated for the government under a contract that isn’t meant for public release. It requires the 15 basic safeguarding requirements in FAR 52.204-21, confirmed by an annual self-assessment and an affirmation in SPRS. One hard rule: Level 1 allows no POA&Ms. All 15 must be fully met at the time you affirm (§§ 170.15, 170.21).
A quick myth-buster: you may have read that Level 1 has “17” requirements. The rule counts 15 — FAR 52.204-21(b)(1)(i) through (xv). The “17” traces to two things: the retired CMMC 1.0 model, which listed 17 practices, and crosswalks that map those 15 FAR requirements to 17 of the 110 NIST SP 800-171 requirements. Either way, the Level 1 requirement count under the rule is 15.
Level 2 — the 110, and the number most people land on
Level 2 covers Controlled Unclassified Information (CUI). It requires all 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families and assessed against 320 assessment objectives in NIST SP 800-171A. Whether you may self-assess or must pass a C3PAO assessment depends on the contract (§§ 170.16, 170.17).
CMMC Level 2 currently uses NIST SP 800-171 Revision 2, not Revision 3. This matters because a lot of well-meaning guidance is quietly steering people toward Rev. 3. A NIST publication only becomes a CMMC obligation when DoD writes it into the rule — and as of this review, that’s still Rev. 2.
Level 3 — the government’s tier, and it’s not for most
Level 3 is for CUI tied to the DoD’s highest-priority programs — the ones facing advanced persistent threats (APTs). It layers 24 enhanced requirements selected from NIST SP 800-172 on top of a full Level 2 foundation, and it’s assessed exclusively by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) — the government, not a C3PAO. There’s a strict order of operations: you must earn a Final Level 2 (C3PAO) status on the relevant scope first, then undergo the separate DIBCAC assessment (§§ 170.14(c)(4), 170.18). DoD estimated Level 3 would apply to only about one percent of the defense industrial base — so if you’re wondering whether you’re Level 3, confirm it with your program office before you assume it.
Level 2 self-assessment vs Level 2 C3PAO — and should you call a C3PAO yet?
Level 2 (Self) and Level 2 (C3PAO) test the same 110 NIST SP 800-171 Rev. 2 requirements, but they produce different CMMC statuses through different assessors. A self-assessment is performed by your own organization and posted to SPRS; a C3PAO assessment is a formal certification conducted by a Cyber AB-authorized third party. (Source: 32 CFR §§ 170.16–170.17.)
The controls are identical. What changes is who signs off and how much rigor the sign-off carries. A Level 2 self-assessment is a documented internal review, submitted every three years with an annual affirmation. A Level 2 (C3PAO) assessment is an independent certification by a CMMC Third-Party Assessment Organization — one of the firms authorized by the Cyber AB.
When contractors see this rule, their instinct is to call a C3PAO. That is often the wrong first call — and it can cost you. A C3PAO assessment isn’t where you become ready; it’s where your readiness gets tested. If your scope isn’t defined, your System Security Plan (SSP) isn’t written, your evidence isn’t collected, and your SPRS score isn’t where it needs to be, an early assessment is an expensive way to get a list of findings you already could have predicted.
There’s a bright-line rule that works in your favor. Under the CMMC Code of Professional Conduct and the ISO/IEC 17020:2012 impartiality standard, a C3PAO cannot assess a client it provided CMMC consulting or readiness services to within the previous three years. In plain terms: the firm that helps you get ready generally cannot also be the firm that certifies you. So the sequence is clear and it protects you: get readiness and implementation help first (from an RPO, an MSSP, a GRC platform, or a CUI enclave provider, depending on your gaps), then engage a C3PAO when you’re genuinely assessment-ready.
Assessment-ready, or readiness-first?
Run this quick self-check. Every box needs to be a confident “yes” before a C3PAO assessment makes sense:
- Your CMMC assessment scope is defined and documented
- Your System Security Plan (SSP) is complete and current (it’s required — CA.L2-3.12.4, and it can never be deferred)
- You’ve collected evidence for all 110 requirements
- Your SPRS score reflects reality (realistically, 88 or higher for a conditional path)
- You’ve separated POA&M-eligible gaps from must-close gaps
- Your cloud, ESP, and CSP dependencies are documented (with FedRAMP handled where CUI is involved)
- Your affirming official is identified
Checked all seven with confidence? You’re likely ready to talk to a C3PAO. Missing several? Readiness or implementation help comes first — and that’s the more common (and cheaper) starting point. Either way, the right category depends on where you landed.
Not sure whether you need readiness help or a C3PAO?
The answer depends on your level, your CUI scope, your assessment type, your environment, and your timeline. Use Find My CMMC Path to map those to the provider category to verify next — readiness, managed security, GRC and evidence, CUI enclave strategy, or C3PAO assessment. No CUI required.
How is CMMC scored, and can you POA&M your way through?
For CMMC Level 2, the DoD Assessment Methodology starts you at 110 points and deducts 1, 3, or 5 points per unmet requirement, on a scale that runs from −203 to 110. You need at least 88 of 110 to earn a Conditional status, and you may place only limited 1-point gaps on a POA&M — which must be closed within 180 days. (Sources: 32 CFR § 170.21, § 170.24.)
| The rule | The detail | Source |
|---|---|---|
| Score range | Start at 110; scores can fall to −203 | DoD Assessment Methodology; § 170.24 |
| Point weights | Each requirement is worth 1, 3, or 5 points by risk | § 170.24 |
| Minimum for Conditional Level 2 | 88 of 110 (80%) — your score ÷ total must be ≥ 0.8 | § 170.21(a)(2)(i) |
| What a POA&M can hold | Generally only 1-point requirements | § 170.21(a)(2)(ii) |
| The one exception | SC.L2-3.13.11 (FIPS-validated cryptography) can be POA&M'd at a 3-point cost if encryption is in use but not yet FIPS-validated; if there's no encryption at all it scores 5 points and is not eligible | § 170.21(a)(2)(ii) |
| What can never be deferred | Several 1-point “program-integrity” requirements — including CA.L2-3.12.4 (the SSP itself) — plus all 3- and 5-point requirements | § 170.21(a)(2)(iii) |
| Closeout window | 180 days from your Conditional status date; miss it and the Conditional status expires | § 170.21 |
| Level 1 | No POA&Ms — everything must be met | § 170.21 |
Read the math and the 88 threshold turns out to be tougher than “80% is a passing grade” sounds. To reach 88, every 3-point and 5-point requirement has to be fully met — those are the high-risk controls like multifactor authentication and FIPS-validated encryption. The only breathing room is a small handful of 1-point items. A POA&M is a short, disciplined finish line, not a “we’ll get to it” cushion.
One more distinction: the POA&M (the post-assessment list that governs your 180-day window) is not the same as the Operational Plan of Action (OPA) — the ongoing document that satisfies requirement CA.L2-3.12.2 between assessments. Different artifacts, different purposes. Conflating them is a common finding.
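To make the scoring and POA&M rules above concrete, here is an added worked example (not code from this page, from DoD, or from any assessment tool): a small Level 2 scorer that applies the 1/3/5-point deductions, the 88-point Conditional floor, and the POA&M eligibility rules. Only SC.L2-3.13.11 and CA.L2-3.12.4 are real identifiers taken from the text; the `SAMPLE-*` IDs and their weights are constructed, and the never-deferrable set is deliberately incomplete because the page names only the SSP requirement.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constants as described in the text (32 CFR 170.21 / 170.24).
MAX_SCORE = 110              # Level 2 scoring starts at 110 points
CONDITIONAL_MIN = 88         # 88/110 = 0.80, the floor for Conditional Level 2
POAM_CLOSEOUT_DAYS = 180     # window to close the POA&M after the Conditional date
FIPS_CRYPTO = "SC.L2-3.13.11"  # the 5-point item with a 3-point POA&M exception
# The page names CA.L2-3.12.4 (the SSP) as a 1-point item that can never be
# deferred; the rule lists a few more, which this example does not enumerate.
NEVER_DEFERRABLE = {"CA.L2-3.12.4"}


@dataclass(frozen=True)
class Finding:
    """An unmet Level 2 requirement as recorded by the assessor."""
    req_id: str
    weight: int                  # 1, 3 or 5 under the DoD Assessment Methodology
    crypto_in_use: bool = False  # only meaningful for SC.L2-3.13.11:
                                 # True = encryption deployed but not FIPS-validated


def deduction(f: Finding) -> int:
    """Points lost for one unmet requirement."""
    if f.weight not in (1, 3, 5):
        raise ValueError(f"{f.req_id}: weight must be 1, 3 or 5, got {f.weight}")
    if f.req_id == FIPS_CRYPTO and f.crypto_in_use:
        return 3  # partial-credit exception: encryption present but not FIPS-validated
    return f.weight


def poam_eligible(f: Finding) -> bool:
    """May this gap sit on a POA&M while the organization holds Conditional status?"""
    if f.req_id in NEVER_DEFERRABLE:
        return False
    if f.req_id == FIPS_CRYPTO:
        return f.crypto_in_use   # eligible only in the 3-point case; 5 points is not
    return f.weight == 1         # every 3- and 5-point item must be fully met


def evaluate_level2(findings: List[Finding]) -> Dict[str, object]:
    """Apply the scoring and POA&M rules to the list of unmet requirements."""
    ids = [f.req_id for f in findings]
    if len(set(ids)) != len(ids):
        raise ValueError("a requirement cannot be listed as unmet twice")
    score = MAX_SCORE - sum(deduction(f) for f in findings)
    blockers = sorted(f.req_id for f in findings if not poam_eligible(f))
    poam = sorted(f.req_id for f in findings if poam_eligible(f))
    if not findings:
        status = "Final"        # all 110 met: no POA&M, no 180-day clock
    elif score >= CONDITIONAL_MIN and not blockers:
        status = "Conditional"  # POA&M must be closed within 180 days
    else:
        status = "Not Met"      # below 88, or an ineligible gap is still open
    return {
        "score": score,
        "ratio": round(score / MAX_SCORE, 3),
        "status": status,
        "poam_items": poam,
        "must_close_first": blockers,
        "closeout_days": POAM_CLOSEOUT_DAYS if status == "Conditional" else 0,
    }


def evaluate_level1(unmet_count: int) -> str:
    """Level 1 has no POA&M: any unmet requirement means the level is not met."""
    return "Met" if unmet_count == 0 else "Not Met"


if __name__ == "__main__":
    # Constructed sample: 'SAMPLE-*' IDs are placeholders, not real NIST SP 800-171
    # requirement identifiers, and their weights are illustrative.
    minor = [Finding(f"SAMPLE-1pt-{i}", 1) for i in range(3)]
    print(evaluate_level2(minor))                                   # Conditional, 107
    print(evaluate_level2(minor + [Finding("SAMPLE-3pt-0", 3)]))    # Not Met, 104
    print(evaluate_level2([Finding(FIPS_CRYPTO, 5, crypto_in_use=True)]))  # Conditional, 107
    print(evaluate_level2([Finding(FIPS_CRYPTO, 5)]))               # Not Met, 105
    print(evaluate_level2([Finding("CA.L2-3.12.4", 1)]))            # Not Met: SSP gap
```

Note that a 104 with one 3-point gap and a 109 with only the SSP missing both come out "Not Met", which is the point of the text: the threshold is necessary but not sufficient.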
Scoping, the cloud, your MSP, and your subcontractors
32 CFR Part 170 requires you to define your CMMC assessment scope before the assessment, and the rule applies to the contractor information systems used in performance that handle FCI or CUI — plus, for Level 2 and 3, assets that provide security protections for CUI systems or aren’t isolated from them. External service providers and cloud services can pull assets into scope, and a cloud service provider that handles CUI triggers FedRAMP requirements under DFARS 252.204-7012. (Source: 32 CFR § 170.19.)
Scope comes before tools — always
Scope is the most expensive thing to get wrong, and no purchase defines it for you. Your scope is built from your assets, data flows, users, systems, external providers, and — above all — where CUI actually lives and moves. Get the boundary right and you can dramatically shrink what you have to secure and prove. Get it wrong and you either over-spend protecting things that don’t need it or fail an assessment because something in scope was never documented.
Here’s how the Level 2 asset categories break down:
| Asset type | Why it matters for scope | What to verify |
|---|---|---|
| CUI Assets | They process, store, or transmit CUI | Assessed against the applicable requirements — this is your core boundary |
| Security Protection Assets | They provide security functions to your in-scope environment (e.g., SIEM, firewalls, VPN, identity, MDM) | In scope and assessed for the protections they provide, even if they don't touch CUI |
| Contractor Risk Managed Assets | They can but aren't intended to handle CUI, and you manage them under your policies | Document them in the SSP; managing them well keeps them from expanding your full-assessment footprint |
| Specialized Assets | They can handle FCI/CUI but can't be fully secured — IoT, IIoT, OT, GFE, restricted systems, test equipment | Document and manage per the rule; assessed differently than standard endpoints |
| Out-of-Scope Assets | They don't handle CUI and provide no security protection to in-scope assets | You must be able to show they're truly isolated and out |
| External Service Provider (ESP) | An outside firm providing IT or security services | Can be pulled into scope if it provides security protections for your assessed environment |
| Cloud Service Provider (CSP) | A cloud platform in your environment | If it processes, stores, or transmits CUI, FedRAMP requirements apply under DFARS 252.204-7012 |
Flow-down: what primes and subs each owe
32 CFR Part 170 pushes CMMC requirements down the supply chain, and DFARS 252.204-7021 requires a contractor to flow down the substance of the clause and verify a subcontractor’s status before subcontract award — except for subcontracts solely for COTS items. (Sources: DFARS 252.204-7021, 32 CFR § 170.23.)
If you’re a prime, your job is to identify which subs will actually touch FCI or CUI, flow down the correct level, and verify their status before award. The trap here is over-flowing — demanding Level 2 from a supplier who never touches CUI. If you’re a subcontractor, don’t accept a blanket demand at face value. Ask the prime: What CMMC level and data type is this tied to? Is it driven by an actual solicitation or contract, or internal policy? And do my own systems process, store, or transmit the FCI or CUI in question? The answers decide what you actually owe.
For the full supply-chain breakdown, see our CMMC flow-down requirements guide.
Common myths about 32 CFR Part 170 — and what the rule actually says
Because CMMC evolved from a 2020-era model into a 2024 Final Rule, a surprising amount of published content carries outdated or simply incorrect facts — wrong effective dates, the retired “17-control” figure for Level 1, and Revision 2 versus Revision 3 mix-ups. Every correction below is checked against the rule itself.
| What you’ll often see | What the rule actually says | Source |
|---|---|---|
| "Published December 2023" or "effective when published in October 2024" | Published Oct 15, 2024 at 89 FR 83092; effective December 16, 2024 — 60 days later, not on the publication date | 89 FR 83092 |
| "CMMC Level 1 = 17 requirements" | Level 1 = 15 requirements, FAR 52.204-21(b)(1)(i)–(xv). '17' traces to CMMC 1.0 and to the 15-to-17 NIST crosswalk | 32 CFR § 170.14(c)(2) |
| "CMMC uses NIST SP 800-171 Rev. 3" | CMMC Level 2 currently maps to Rev. 2; Rev. 3 is not a CMMC requirement unless DoD amends the rule | NIST CSRC; § 170.14 |
| "DFARS 252.204-7021 is the only CMMC clause" | The DFARS rule uses two: -7025 (solicitation notice) and -7021 (contract obligation) | Acquisition.gov |
| "You still post a 7019 self-assessment score to SPRS" | As of Feb 1, 2026, DFARS 7019 was eliminated and 7020 renumbered to 252.240-7997; the basic self-assessment upload requirement was removed | DoD class deviations, Feb 2026 |
| "32 CFR Part 170 puts CMMC in my contract" | No — the rule is the program; the DFARS clause puts it in contracts, on a phased schedule | § 170.3 |
| "A POA&M lets you defer almost anything" | POA&Ms are narrow: 1-point items only (one crypto exception), an 88 minimum, several items never eligible, 180-day closeout | § 170.21 |
The state of the CMMC ecosystem right now
DoD’s rulemaking estimated that 8,350 medium and large entities would need Level 2 certification assessments, out of a broader population estimated at roughly 80,000 organizations handling CUI. As of early-to-mid 2026, publicly reported figures put the number of authorized C3PAOs and the number of certified organizations far below that demand — which is why the bottleneck most contractors underestimate is their own readiness plus C3PAO scheduling. (Primary figure: 89 FR 83092.)
- Authorized C3PAOs: publicly reported in roughly the 70–105 range through early-to-mid 2026 (verify the live count at cyberab.org before relying on it).
- Certified Level 2 organizations: reported at roughly 500–1,000 as of early-to-mid 2026 — a small fraction of the expected population.
- C3PAO scheduling lead times: widely reported at 6–12 months, with some assessors booked into 2027.
The takeaway isn’t panic; it’s sequencing. With certification lagging demand and third-party assessments becoming a condition of award in Phase 2, the firms that book their readiness work now — and their assessment slot early — are the ones who won’t be scrambling when a Level 2 (C3PAO) requirement lands in a solicitation they want to win.
What to do the moment you see “32 CFR Part 170” or CMMC in a solicitation
Don’t start by buying software or scheduling an assessment. Start by extracting the required CMMC level from the document, confirming whether you handle FCI or CUI, mapping the systems in scope, checking your SPRS status and affirmation, and only then choosing the right provider category for readiness, implementation, evidence, or assessment. (Source: DFARS 252.204-7021.)
| Step | Do this | Why it matters |
|---|---|---|
| 1 | Find the DFARS 252.204-7025 or 252.204-7021 language | Confirms CMMC is actually entering your solicitation or contract |
| 2 | Identify the required CMMC level | Level 1, Level 2 Self, Level 2 C3PAO, and Level 3 are four different paths |
| 3 | Confirm FCI vs CUI | FCI-only and CUI environments carry very different requirements |
| 4 | Identify the systems used in performance | Scope covers systems that handle FCI/CUI, plus assets that protect them |
| 5 | Check the assessment type | Don't confuse Level 2 Self with Level 2 (C3PAO) |
| 6 | Review your SPRS entries | Check your CMMC status, CMMC UID, and annual affirmation — different DFARS provisions govern these, and they can affect eligibility |
| 7 | Define scope before requesting quotes | A bad scope produces bad quotes and bad assessments |
| 8 | Choose the provider category | RPO/RP, MSSP, GRC, CUI enclave, or C3PAO — depending on your stage |
| 9 | Keep CUI out of any intake form | Use general descriptors only |
| 10 | Confirm legal and contractual applicability | Use a CMMC Registered Practitioner or a federal-contracts attorney where the stakes warrant |
The 32 CFR Part 170 Contractor Action Map
This asset translates each key part of the rule into the one thing a contractor should verify, the misread to avoid, and the next move — with the primary source for each row. Note that it routes you to a provider category, never a named vendor, and is not a score, a ranking, or compliance advice.
| Rule / authority | What it establishes | What you should verify | What it does not mean | Your next move |
|---|---|---|---|---|
| 32 CFR Part 170 (overall) | The CMMC Program Rule for systems handling FCI/CUI | Whether your work involves FCI/CUI on your systems | It doesn't itself insert CMMC into your contract | Read the solicitation/flow-down; find the DFARS language |
| § 170.3 — Applicability | Which awards the program covers, with phase-in, waiver, and COTS exceptions | Whether the requirement is phased, waived, or COTS-only | Not every contractor gets the same level | Confirm data type and clause language |
| § 170.14 — Model & levels | Level 1/2/3 requirement sources | Whether you face FCI, CUI, or high-sensitivity CUI | It doesn't make Rev. 3 the current Level 2 baseline | Map the named level to the right standard |
| § 170.15 — Level 1 | Annual self-assessment + affirmation for FCI | Whether the requirement is FCI-only, Level 1 (Self) | It doesn't allow Level 1 POA&Ms | Prepare the self-assessment and SPRS affirmation |
| § 170.16 — Level 2 (Self) | Triennial self-assessment + annual affirmation | Whether the solicitation permits self-assessment | It isn't the same as C3PAO certification | Build evidence to NIST SP 800-171A objectives |
| § 170.17 — Level 2 (C3PAO) | Certification by an authorized C3PAO | Whether the contract requires Level 2 (C3PAO) | The C3PAO can't also do your remediation | Separate readiness help from the assessment |
| § 170.18 — Level 3 | DIBCAC assessment, Level 2 prerequisite | Whether DoD designated Level 3 for the contract | It doesn't apply to ordinary CUI by default | Confirm the designation with your program office |
| § 170.19 — Scoping | How assessment scope is defined | Which assets, ESPs, CSPs, and CUI flows are in scope | Buying a tool doesn't define your scope | Document scope before any provider quote |
| § 170.21 — POA&M | Conditional status and 180-day closeout | Which gaps are actually POA&M-eligible | It doesn't allow unlimited deferral | Identify must-close items before the assessment |
| § 170.22 — Affirmation | Annual affirmation by an affirming official | Who will affirm, and when it expires | It's not a one-time checkbox | Put the annual affirmation on the calendar in SPRS |
| § 170.23 — Subcontractors | Flow-down through all tiers | Which subs process/store/transmit FCI/CUI | It doesn't apply to subs with no FCI/CUI | Flow down the correct level; verify status pre-award |
| § 170.24 — Scoring | The DoD Assessment Methodology | Your SPRS score against the 88-of-110 threshold | 80% isn't a soft pass; 3- and 5-point controls must be met | Score honestly before you commit to a date |
| DFARS 252.204-7025 / -7021 | Solicitation notice and contract obligation | Required level, CMMC UID, SPRS status, affirmation, flow-down | It isn't the same thing as 32 CFR Part 170 | Treat the contract language as your trigger |
| NIST SP 800-171 Rev. 2 | The 110 Level 2 requirements | Your implementation across 14 families | It isn't Rev. 3 for CMMC purposes | Gap-assess against the 320 objectives |
| NIST SP 800-172 | The 24 selected Level 3 requirements | Whether Level 3 applies to you at all | It isn't a default for CUI | Confirm designation before investing |
Turn the rule into your next CMMC move
You now know the level language to look for, the assessment types, and the sequence. If you want a shortcut to the category that fits your situation, tell us your level, whether you handle FCI or CUI, your assessment type, your environment, and your timeline. We’ll help you identify whether the next conversation is readiness, managed security, GRC and evidence workflow, CUI enclave strategy, or a C3PAO assessment — and route you to source-checked provider options.
What we verified for this page
We wrote this from primary and official sources, not vendor marketing. We read the current 32 CFR Part 170 rule text on the eCFR, confirmed the Federal Register citation and effective date, checked the DFARS clause language and phase dates on Acquisition.gov, verified the NIST version mapping against NIST’s own catalog, and confirmed the February 2026 clause changes against DoD class-deviation guidance.
What we checked, as of :
- eCFR, 32 CFR Part 170 — current rule text: structure, definitions, the 15/110/24 level counts, applicability (§ 170.3), scoping (§ 170.19), POA&M rules (§ 170.21), scoring (§ 170.24), and flow-down (§ 170.23).
- Federal Register, 89 FR 83092 — publication Oct 15, 2024; effective Dec 16, 2024.
- Acquisition.gov, DFARS Subpart 204.75, 252.204-7021, and 252.204-7025 — the CMMC clause structure and the four-phase schedule (Phase 1 began Nov 10, 2025; Phase 2 begins Nov 10, 2026).
- February 2026 class deviations — the elimination of DFARS 252.204-7019 and renumbering of 252.204-7020 to 252.240-7997, and the renumbering of FAR 52.204-21 to 52.240-93, with DFARS 252.204-7012 and the CMMC clauses unchanged.
- NIST CSRC — SP 800-171 Rev. 2 (the current Level 2 baseline) and SP 800-172 (the Level 3 enhanced requirements).
What we did not verify, and you should confirm for your own situation:
- We did not use Cyber AB Marketplace counts as the basis for any regulatory claim; the ecosystem figures are publicly reported ranges. Verify the live count directly at cyberab.org on the day you rely on it.
- We did not review your contract, your solicitation, or your SPRS record.
- We did not assess your scope or determine your legal obligation — that’s a job for a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.
- We did not rank or endorse any provider. This is educational research, not legal, contractual, or compliance advice.
Frequently asked questions about 32 CFR Part 170 CMMC
Is 32 CFR Part 170 the CMMC Final Rule?
Yes. 32 CFR Part 170 is the CMMC Program Rule. It establishes the program’s structure — levels, assessment types, scoping, POA&M limits, affirmation, and flow-down — for contractor systems that process, store, or transmit FCI or CUI. It was published October 15, 2024 and became effective December 16, 2024.
Is 32 CFR Part 170 the same as DFARS 252.204-7021?
No. 32 CFR Part 170 defines the CMMC program. DFARS 252.204-7021 is the contract clause that requires a contractor to have and maintain the current CMMC status for covered systems when the clause is in the contract. The rule is the program; the clause is the contractual trigger.
Is CMMC Level 2 based on NIST SP 800-171 Rev. 2 or Rev. 3?
CMMC Level 2 currently maps to NIST SP 800-171 Revision 2 under 32 CFR Part 170. Revision 3 is not the controlling Level 2 baseline unless and until DoD amends the CMMC rule to adopt it.
Does every Level 2 contract require a C3PAO?
No. 32 CFR Part 170 provides both a Level 2 (Self) path and a Level 2 (C3PAO) path. The required assessment type depends on the solicitation, the contract, the DoD implementation phase, and the program office’s decision.
How many requirements are in CMMC Level 1 — 15 or 17?
Fifteen. CMMC Level 1 uses the 15 basic safeguarding requirements in FAR 52.204-21(b)(1)(i) through (xv). The figure “17” traces to the retired CMMC 1.0 model and to crosswalks that map those 15 requirements to 17 NIST SP 800-171 requirements — but the Level 1 count under the rule is 15.
What happened to DFARS 252.204-7019 and 7020?
As of February 1, 2026, DoD class deviations under the Revolutionary FAR Overhaul eliminated DFARS 252.204-7019 and renumbered 252.204-7020 to 252.240-7997, removing the old “basic self-assessment” SPRS-upload requirement. DFARS 252.204-7012 and the CMMC clauses (7021 and 7025) were not changed. Because these were class deviations rather than rulemaking, the codified text still shows the old clause numbers.
Can I use a POA&M for CMMC?
Not for Level 1. For Level 2 and Level 3, POA&Ms are permitted only in narrow circumstances: generally 1-point items only, a minimum score of 88 of 110 (80%) for Level 2, several requirements that can never be deferred regardless of point value, and a firm 180-day closeout window. If the POA&M is not closed out within those 180 days, the Conditional status lapses rather than being extended.
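The scoring and POA&M gates in this answer and in the § 170.24 row above (110 requirements, the 88 floor, 1-point-only deferrals, a never-defer set, the 180-day closeout) reduce to a small decision routine that a GRC team can run against its own gap list before committing to an assessment date. The Python below is an added example, not code from this page or from DoD. Two things in it are assumptions to confirm on eCFR before relying on them: the five never-deferrable requirement IDs and the CUI-encryption exception are my reading of § 170.21(a)(2). The sample findings are constructed; their practice IDs are real, but the point values are illustrative and in practice come from the DoD Assessment Methodology's scoring table.

```python
"""Level 2 SPRS scoring and POA&M eligibility, as the CMMC rule describes them.
Added example: not DoD tooling. Confirm the flagged assumptions on eCFR."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional, Tuple, Union

TOTAL_REQUIREMENTS = 110      # NIST SP 800-171 Rev. 2 requirements at Level 2
MIN_CONDITIONAL_SCORE = 88    # the "88 threshold": 0.8 * 110, rounded up
CLOSEOUT_DAYS = 180           # POA&M closeout window

# ASSUMPTION: my reading of 32 CFR 170.21(a)(2). Confirm the exact IDs on eCFR.
NEVER_DEFERRABLE = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})
# ASSUMPTION: CUI encryption may sit in a POA&M at a 3-point deduction
# (encryption in place but not FIPS-validated). Confirm on eCFR.
ENCRYPTION_EXCEPTION = "SC.L2-3.13.11"


@dataclass(frozen=True)
class Finding:
    """One unmet (or partially met) requirement as the assessor recorded it."""
    req_id: str       # CMMC practice ID, e.g. "AC.L2-3.1.1"
    deduction: int    # points deducted (1, 3 or 5) per the methodology's table


@dataclass(frozen=True)
class Outcome:
    status: str                  # "Final", "Conditional" or "Not eligible"
    score: int                   # SPRS score
    closeout_by: Optional[date]  # POA&M deadline when status is Conditional
    blockers: Tuple[str, ...]    # items that must be fixed before any assessment


def sprs_score(findings: Iterable[Finding]) -> int:
    """DoD Assessment Methodology: start at 110, subtract each unmet item's points."""
    return TOTAL_REQUIREMENTS - sum(f.deduction for f in findings)


def poam_eligible(f: Finding) -> bool:
    """An item can be deferred only if it is a 1-point item (or the encryption
    exception at 3 points) and is not on the never-defer list."""
    if f.req_id in NEVER_DEFERRABLE:
        return False
    if f.deduction == 1:
        return True
    return f.req_id == ENCRYPTION_EXCEPTION and f.deduction == 3


def evaluate(findings: Iterable[Finding], assessment_date: Union[date, str]) -> Outcome:
    """Decide Final / Conditional / Not eligible for a Level 2 assessment."""
    findings = tuple(findings)
    if isinstance(assessment_date, str):
        assessment_date = date.fromisoformat(assessment_date)
    score = sprs_score(findings)
    if not findings:                      # all 110 met: Final status
        return Outcome("Final", score, None, ())
    blockers = [f.req_id for f in findings if not poam_eligible(f)]
    if score < MIN_CONDITIONAL_SCORE:     # 80% floor applies on top of item rules
        blockers.append(f"score {score} below {MIN_CONDITIONAL_SCORE}")
    if blockers:
        return Outcome("Not eligible", score, None, tuple(blockers))
    return Outcome("Conditional", score,
                   assessment_date + timedelta(days=CLOSEOUT_DAYS), ())


# Constructed sample findings: real practice IDs, illustrative point values.
SAMPLE_CONDITIONAL = (
    Finding("AT.L2-3.2.3", 1),
    Finding("MA.L2-3.7.4", 1),
    Finding("SC.L2-3.13.11", 3),          # the encryption exception
)
SAMPLE_BLOCKED = SAMPLE_CONDITIONAL + (
    Finding("AC.L2-3.1.20", 1),           # never deferrable, even at 1 point
    Finding("AC.L2-3.1.1", 5),            # 5-point item: must be fixed first
)

if __name__ == "__main__":
    for name, sample in (("conditional", SAMPLE_CONDITIONAL), ("blocked", SAMPLE_BLOCKED)):
        print(name, evaluate(sample, "2026-03-02"))
```

Run it as-is to see the two constructed cases: the first lands at 105 with a Conditional status and a closeout deadline 180 days out; the second scores 99, comfortably above 88, yet is still not eligible because one never-deferrable item and one 5-point item are open. That second case is the point of the routine: the 88 floor is necessary but not sufficient, and the blockers list is the must-close list to hand to remediation.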
What is a CMMC UID?
A CMMC Unique Identifier (CMMC UID) is a 10-character alphanumeric code reflected in the Supplier Performance Risk System (SPRS) for each assessed contractor information system. Under DFARS 252.204-7021, contractors provide the CMMC UIDs for the systems used in performance of a contract.
Does CMMC apply to subcontractors?
Yes, when subcontractors process, store, or transmit FCI or CUI and the requirement is flowed down. DFARS 252.204-7021 requires primes to flow down the substance of the clause and verify appropriate subcontractor status before award — except for subcontracts solely for COTS items.
When is CMMC actually required in my contract?
CMMC becomes a contract requirement when a DFARS clause (252.204-7025 in the solicitation, 252.204-7021 in the contract) is included, which DoD began doing on November 10, 2025 under a four-phase schedule. Level 2 (C3PAO) assessments start becoming a condition of award in Phase 2, on November 10, 2026.
How much does CMMC cost?
It varies widely by level, scope, and starting maturity, so treat any single number with caution. Level 2 C3PAO assessment fees alone have been publicly reported across a broad range — commonly tens of thousands of dollars, often cited from roughly $40,000 into the six figures for larger or multi-site environments — and that’s separate from the readiness and remediation work that usually costs more. For a scoped picture, price the readiness path and the assessment as two distinct line items.
Should I contact a C3PAO first?
Only if you’re genuinely assessment-ready or your immediate need is scheduling a formal assessment. If you’re still defining scope, writing your SSP, building evidence, or drawing your CUI boundary, readiness or implementation help is usually the better first step — and conflict-of-interest rules keep those roles separate from the assessment anyway.
Need a next step, not just an explanation?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This page is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before you act.