The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

32 CFR Part 170 CMMC: What the Final Rule Actually Requires

A contractor’s guide to the CMMC Program Rule — how it differs from the DFARS clause, which level and assessment path may apply to you, and what to verify before you spend a dollar.

By The Defense Compliance Report Editorial Team

Last reviewed: · Independent. Not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

32 CFR Part 170 is the CMMC Program Rule.

It is the federal regulation that establishes the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program. It defines the three CMMC levels, the assessment types, scoping, scoring, plan-of-action limits, annual affirmations, and subcontractor flow-down for any contractor whose systems handle Federal Contract Information or Controlled Unclassified Information.

The rule was published in the Federal Register on October 15, 2024 (89 FR 83092) and became effective December 16, 2024. But here’s the part that trips up nearly everyone: the rule itself doesn’t put CMMC in your contract. A DFARS contract clause does that — on a phased schedule that started November 10, 2025 and reaches full force by 2028.

32 CFR Part 170 CMMC in one screen

32 CFR Part 170 CMMC quick-reference answers
Question | Straight answer
--- | ---
What is 32 CFR Part 170? | The CMMC Program Rule — the regulation that establishes DoD's CMMC program.
What does it govern? | CMMC levels, assessment types, scoping, scoring, POA&M limits, affirmations, and flow-down.
When did it take effect? | Published Oct 15, 2024 (89 FR 83092); effective December 16, 2024.
Does it put CMMC in my contract? | No. The DFARS clause (DFARS 252.204-7021) does that, when included.
Who can it affect? | DoD contractors and subcontractors whose systems process, store, or transmit FCI or CUI.
Level 1? | 15 requirements from FAR 52.204-21, annual self-assessment (FCI).
Level 2? | 110 requirements from NIST SP 800-171 Rev. 2, self or C3PAO assessment (CUI).
Level 3? | The 110 plus 24 from NIST SP 800-172, assessed by the government (DIBCAC).
Where does status live? | The Supplier Performance Risk System (SPRS), with an annual affirmation.
First move? | Read the clause, identify FCI vs CUI, confirm the required level and assessment type — then choose a provider category.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.


Which contractors this rule reaches — and which it doesn’t

Before you spend a minute on the levels, place yourself. 32 CFR Part 170 applies to any DoD prime or subcontractor whose information systems will process, store, or transmit FCI or CUI in the performance of a contract, on contracts above the micro-purchase threshold — except contracts exclusively for commercially available off-the-shelf (COTS) items. It does not apply to federal information systems that a contractor operates on the government’s behalf, and DoD can waive it for a specific procurement. (Source: 32 CFR § 170.3.)

Contractor situation, first step, and what not to do
Your situation | Likely first step | Not the right first step
--- | --- | ---
You saw the rule cited but don't know your level, scope, or assessment type | Map your situation (RP/RPO help or a neutral path tool) | Cold-calling a C3PAO before you know your scope
You handle CUI but your environment isn't ready | Readiness / implementation help (RPO, MSSP, GRC, CUI enclave) | Scheduling an assessment with no evidence in place
Your contract names Level 2 (C3PAO) and your evidence is ready | A C3PAO assessment path | Treating readiness consulting as the assessment
You may need Level 3 | Confirm the DoD designation and your Level 2 prerequisite first | Assuming ordinary CUI automatically means Level 3
You handle FCI only and the contract says Level 1 | Prepare a Level 1 self-assessment | Building an expensive Level 2 environment with no trigger

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.


What is 32 CFR Part 170 in CMMC?

32 CFR Part 170 is the federal regulation that establishes the CMMC program. It sets out how the Department of Defense verifies that contractors and subcontractors have implemented required cybersecurity standards on systems that process, store, or transmit FCI or CUI. It is the program rulebook — not, by itself, the contract requirement. (Source: 32 CFR § 170.1.)

Let’s decode the citation itself, because half the intimidation is just formatting. “32 CFR” means Title 32 of the Code of Federal Regulations — the slice of federal law that covers national defense. “Part 170” is the specific part that codifies CMMC. Put together, 32 CFR Part 170 is the rule that took CMMC from a DoD slide deck and made it enforceable federal regulation.

The rule traces to Section 1648 of the National Defense Authorization Act for Fiscal Year 2020 — that authority note tells the whole origin story.

What the rule actually does

The rule builds a complete program around cybersecurity requirements that, in most cases, already existed. Inside 32 CFR Part 170 you’ll find:

What 32 CFR Part 170 does not do

This is where contractors waste money, so we’ll be blunt:


Does 32 CFR Part 170 apply to me — and is it in my contract yet?

32 CFR Part 170 establishes the CMMC program, but a DFARS contract clause is what makes CMMC a contractual obligation. DFARS 252.204-7025 gives notice of the required CMMC level in a solicitation; DFARS 252.204-7021 carries the ongoing obligation once it’s in your contract. Those clauses began phasing into DoD contracts on November 10, 2025. (Sources: DFARS 252.204-7021, DFARS Subpart 204.75.)

The single most useful thing we can teach you about this rule is a distinction most articles blur. Different documents do different jobs, and confusing them is how people buy the wrong thing.

CMMC regulatory layers — program rule, DFARS clauses, and technical standards
The layer | What it is | What it does for you
--- | --- | ---
32 CFR Part 170 | The CMMC Program Rule | Defines levels, assessments, scope, scoring, POA&M, affirmation, flow-down
DFARS 252.204-7025 | Solicitation notice provision | Tells offerors the CMMC level they'll need to be eligible for award
DFARS 252.204-7021 | Contract clause | Makes the required status, maintenance, SPRS posting, CMMC UID, and flow-down obligations contractual
DFARS 252.204-7012 | Safeguarding clause | Requires safeguarding of covered defense information and 72-hour incident reporting
NIST SP 800-171 Rev. 2 | The technical standard | Supplies the 110 requirements used for CMMC Level 2
NIST SP 800-172 | Enhanced-requirements standard | Supplies the 24 selected requirements used for Level 3

Think of it as a chain: standard → rule → clause. NIST writes the security requirements. 32 CFR Part 170 adopts them and builds the certification program. The DFARS clause drops that program into a specific contract. If you see DFARS 252.204-7025 in a solicitation, the resulting contract will carry the DFARS 252.204-7021 CMMC obligation for the systems used in performance.

Where the phase-in stands right now

The DFARS rule that carries CMMC into contracts was published September 10, 2025 and became effective November 10, 2025 — the day Phase 1 began. Here’s what each phase authorizes:

CMMC four-phase rollout schedule and conditions of award
Phase | Start date | What DoD includes as a condition of award
--- | --- | ---
Phase 1 | Nov 10, 2025 | Level 1 (Self) or Level 2 (Self) requirements; DoD may, at its discretion, require Level 2 (C3PAO) in their place
Phase 2 | Nov 10, 2026 | Adds Level 2 (C3PAO) certification for applicable acquisitions; DoD may add Level 3 (DIBCAC)
Phase 3 | Nov 10, 2027 | Level 2 (C3PAO) for all applicable awards, and as a condition to exercise an option period on contracts awarded after the effective date; DoD intends Level 3 (DIBCAC) as a condition of award, but may delay it to an option period
Phase 4 | Nov 10, 2028 | Full implementation — CMMC in all applicable solicitations, contracts, and option periods

Source: 32 CFR § 170.3(e); each phase begins one calendar year after the last.

One date deserves a highlighter. If you handle CUI and your work is likely to be designated Level 2 (C3PAO), your planning anchor is November 10, 2026 — that’s when third-party assessments start becoming a condition of award for applicable acquisitions. Because a C3PAO assessment is a hard requirement, not a form you file, the runway is shorter than the calendar suggests once you factor in readiness and scheduling.

A major 2026 change: what the FAR overhaul did to DFARS 7019, 7020, and FAR 52.204-21

February 1, 2026: the basic self-assessment upload requirement is gone.

DoD class deviations under the government-wide “Revolutionary FAR Overhaul” eliminated DFARS 252.204-7019 and renumbered DFARS 252.204-7020 to DFARS 252.240-7997, removing the old “basic self-assessment” SPRS-upload requirement. FAR 52.204-21 was renumbered to FAR 52.240-93. Critically, DFARS 252.204-7012 and the CMMC clauses (252.204-7021 and 252.204-7025) were left unchanged, and 32 CFR Part 170 itself is untouched.

Your NIST SP 800-171 implementation obligations still live on through DFARS 252.204-7012, and your assessment obligation now runs through CMMC (DFARS 252.204-7021). Government-led NIST SP 800-171 assessments continue under the renumbered clause, DFARS 252.240-7997.

One wrinkle worth knowing: because these were class deviations, not formal rulemaking, the codified text on the eCFR and Acquisition.gov still displays 7019 and 7020. The deviations override them in practice. If a vendor or checklist still tells you to “post your 7019 self-assessment score,” that instruction is out of date. What matters now is your CMMC status and affirmation.

Stop asking “does this apply to me?” first

The abstract question — does 32 CFR Part 170 apply to me? — sends you into a regulatory rabbit hole. These operational questions get you an answer today. Ask, in order:

  1. Does my solicitation, contract, option, modification, or flow-down include CMMC language — specifically DFARS 252.204-7025 or 252.204-7021?
  2. Does the work involve FCI, CUI, or both?
  3. What CMMC level and assessment type does the document name (Level 1 Self, Level 2 Self, Level 2 C3PAO, or Level 3 DIBCAC)?
  4. Which of my systems will actually process, store, or transmit that information?
  5. What’s my award or option timeline?

Answer those five and you’ve done more than 90% of the “do I need CMMC” analysis that matters.

We’ll also say the honest thing plainly: a web page cannot tell you your exact CMMC scope or your legal obligation. 32 CFR Part 170 defines the program; your contract language, your data, and your systems define your duty. If your situation is genuinely ambiguous, that’s a conversation for a CMMC Registered Practitioner (a credentialed CMMC advisor) or a qualified federal-contracts attorney.

Map 32 CFR Part 170 to your contract before you request quotes

Tell us the CMMC level named in your solicitation or flow-down, whether you handle FCI or CUI, your assessment type, your environment, and your timeline. The Defense Compliance Report’s Find My CMMC Path tool points you to the provider category to verify next — not a named vendor. It never asks for CUI, drawings, or sensitive contract details.

Find My CMMC Path →

Which CMMC level does 32 CFR Part 170 require?

32 CFR Part 170 maps CMMC Level 1 to the 15 basic safeguarding requirements in FAR 52.204-21, Level 2 to the 110 requirements in NIST SP 800-171 Revision 2, and Level 3 to 24 selected requirements from NIST SP 800-172. The contract and the sensitivity of the information — not a self-diagnosis — determine which level applies. (Source: 32 CFR § 170.14.)

CMMC levels, requirement sources, assessment routes, and common mistakes
CMMC Level | Information trigger | Requirement source | Assessment route | Common mistake
--- | --- | --- | --- | ---
Level 1 (Foundational) | FCI only | 15 requirements, FAR 52.204-21(b)(1) | Annual self-assessment + annual affirmation | Assuming a POA&M is allowed (it isn't)
Level 2 (Self) | CUI, where DoD permits self-assessment | 110 requirements, NIST SP 800-171 Rev. 2 | Self-assessment every 3 years + annual affirmation | Treating a self-assessment as equal to certification
Level 2 (C3PAO) | CUI requiring third-party assessment | 110 requirements, NIST SP 800-171 Rev. 2 | C3PAO certification every 3 years + annual affirmation | Calling a C3PAO before evidence exists
Level 3 (Expert) | Highest-sensitivity CUI / APT concern | 110 + 24 selected from NIST SP 800-172 | DCMA DIBCAC (government) assessment | Assuming every CUI contract is Level 3

For the full level-by-level breakdown, see our CMMC Level 2 requirements guide and the CMMC certification process.

Level 1 — 15 requirements, and no safety net

Level 1 covers Federal Contract Information (FCI) — information provided by or generated for the government under a contract that isn’t meant for public release. It requires the 15 basic safeguarding requirements in FAR 52.204-21, confirmed by an annual self-assessment and an affirmation in SPRS. One hard rule: Level 1 allows no POA&Ms. All 15 must be fully met at the time you affirm (§§ 170.15, 170.21).

A quick myth-buster: you may have read that Level 1 has “17” requirements. The rule counts 15 — FAR 52.204-21(b)(1)(i) through (xv). The “17” traces to two things: the retired CMMC 1.0 model, which listed 17 practices, and crosswalks that map those 15 FAR requirements to 17 of the 110 NIST SP 800-171 requirements. Either way, the Level 1 requirement count under the rule is 15.

Level 2 — the 110, and the number most people land on

Level 2 covers Controlled Unclassified Information (CUI). It requires all 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families and assessed against 320 assessment objectives in NIST SP 800-171A. Whether you may self-assess or must pass a C3PAO assessment depends on the contract (§§ 170.16, 170.17).

CMMC Level 2 currently uses NIST SP 800-171 Revision 2, not Revision 3. This matters because a lot of well-meaning guidance is quietly steering people toward Rev. 3. A NIST publication only becomes a CMMC obligation when DoD writes it into the rule — and as of this review, that’s still Rev. 2.

Level 3 — the government’s tier, and it’s not for most

Level 3 is for CUI tied to the DoD’s highest-priority programs — the ones facing advanced persistent threats (APTs). It layers 24 enhanced requirements selected from NIST SP 800-172 on top of a full Level 2 foundation, and it’s assessed exclusively by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) — the government, not a C3PAO. There’s a strict order of operations: you must earn a Final Level 2 (C3PAO) status on the relevant scope first, then undergo the separate DIBCAC assessment (§§ 170.14(c)(4), 170.18). DoD estimated Level 3 would apply to only about one percent of the defense industrial base — so if you’re wondering whether you’re Level 3, confirm it with your program office before you assume it.


Level 2 self-assessment vs Level 2 C3PAO — and should you call a C3PAO yet?

Level 2 (Self) and Level 2 (C3PAO) test the same 110 NIST SP 800-171 Rev. 2 requirements, but they produce different CMMC statuses through different assessors. A self-assessment is performed by your own organization and posted to SPRS; a C3PAO assessment is a formal certification conducted by a Cyber AB-authorized third party. (Source: 32 CFR §§ 170.16–170.17.)

The controls are identical. What changes is who signs off and how much rigor the sign-off carries. A Level 2 self-assessment is a documented internal review, submitted every three years with an annual affirmation. A Level 2 (C3PAO) assessment is an independent certification by a CMMC Third-Party Assessment Organization — one of the firms authorized by the Cyber AB.

When contractors see this rule, their instinct is to call a C3PAO. That is often the wrong first call — and it can cost you. A C3PAO assessment isn’t where you become ready; it’s where your readiness gets tested. If your scope isn’t defined, your System Security Plan (SSP) isn’t written, your evidence isn’t collected, and your SPRS score isn’t where it needs to be, an early assessment is an expensive way to get a list of findings you already could have predicted.

There’s a bright-line rule that works in your favor. Under the CMMC Code of Professional Conduct and the ISO/IEC 17020:2012 impartiality standard, a C3PAO cannot assess a client it provided CMMC consulting or readiness services to within the previous three years. In plain terms: the firm that helps you get ready generally cannot also be the firm that certifies you. So the sequence is clear and it protects you: get readiness and implementation help first (from an RPO, an MSSP, a GRC platform, or a CUI enclave provider, depending on your gaps), then engage a C3PAO when you’re genuinely assessment-ready.

Assessment-ready, or readiness-first?

Run this quick self-check. Every box needs to be a confident “yes” before a C3PAO assessment makes sense:

Checked all seven with confidence? You’re likely ready to talk to a C3PAO. Missing several? Readiness or implementation help comes first — and that’s the more common (and cheaper) starting point. Either way, the right category depends on where you landed.

Not sure whether you need readiness help or a C3PAO?

The answer depends on your level, your CUI scope, your assessment type, your environment, and your timeline. Use Find My CMMC Path to map those to the provider category to verify next — readiness, managed security, GRC and evidence, CUI enclave strategy, or C3PAO assessment. No CUI required.

Map my CMMC path →

How is CMMC scored, and can you POA&M your way through?

For CMMC Level 2, the DoD Assessment Methodology starts you at 110 points and deducts 1, 3, or 5 points per unmet requirement, on a scale that runs from −203 to 110. You need at least 88 of 110 to earn a Conditional status, and you may place only limited 1-point gaps on a POA&M — which must be closed within 180 days. (Sources: 32 CFR § 170.21, § 170.24.)

CMMC Level 2 scoring mechanics and POA&M rules
The rule | The detail | Source
--- | --- | ---
Score range | Start at 110; scores can fall to −203 | DoD Assessment Methodology; § 170.24
Point weights | Each requirement is worth 1, 3, or 5 points by risk | § 170.24
Minimum for Conditional Level 2 | 88 of 110 (80%) — your score ÷ total must be ≥ 0.8 | § 170.21(a)(2)(i)
What a POA&M can hold | Generally only 1-point requirements | § 170.21(a)(2)(ii)
The one exception | SC.L2-3.13.11 (FIPS-validated cryptography) can be POA&M'd at a 3-point cost if encryption is in use but not yet FIPS-validated; if there's no encryption at all it scores 5 points and is not eligible | § 170.21(a)(2)(ii)
What can never be deferred | Several 1-point “program-integrity” requirements — including CA.L2-3.12.4 (the SSP itself) — plus all 3- and 5-point requirements | § 170.21(a)(2)(iii)
Closeout window | 180 days from your Conditional status date; miss it and the Conditional status expires | § 170.21
Level 1 | No POA&Ms — everything must be met | § 170.21

Read the math and the 88 threshold turns out to be tougher than “80% is a passing grade” sounds. To reach 88, every 3-point and 5-point requirement has to be fully met — those are the high-risk controls like multifactor authentication and FIPS-validated encryption. The only breathing room is a small handful of 1-point items. A POA&M is a short, disciplined finish line, not a “we’ll get to it” cushion.

One more distinction: the POA&M (the post-assessment list that governs your 180-day window) is not the same as the Operational Plan of Action (OPA) — the ongoing document that satisfies requirement CA.L2-3.12.2 between assessments. Different artifacts, different purposes. Conflating them is a common finding.
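To make the scoring and POA&M rules above concrete, here is an added worked example (written for this page, not code from the rule, DoD, or any assessment tool) that scores a constructed list of unmet requirements, applies the 88 threshold, the 1-point-only POA&M rule, the SC.L2-3.13.11 exception and the CA.L2-3.12.4 exclusion, and computes the 180-day closeout date. The point weights on the sample gaps are constructed for illustration; real weights come from the DoD Assessment Methodology table, and the never-deferrable set encodes only the item the page names.

```python
# Added worked example: Level 2 scoring and POA&M eligibility as described on
# this page. Not taken from 32 CFR Part 170 or the DoD Assessment Methodology text.
# Sample weights below are constructed; look real ones up in the Methodology table.
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110            # one point per requirement before deductions
MIN_SCORE = -203           # floor of the DoD Assessment Methodology scale
CONDITIONAL_MIN = 88       # 80% of 110, the Conditional Level 2 threshold
POAM_CLOSEOUT_DAYS = 180   # § 170.21 closeout window
FIPS_CRYPTO = "SC.L2-3.13.11"

# 1-point requirements that can never go on a POA&M. The page names only
# CA.L2-3.12.4 (the SSP); § 170.21(a)(2)(iii) lists several more, which you
# should add from the rule text before relying on this check.
NEVER_DEFERRABLE = frozenset({"CA.L2-3.12.4"})


@dataclass(frozen=True)
class Gap:
    """One unmet NIST SP 800-171 Rev. 2 requirement, in CMMC identifier form."""
    req_id: str
    weight: int                      # 1, 3 or 5 points (constructed in the samples)
    encryption_in_use: bool = False  # only consulted for SC.L2-3.13.11

    def __post_init__(self):
        if self.weight not in (1, 3, 5):
            raise ValueError(f"{self.req_id}: weight must be 1, 3 or 5")


def deduction(gap: Gap) -> int:
    """Points lost for one gap, applying the FIPS-crypto partial-credit rule."""
    if gap.req_id == FIPS_CRYPTO:
        # Encryption in place but not FIPS-validated costs 3; no encryption costs 5.
        return 3 if gap.encryption_in_use else 5
    return gap.weight


def poam_eligible(gap: Gap) -> bool:
    """Can this gap sit on a POA&M under a Conditional Level 2 status?"""
    if gap.req_id in NEVER_DEFERRABLE:
        return False
    if gap.req_id == FIPS_CRYPTO:
        return gap.encryption_in_use      # the one 3-point exception
    return deduction(gap) == 1            # otherwise 1-point items only


def sprs_score(gaps) -> int:
    """Start at 110 and subtract every deduction; result stays within -203..110."""
    score = MAX_SCORE - sum(deduction(g) for g in gaps)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError("more deductions than the 110-requirement scale allows")
    return score


def evaluate_level2(gaps) -> dict:
    """Return the status these gaps could produce and what blocks a Conditional."""
    score = sprs_score(gaps)
    blockers = sorted(g.req_id for g in gaps if not poam_eligible(g))
    if not gaps:
        status = "Final"
    elif score >= CONDITIONAL_MIN and not blockers:
        status = "Conditional"
    else:
        status = "Not met"
    poam = sorted(g.req_id for g in gaps) if status == "Conditional" else []
    return {"score": score, "status": status, "poam": poam,
            "blockers": blockers, "below_threshold": score < CONDITIONAL_MIN}


def poam_deadline(conditional_date: date) -> date:
    """Last day to close the POA&M before the Conditional status expires."""
    return conditional_date + timedelta(days=POAM_CLOSEOUT_DAYS)


# Constructed sample: two 1-point gaps plus non-FIPS encryption in use.
SAMPLE_GAPS = [
    Gap("AU.L2-3.3.3", 1),
    Gap("CM.L2-3.4.9", 1),
    Gap(FIPS_CRYPTO, 5, encryption_in_use=True),
]
SAMPLE_CONDITIONAL_DATE = date(2026, 3, 2)   # constructed status date

if __name__ == "__main__":
    print(evaluate_level2(SAMPLE_GAPS))      # score 105, Conditional, 3 POA&M items
    print("close out by", poam_deadline(SAMPLE_CONDITIONAL_DATE))  # 2026-08-29
    # A 5-point gap keeps the score above 88 yet still blocks Conditional status.
    print(evaluate_level2(SAMPLE_GAPS + [Gap("IA.L2-3.5.3", 5)])["status"])  # Not met
    # Twenty-three 1-point gaps are all eligible but land at 87, under the threshold.
    many = [Gap(f"PLACEHOLDER.L2-{i:02d}", 1) for i in range(23)]
    print(evaluate_level2(many)["status"], sprs_score(many))  # Not met 87
```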


Scoping, the cloud, your MSP, and your subcontractors

32 CFR Part 170 requires you to define your CMMC assessment scope before the assessment, and the rule applies to the contractor information systems used in performance that handle FCI or CUI — plus, for Level 2 and 3, assets that provide security protections for CUI systems or aren’t isolated from them. External service providers and cloud services can pull assets into scope, and a cloud service provider that handles CUI triggers FedRAMP requirements under DFARS 252.204-7012. (Source: 32 CFR § 170.19.)

Scope comes before tools — always

Scope is the most expensive thing to get wrong, and no purchase defines it for you. Your scope is built from your assets, data flows, users, systems, external providers, and — above all — where CUI actually lives and moves. Get the boundary right and you can dramatically shrink what you have to secure and prove. Get it wrong and you either over-spend protecting things that don’t need it or fail an assessment because something in scope was never documented.

Here’s how the Level 2 asset categories break down:

CMMC Level 2 asset categories and scoping guidance
Asset type | Why it matters for scope | What to verify
--- | --- | ---
CUI Assets | They process, store, or transmit CUI | Assessed against the applicable requirements — this is your core boundary
Security Protection Assets | They provide security functions to your in-scope environment (e.g., SIEM, firewalls, VPN, identity, MDM) | In scope and assessed for the protections they provide, even if they don't touch CUI
Contractor Risk Managed Assets | They can but aren't intended to handle CUI, and you manage them under your policies | Document them in the SSP; managing them well keeps them from expanding your full-assessment footprint
Specialized Assets | They can handle FCI/CUI but can't be fully secured — IoT, IIoT, OT, GFE, restricted systems, test equipment | Document and manage per the rule; assessed differently than standard endpoints
Out-of-Scope Assets | They don't handle CUI and provide no security protection to in-scope assets | You must be able to show they're truly isolated and out
External Service Provider (ESP) | An outside firm providing IT or security services | Can be pulled into scope if it provides security protections for your assessed environment
Cloud Service Provider (CSP) | A cloud platform in your environment | If it processes, stores, or transmits CUI, FedRAMP requirements apply under DFARS 252.204-7012

Source: 32 CFR § 170.19. “We use GCC High” or “we bought an enclave” is a good start — it is not, by itself, a finished scoping answer.

Do not submit CUI, drawings, export-controlled technical data, contract attachments, or sensitive customer information into any web form on this site, including our matching tool. Use general descriptors only.

Flow-down: what primes and subs each owe

32 CFR Part 170 pushes CMMC requirements down the supply chain, and DFARS 252.204-7021 requires a contractor to flow down the substance of the clause and verify a subcontractor’s status before subcontract award — except for subcontracts solely for COTS items. (Sources: DFARS 252.204-7021, 32 CFR § 170.23.)

If you’re a prime, your job is to identify which subs will actually touch FCI or CUI, flow down the correct level, and verify their status before award. The trap here is over-flowing — demanding Level 2 from a supplier who never touches CUI. If you’re a subcontractor, don’t accept a blanket demand at face value. Ask the prime: What CMMC level and data type is this tied to? Is it driven by an actual solicitation or contract, or internal policy? And do my own systems process, store, or transmit the FCI or CUI in question? The answers decide what you actually owe.

For the full supply-chain breakdown, see our CMMC flow-down requirements guide.


Common myths about 32 CFR Part 170 — and what the rule actually says

Because CMMC evolved from a 2020-era model into a 2024 Final Rule, a surprising amount of published content carries outdated or simply incorrect facts — wrong effective dates, the retired “17-control” figure for Level 1, and Revision 2 versus Revision 3 mix-ups. Every correction below is checked against the rule itself.

Common myths about 32 CFR Part 170 CMMC versus what the rule actually says
What you’ll often see | What the rule actually says | Source
--- | --- | ---
"Published December 2023" or "effective when published in October 2024" | Published Oct 15, 2024 at 89 FR 83092; effective December 16, 2024 — 60 days later, not on the publication date | 89 FR 83092
"CMMC Level 1 = 17 requirements" | Level 1 = 15 requirements, FAR 52.204-21(b)(1)(i)–(xv). '17' traces to CMMC 1.0 and to the 15-to-17 NIST crosswalk | 32 CFR § 170.14(c)(2)
"CMMC uses NIST SP 800-171 Rev. 3" | CMMC Level 2 currently maps to Rev. 2; Rev. 3 is not a CMMC requirement unless DoD amends the rule | NIST CSRC; § 170.14
"DFARS 252.204-7021 is the only CMMC clause" | The DFARS rule uses two: -7025 (solicitation notice) and -7021 (contract obligation) | Acquisition.gov
"You still post a 7019 self-assessment score to SPRS" | As of Feb 1, 2026, DFARS 7019 was eliminated and 7020 renumbered to 252.240-7997; the basic self-assessment upload requirement was removed | DoD class deviations, Feb 2026
"32 CFR Part 170 puts CMMC in my contract" | No — the rule is the program; the DFARS clause puts it in contracts, on a phased schedule | § 170.3
"A POA&M lets you defer almost anything" | POA&Ms are narrow: 1-point items only (one crypto exception), an 88 minimum, several items never eligible, 180-day closeout | § 170.21

The state of the CMMC ecosystem right now

DoD’s rulemaking estimated that 8,350 medium and large entities would need Level 2 certification assessments, out of a broader population estimated at roughly 80,000 organizations handling CUI. As of early-to-mid 2026, publicly reported figures put the number of authorized C3PAOs and the number of certified organizations far below that demand — which is why the bottleneck most contractors underestimate is their own readiness plus C3PAO scheduling. (Primary figure: 89 FR 83092.)

The takeaway isn’t panic; it’s sequencing. With certification lagging demand and third-party assessments becoming a condition of award in Phase 2, the firms that book their readiness work now — and their assessment slot early — are the ones who won’t be scrambling when a Level 2 (C3PAO) requirement lands in a solicitation they want to win.


What to do the moment you see “32 CFR Part 170” or CMMC in a solicitation

Don’t start by buying software or scheduling an assessment. Start by extracting the required CMMC level from the document, confirming whether you handle FCI or CUI, mapping the systems in scope, checking your SPRS status and affirmation, and only then choosing the right provider category for readiness, implementation, evidence, or assessment. (Source: DFARS 252.204-7021.)

10-step order of operations when CMMC appears in a solicitation
Step | Do this | Why it matters
--- | --- | ---
1 | Find the DFARS 252.204-7025 or 252.204-7021 language | Confirms CMMC is actually entering your solicitation or contract
2 | Identify the required CMMC level | Level 1, Level 2 Self, Level 2 C3PAO, and Level 3 are four different paths
3 | Confirm FCI vs CUI | FCI-only and CUI environments carry very different requirements
4 | Identify the systems used in performance | Scope covers systems that handle FCI/CUI, plus assets that protect them
5 | Check the assessment type | Don't confuse Level 2 Self with Level 2 (C3PAO)
6 | Review your SPRS entries | Check your CMMC status, CMMC UID, and annual affirmation — different DFARS provisions govern these, and they can affect eligibility
7 | Define scope before requesting quotes | A bad scope produces bad quotes and bad assessments
8 | Choose the provider category | RPO/RP, MSSP, GRC, CUI enclave, or C3PAO — depending on your stage
9 | Keep CUI out of any intake form | Use general descriptors only
10 | Confirm legal and contractual applicability | Use a CMMC Registered Practitioner or a federal-contracts attorney where the stakes warrant

The 32 CFR Part 170 Contractor Action Map

This asset translates each key part of the rule into the one thing a contractor should verify, the misread to avoid, and the next move — with the primary source for each row. Note that it routes you to a provider category, never a named vendor, and is not a score, a ranking, or compliance advice.

32 CFR Part 170 Contractor Action Map — what each rule section establishes, what to verify, what it does not mean, and your next move
Rule / authority | What it establishes | What you should verify | What it does not mean | Your next move
--- | --- | --- | --- | ---
32 CFR Part 170 (overall) | The CMMC Program Rule for systems handling FCI/CUI | Whether your work involves FCI/CUI on your systems | It doesn't itself insert CMMC into your contract | Read the solicitation/flow-down; find the DFARS language
§ 170.3 — Applicability | Which awards the program covers, with phase-in, waiver, and COTS exceptions | Whether the requirement is phased, waived, or COTS-only | Not every contractor gets the same level | Confirm data type and clause language
§ 170.14 — Model & levels | Level 1/2/3 requirement sources | Whether you face FCI, CUI, or high-sensitivity CUI | It doesn't make Rev. 3 the current Level 2 baseline | Map the named level to the right standard
§ 170.15 — Level 1 | Annual self-assessment + affirmation for FCI | Whether the requirement is FCI-only, Level 1 (Self) | It doesn't allow Level 1 POA&Ms | Prepare the self-assessment and SPRS affirmation
§ 170.16 — Level 2 (Self) | Triennial self-assessment + annual affirmation | Whether the solicitation permits self-assessment | It isn't the same as C3PAO certification | Build evidence to NIST SP 800-171A objectives
§ 170.17 — Level 2 (C3PAO) | Certification by an authorized C3PAO | Whether the contract requires Level 2 (C3PAO) | The C3PAO can't also do your remediation | Separate readiness help from the assessment
§ 170.18 — Level 3 | DIBCAC assessment, Level 2 prerequisite | Whether DoD designated Level 3 for the contract | It doesn't apply to ordinary CUI by default | Confirm the designation with your program office
§ 170.19 — Scoping | How assessment scope is defined | Which assets, ESPs, CSPs, and CUI flows are in scope | Buying a tool doesn't define your scope | Document scope before any provider quote
§ 170.21 — POA&M | Conditional status and 180-day closeout | Which gaps are actually POA&M-eligible | It doesn't allow unlimited deferral | Identify must-close items before the assessment
§ 170.22 — Affirmation | Annual affirmation by an affirming official | Who will affirm, and when it expires | It's not a one-time checkbox | Put the annual affirmation on the calendar in SPRS
§ 170.23 — Subcontractors | Flow-down through all tiers | Which subs process/store/transmit FCI/CUI | It doesn't apply to subs with no FCI/CUI | Flow down the correct level; verify status pre-award
§ 170.24 — Scoring | The DoD Assessment Methodology | Your SPRS score and the 88 threshold | 80% isn't a soft pass; high-value controls must be met | Score honestly before you commit to a date
DFARS 252.204-7025 / -7021 | Solicitation notice and contract obligation | Required level, CMMC UID, SPRS status, affirmation, flow-down | It isn't the same thing as 32 CFR Part 170 | Treat the contract language as your trigger
NIST SP 800-171 Rev. 2 | The 110 Level 2 requirements | Your implementation across 14 families | It isn't Rev. 3 for CMMC purposes | Gap-assess against the 320 objectives
NIST SP 800-172 | The 24 selected Level 3 requirements | Whether Level 3 applies to you at all | It isn't a default for CUI | Confirm designation before investing

Turn the rule into your next CMMC move

You now know the level language to look for, the assessment types, and the sequence. If you want a shortcut to the category that fits your situation, tell us your level, whether you handle FCI or CUI, your assessment type, your environment, and your timeline. We’ll help you identify whether the next conversation is readiness, managed security, GRC and evidence workflow, CUI enclave strategy, or a C3PAO assessment — and route you to source-checked provider options.


What we verified for this page

We wrote this from primary and official sources, not vendor marketing. We read the current 32 CFR Part 170 rule text on the eCFR, confirmed the Federal Register citation and effective date, checked the DFARS clause language and phase dates on Acquisition.gov, verified the NIST version mapping against NIST’s own catalog, and confirmed the February 2026 clause changes against DoD class-deviation guidance.


Frequently asked questions about 32 CFR Part 170 CMMC

Most confusion about 32 CFR Part 170 comes from bundling separate things — the program rule, the DFARS clauses, the NIST standard, your assessment status, and your SPRS affirmation — into one pile. These answers pull them apart.

Is 32 CFR Part 170 the CMMC Final Rule?

Yes. 32 CFR Part 170 is the CMMC Program Rule. It establishes the program’s structure — levels, assessment types, scoping, POA&M limits, affirmation, and flow-down — for contractor systems that process, store, or transmit FCI or CUI. It was published October 15, 2024 and became effective December 16, 2024.

Is 32 CFR Part 170 the same as DFARS 252.204-7021?

No. 32 CFR Part 170 defines the CMMC program. DFARS 252.204-7021 is the contract clause that requires a contractor to have and maintain the current CMMC status for covered systems when the clause is in the contract. The rule is the program; the clause is the contractual trigger.

Is CMMC Level 2 based on NIST SP 800-171 Rev. 2 or Rev. 3?

CMMC Level 2 currently maps to NIST SP 800-171 Revision 2 under 32 CFR Part 170. Revision 3 is not the controlling Level 2 baseline unless and until DoD amends the CMMC rule to adopt it.

Does every Level 2 contract require a C3PAO?

No. 32 CFR Part 170 provides both a Level 2 (Self) path and a Level 2 (C3PAO) path. The required assessment type depends on the solicitation, the contract, the DoD implementation phase, and the program office’s decision.

How many requirements are in CMMC Level 1 — 15 or 17?

Fifteen. CMMC Level 1 uses the 15 basic safeguarding requirements in FAR 52.204-21(b)(1)(i) through (xv). The figure “17” traces to the retired CMMC 1.0 model and to crosswalks that map those 15 requirements to 17 NIST SP 800-171 requirements — but the Level 1 count under the rule is 15.

What happened to DFARS 252.204-7019 and 7020?

As of February 1, 2026, DoD class deviations under the Revolutionary FAR Overhaul eliminated DFARS 252.204-7019 and renumbered 252.204-7020 to 252.240-7997, removing the old “basic self-assessment” SPRS-upload requirement. DFARS 252.204-7012 and the CMMC clauses (7021 and 7025) were not changed. Because these were class deviations rather than rulemaking, the codified text still shows the old clause numbers.

Can I use a POA&M for CMMC?

Not for Level 1. For Level 2 and Level 3, POA&Ms are permitted only in narrow circumstances: generally 1-point items, a minimum score of 88 for Level 2, several requirements that can never be deferred, and a firm 180-day closeout window.
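To make the scoring row above and this POA&M answer concrete, here is an added readiness check (not from the page, the DoD Assessment Methodology tooling, or any official source) that computes an SPRS-style score for a list of unmet Level 2 requirements and decides whether conditional status with a POA&M is even on the table. It assumes the caller supplies each requirement's 1-, 3- or 5-point value from the DoD Assessment Methodology, uses constructed requirement labels rather than real identifiers, and leaves the never-deferrable set as a placeholder to be filled from 32 CFR 170.21.

```python
"""Conditional-status check for CMMC Level 2 POA&M rules (added example).

Assumptions, labelled here and in the lead-in:
- point values per requirement are caller-supplied (DoD Assessment Methodology);
- requirement labels below are constructed samples, not real 800-171 IDs;
- NEVER_DEFERRABLE is a placeholder; fill it from 32 CFR 170.21.
"""
from datetime import date, timedelta

MAX_SCORE = 110        # 110 Level 2 requirements; a perfect score is 110
MIN_CONDITIONAL = 88   # minimum score for conditional Level 2 status
CLOSEOUT_DAYS = 180    # firm POA&M closeout window

# PLACEHOLDER: requirements the rule never allows on a POA&M (see 170.21).
NEVER_DEFERRABLE = frozenset({"EXAMPLE.NEVER-DEFER"})


def sprs_score(unmet: dict[str, int]) -> int:
    """Score = 110 minus the point value of every unmet requirement."""
    return MAX_SCORE - sum(unmet.values())


def poam_eligibility(unmet: dict[str, int], assessment_date: date):
    """Return (eligible, reasons, closeout_deadline).

    Eligible only when the score is at least 88, every open item is a
    1-point requirement, and none is on the never-deferrable list.
    """
    reasons = []
    score = sprs_score(unmet)
    if score < MIN_CONDITIONAL:
        reasons.append(f"score {score} is below {MIN_CONDITIONAL}")
    for req, points in sorted(unmet.items()):
        if points != 1:
            reasons.append(f"{req} is a {points}-point item; must be met, not deferred")
        elif req in NEVER_DEFERRABLE:
            reasons.append(f"{req} can never be placed on a POA&M")
    deadline = assessment_date + timedelta(days=CLOSEOUT_DAYS)
    return (not reasons, reasons, deadline)


if __name__ == "__main__":
    # Constructed sample: two open 1-point items after a 15 Jan 2026 assessment.
    ok, why, due = poam_eligibility({"REQ-01": 1, "REQ-02": 1}, date(2026, 1, 15))
    print(f"eligible={ok} reasons={why} closeout_by={due}")
```

Run it against your own gap list with the real point values, and treat any reason it prints as a must-close item before you book an assessment date.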

What is a CMMC UID?

A CMMC Unique Identifier (CMMC UID) is a 10-character alphanumeric code reflected in the Supplier Performance Risk System (SPRS) for each assessed contractor information system. Under DFARS 252.204-7021, contractors provide the CMMC UIDs for the systems used in performance of a contract.

Does CMMC apply to subcontractors?

Yes, when subcontractors process, store, or transmit FCI or CUI and the requirement is flowed down. DFARS 252.204-7021 requires primes to flow down the substance of the clause and verify appropriate subcontractor status before award — except for subcontracts solely for COTS items.

When is CMMC actually required in my contract?

CMMC becomes a contract requirement when a DFARS clause (252.204-7025 in the solicitation, 252.204-7021 in the contract) is included, which DoD began doing on November 10, 2025 under a four-phase schedule. Level 2 (C3PAO) assessments start becoming a condition of award in Phase 2, on November 10, 2026.

How much does CMMC cost?

It varies widely by level, scope, and starting maturity, so treat any single number with caution. Level 2 C3PAO assessment fees alone have been publicly reported across a broad range — commonly tens of thousands of dollars, often cited from roughly $40,000 into the six figures for larger or multi-site environments — and that’s separate from the readiness and remediation work that usually costs more. For a scoped picture, price the readiness path and the assessment as two distinct line items.

Should I contact a C3PAO first?

Only if you’re genuinely assessment-ready or your immediate need is scheduling a formal assessment. If you’re still defining scope, writing your SSP, building evidence, or drawing your CUI boundary, readiness or implementation help is usually the better first step — and conflict-of-interest rules keep those roles separate from the assessment anyway.



Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This page is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before you act.