The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability for your contract with a CMMC Registered Practitioner / Registered Provider Organization (RP/RPO) or a qualified federal-contracts attorney.
48 CFR CMMC Final Rule: What DFARS 252.204-7021 and 252.204-7025 Mean for Your Contracts
The 48 CFR CMMC final rule is the Department of Defense acquisition rule that turned the Cybersecurity Maturity Model Certification (CMMC) from a program on paper into a hard condition of award for the DoD contracts it applies to. It was published in the Federal Register on September 10, 2025 — 90 FR 43560, pages 43560–43577 — and took effect November 10, 2025.
What the rule requires of you comes down to one thing: the CMMC level and assessment type written into your specific contract. And here is the wrinkle most articles published in 2025 miss — on February 1, 2026, a separate federal overhaul quietly renumbered several of the clauses sitting right next to CMMC. We read the rule, the clause text on Acquisition.gov, and the Department of Defense deviation memos so you can see exactly what is current, what changed, and what to do about it.
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
Who this page is for: primes, subcontractors, and the people who own the decision — CISOs, IT directors, FSOs, compliance managers, contracts officers, and small-business owners — who just saw CMMC show up in a solicitation, a contract mod, or a prime’s flow-down notice and need to know what it actually requires.
Who this page is not for: anyone looking for a “CMMC in five minutes” explainer or a ranked list of “best” providers. This is the contract-rule page. It tells you what changed, what can block an award, and how to figure out your path before you spend money.
The bottom line, in one screen
| Your question | The direct answer |
|---|---|
| Is the 48 CFR CMMC final rule actually final? | Yes. DoD issued the final DFARS rule on September 10, 2025, effective November 10, 2025. |
| Is it the same thing as “the CMMC Final Rule” from 2024? | No. That was 32 CFR Part 170 (the program rule). This is the 48 CFR DFARS rule that puts CMMC into contracts. Two rules, two jobs. |
| Which clauses matter most? | DFARS 252.204-7025 in the solicitation (states your required level) and DFARS 252.204-7021 in the contract (your compliance obligation). |
| What can block an award? | Not having a current CMMC status in SPRS at the required level — plus a current affirmation of continuous compliance — when the solicitation requires them. |
| Does everyone now need a third-party assessment? | No. Level 1, Level 2 self-assessment, Level 2 third-party (C3PAO), and Level 3 are four different paths. The clause sets which one. |
| Is Level 2 based on NIST 800-171 Revision 3? | No — not for CMMC. CMMC Level 2 currently maps to NIST SP 800-171 Revision 2 (110 requirements, 14 families). |
| Are contracts solely for off-the-shelf products excluded? | Yes. Acquisitions exclusively for commercially available off-the-shelf (COTS) items are excluded. |
| Did anything change in 2026? | Yes. On February 1, 2026, the Revolutionary FAR Overhaul eliminated one nearby clause and renumbered another. The CMMC clauses themselves (7021, 7025) did not change. |
The one honest caveat before you read further
Here is the thing no vendor wants to lead with: the 48 CFR rule will not tell you which provider to hire — and, by itself, it will not even tell you which CMMC level you need. Your required level and assessment type come from the fill-in block in your solicitation and from whether you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). That is actually good news. It means the correct first move is almost never “panic and book a third-party assessment.” It is to understand your clause, scope your environment, and match the gap to a category.
Start with your clause, not a sales call.
Use The Defense Compliance Report’s Find My CMMC Path tool to map your required level, FCI/CUI scope, assessment type, environment, and timeline to the right provider category — before you request a single quote.
The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.
What is the 48 CFR CMMC final rule?
The 48 CFR CMMC final rule is DoD’s final DFARS acquisition rule for incorporating CMMC into defense solicitations and contracts. The separate 32 CFR Part 170 rule established the CMMC Program — the levels, the assessments, the scoping rules. The 48 CFR rule tells contracting officers when and how to actually put CMMC into a contract. That distinction is not academic: you do not lose award eligibility because of a blog post or a checklist. You are exposed when the clause and your status don’t match.
“48 CFR” is simply Title 48 of the Code of Federal Regulations — the Federal Acquisition Regulation (FAR) system. DFARS is DoD’s supplement to it. So when someone says “the 48 CFR CMMC rule,” they mean the contracting side of CMMC, not the program side. The rule amends four parts of the DFARS: Part 204 (administrative and cybersecurity procedures), Part 212 (commercial products and services), Part 217 (special contracting methods), and Part 252 (the solicitation provisions and contract clauses).
What we verified in the rule record:
- Federal Register document: 2025-17359
- Citation: 90 FR 43560 (pages 43560–43577, 18 pages)
- DFARS Case: 2019-D041 (RIN 0750-AK81; Docket DARS-2020-0034)
- CFR parts amended: 48 CFR 204, 212, 217, 252
- Effective date: November 10, 2025
We read the final rule text on the Federal Register and the codified DFARS at 48 CFR Subpart 204.75 on July 1, 2026.
One precision point worth getting right: this rule was issued by the Department of Defense. You may see “Department of War” used in some 2025–2026 materials, but the FAR and DFARS — the regulations that actually govern your contract — still use “DoD,” and that is what we use here.
48 CFR vs. 32 CFR: the two CMMC rules, side by side
This single table clears up more confusion than anything else on the page. If you only remember one thing: 32 CFR is the program; 48 CFR is the contract hook.
| | 32 CFR Part 170 — the Program Rule | 48 CFR — the Acquisition (DFARS) Rule |
|---|---|---|
| Its job | Establishes the CMMC Program: levels, assessment types, scoping, affirmations, the assessor ecosystem, and the phased-implementation schedule | Puts CMMC into contracts: adds the clause + provision, tells contracting officers how to require a level, and conditions award on SPRS status |
| Common names | "Program Rule" | "Acquisition Rule," "DFARS Rule," "Procurement Rule" |
| Where it lives | Title 32, Part 170 | Title 48 — DFARS Parts 204, 212, 217, 252 (new Subpart 204.75) |
| Federal Register | 89 FR 83092 | 90 FR 43560 (doc 2025-17359) |
| Published | October 15, 2024 | September 10, 2025 |
| Effective | December 16, 2024 | November 10, 2025 |
| Can it put CMMC in your contract by itself? | No — it defines the program; it doesn't insert CMMC into a contract | Yes — it adds the DFARS clause and provision that make CMMC an award and performance condition when included |
When did the 48 CFR CMMC rule take effect, and what phase are we in?
The 48 CFR CMMC final rule took effect November 10, 2025 — 60 days after publication, under 41 U.S.C. § 1707. That same date started Phase 1 of the four-phase rollout defined in 32 CFR § 170.3(e). As of July 2026, we are in Phase 1, which runs through November 9, 2026.
The four phases each begin one calendar year after the last. DoD deliberately staged it so the assessment ecosystem — and contractors — could catch up. Here is the full chronology, including the 2026 clause overhaul that most timelines skip:
| Date | Milestone | Source |
|---|---|---|
| Dec 26, 2023 | 32 CFR CMMC proposed rule | 88 FR 89058 |
| Aug 15, 2024 | 48 CFR CMMC proposed rule (DFARS Case 2019-D041) | 89 FR 66327 |
| Oct 15, 2024 | 32 CFR CMMC final rule published | 89 FR 83092 |
| Dec 16, 2024 | 32 CFR program rule effective — the CMMC Program exists | 32 CFR Part 170 |
| Jul 22, 2025 | DoD sends the 48 CFR final rule to OIRA/OMB for review | OMB/OIRA docket |
| Aug 25, 2025 | 48 CFR final rule clears regulatory review | OIRA |
| Sep 10, 2025 | 48 CFR CMMC final rule published | 90 FR 43560 (doc 2025-17359) |
| Nov 10, 2025 | 48 CFR rule effective; CMMC Phase 1 begins | 90 FR 43560; 32 CFR § 170.3(e) |
| Feb 1, 2026 | Revolutionary FAR Overhaul deviations effective — DFARS 7019 eliminated; 7020 renumbered to 252.240-7997 | DoD DFARS RFO class-deviation page |
| Nov 10, 2026 | Phase 2 begins — Level 2 (C3PAO) requirements widen | 32 CFR § 170.3(e) |
| Nov 10, 2027 | Phase 3 begins — Level 3 (DIBCAC) requirements added | 32 CFR § 170.3(e) |
| Nov 10, 2028 | Phase 4 — full implementation | 32 CFR § 170.3(e) |
Here is how the phases translate into what actually shows up in solicitations:
| Phase | Starts | What gets required (in applicable, non-COTS contracts) | Assessment type |
|---|---|---|---|
| Phase 1 (current) | Nov 10, 2025 | Level 1 (Self) or Level 2 (Self); DoD may, at its discretion, require Level 2 (C3PAO) | Self-assessment; C3PAO at DoD discretion |
| Phase 2 | Nov 10, 2026 | Adds Level 2 (C3PAO); DoD may, at its discretion, require Level 3 (DIBCAC) | Third-party (C3PAO) |
| Phase 3 | Nov 10, 2027 | Adds Level 3 (DIBCAC) as a condition of award | Government (DIBCAC) |
| Phase 4 | Nov 10, 2028 | Full implementation across all applicable solicitations and contracts, including option periods | All levels |
A word of caution on “effective date.” The effective date tells you when the acquisition rule can operate. It does not tell you your obligation. Even in Phase 1, primes can flow CMMC-related requirements down through subcontract terms — and many already have — and a contracting officer can require a higher assessment type when the program office decides the risk warrants it. Read the solicitation. The clause governs, not the calendar.
What changed from the proposed rule to the final rule?
If you have older notes or a saved PDF, they may describe the proposed 48 CFR rule from August 15, 2024 (89 FR 66327). A few things moved between proposed and final:
- The final rule updated and codified the definitions at DFARS 204.7501 to align with 32 CFR Part 170, and placed them in the 252.204-7021 clause and the 252.204-7025 provision.
- It renamed the "DoD unique identifier" to the CMMC unique identifier (CMMC UID) to match SPRS.
- It removed certain proposed notification requirements (such as separately reporting compliance lapses to the contracting officer), relying instead on the 7012 incident-reporting clause and the annual affirmation.
- It confirmed that subcontractors also submit affirmations and self-assessment results in SPRS, and that primes cannot view a subcontractor's SPRS record.
Which DFARS clauses should you look for?
The two CMMC-specific instruments are DFARS 252.204-7025 (the solicitation provision) and DFARS 252.204-7021 (the contract clause). The provision is where the contracting officer writes in your required CMMC level and where you supply your CMMC unique identifiers; the clause governs your compliance, affirmation, and flow-down obligations during performance. You also need to know how three older clauses — 7012, 7019, and 7020 — fit around them, because two of those changed in 2026.
Read your solicitation for these. This is your clause map, with current status as of July 1, 2026.
| Clause / provision | Type | What it does | Status (Jul 1, 2026) |
|---|---|---|---|
| DFARS 252.204-7021 | Contract clause (NOV 2025) | Contractor Compliance With the CMMC Level Requirements. Your performance obligation: maintain a current CMMC status, submit the annual affirmation and CMMC UID in SPRS, and flow the correct level down to subcontractors. | Active — unchanged by the 2026 overhaul |
| DFARS 252.204-7025 | Solicitation provision (NOV 2025) | Notice of CMMC Level Requirements. The fill-in block where the contracting officer states the required level (Level 1 Self / Level 2 Self / Level 2 C3PAO / Level 3 DIBCAC) and where you provide CMMC UIDs. | Active — unchanged by the 2026 overhaul |
| DFARS 252.204-7012 | Contract clause (MAY 2024) | Safeguarding Covered Defense Information and Cyber Incident Reporting. Implement NIST SP 800-171 for covered defense information and report cyber incidents within 72 hours. Predates CMMC and still applies. | Active |
| DFARS 252.204-7019 | Solicitation provision | Notice of NIST SP 800-171 DoD Assessment Requirements. Formerly required a "Basic" self-assessment score in SPRS. | Eliminated — Feb 1, 2026 |
| DFARS 252.204-7020 | Contract clause | NIST SP 800-171 DoD Assessment Requirements. DoD's authority to conduct Medium/High assessments. | Renumbered to DFARS 252.240-7997 — Feb 1, 2026; "Basic" references removed |
| FAR 52.204-21 | Contract clause (FAR) | Basic Safeguarding of Covered Contractor Information Systems — the 15 basic safeguards that form the FCI baseline behind CMMC Level 1. | Renumbered to FAR 52.240-93 under the overhaul deviation; same 15 requirements still define Level 1 |
How to read the 7025 fill-in. When you open a solicitation with a CMMC requirement, the 252.204-7025 provision tells you four things: the required CMMC level, the assessment type (self, C3PAO, or DIBCAC), that you must have a current status and current affirmation in SPRS before award, and that you must provide your CMMC UID(s) for each information system that will process, store, or transmit FCI or CUI. Do not self-select a level from a generic checklist — the fill-in and the acquisition documentation control.
For a full explanation of each clause and its current text, see our dedicated guides: DFARS 252.204-7021 explained, DFARS 252.204-7025 explained, DFARS 252.204-7012 explained, and DFARS 7019 and 7020 after the 2026 overhaul.
Map your clause to a path.
Tell us your level, scope, assessment type, environment, and timeline in Find My CMMC Path, and we will point you to the source-checked provider category that fits — before you request quotes.
What changed on February 1, 2026 (the FAR Overhaul)?
On February 1, 2026, the Revolutionary FAR Overhaul (RFO) took effect through Department of Defense class deviations and renumbered several clauses around CMMC. Under DoD Class Deviation 2026-O0025 (Revolutionary FAR Overhaul Part 40 / new DFARS Part 240), DFARS 252.240-7997 now carries the NIST SP 800-171 DoD Assessment Requirements clause, DFARS 252.204-7019 was eliminated, and “Basic” assessments were removed so only government-led Medium and High assessments remain. Critically, the CMMC clauses themselves — 252.204-7021 and 252.204-7025 — were not changed, and DFARS 252.204-7012 remains fully in force.
We flag this because it is the single most common way a competing page is now out of date. Many of the top results for “48 CFR CMMC final rule” were written between September and November 2025 and still list 7019 and 7020 as active clauses. As of February 1, 2026, that is no longer accurate. Here is what actually happened — and, just as important, what did not.
What was eliminated (7019) and what moved (7020 → 240-7997). DFARS 7019 was the provision that required contractors to post a “Basic” NIST SP 800-171 self-assessment score in SPRS. Under the RFO Part 40 / DFARS Part 240 deviation text, that older standalone Basic-assessment mechanism is not carried forward in the same 7019/7020 form. DFARS 7020 — DoD’s authority to run Medium and High assessments — moved to the new DFARS Part 240 and is now numbered 252.240-7997. For CMMC solicitations, the CMMC-specific status, CMMC UID, self-assessment-result, and affirmation obligations now sit in the 252.204-7025 provision and the 252.204-7021 clause.
What did not change — and why it matters more than the renumbering. Your underlying obligations are intact. If you handle CUI, you still implement all 110 NIST SP 800-171 Revision 2 requirements, still maintain a System Security Plan (SSP), still report cyber incidents within 72 hours under 7012, and still self-assess or obtain a C3PAO assessment as your contract specifies. The DoD did not weaken enforcement here. It removed a parallel, pre-CMMC self-attestation mechanism and elevated CMMC as the primary path.
Why you may see two clause numbers at once. The RFO changes were made through class deviations while the formal rulemaking catches up during 2026 — meaning the codified DFARS still shows 7021 and 7025 as the CMMC clauses, and you may see both the old and new numbers referenced in the same solicitation during the transition. The safe rule: match the clause number to the document in front of you, and confirm with your contracting officer if anything looks inconsistent.
What must be current in SPRS before award?
When the CMMC requirement applies, the Supplier Performance Risk System (SPRS) becomes the government’s verification point — and stale information there can quietly cost you an award. The final DFARS rule directs contracting officers to check SPRS for a current CMMC status and current affirmation at the required level before award, and again before exercising an option period or extending performance where a CMMC requirement applies. “We were fine at original award” is not a defense if your status or affirmation has since lapsed.
Here is what needs to be in order:
| Item | Who needs to care | What to verify |
|---|---|---|
| Current CMMC status | Any contractor with a CMMC requirement | The required level and status are current in SPRS. |
| Annual affirmation | All levels where required | The affirming official has submitted a current affirmation of continuous compliance. |
| CMMC UID | Contractors with in-scope systems | A UID exists and maps to each system used for FCI/CUI. |
| Self-assessment result | Level 1 and Level 2 (Self) | The result is submitted to SPRS as required. |
| Conditional POA&M closeout | Level 2/3 conditional status | Closeout happens inside the 180-day window. |
| CAGE / entity alignment | Multi-entity or multi-system contractors | Scope and CAGE information match the systems used in performance. |
One nuance people miss: SPRS stores assessment and scoring information — assessment date, score, scope, CAGE code, SSP name, confidence level — but you do not perform the assessment inside SPRS. Here is the regulation-stated obligation versus where you actually confirm it:
| What the rule requires | Where you confirm it, operationally |
|---|---|
| Current CMMC status at the required level | SPRS, accessed through PIEE (piee.eb.mil) |
| Annual affirmation of continuous compliance | SPRS, submitted by your affirming official |
| CMMC UID for each in-scope system | The SPRS record for each information system |
| Self-assessment result (Level 1 / Level 2 Self) | Posted by you in SPRS |
| Level 2 (C3PAO) / Level 3 (DIBCAC) results | Reach SPRS through the government assessment pathway (e.g., eMASS) — not posted by you |
Getting that last row wrong is how contractors assume they are “in SPRS” when the required result is not actually there.
Before you bid, make sure your SPRS record backs you up.
If your solicitation carries the 252.204-7025 provision, map your required level, CMMC UID and affirmation status, and award deadline to your next step with Find My CMMC Path.
How do Level 1, Level 2 (Self), Level 2 (C3PAO), and Level 3 differ?
The 48 CFR rule does not collapse CMMC into one universal certificate — there are four distinct paths, and your clause picks one. Level 1 covers FCI and 15 basic safeguards. Level 2 maps to the 110 NIST SP 800-171 Revision 2 requirements across 14 control families, either self-assessed or assessed by a C3PAO depending on the contract. Level 3 adds a selected subset of NIST SP 800-172 enhanced requirements and is assessed by the government. Treating these as interchangeable is the fastest way to over-buy or under-prepare.
| CMMC path | Info type | Requirements | Assessor | Frequency | Affirmation | POA&M / conditional |
|---|---|---|---|---|---|---|
| Level 1 | FCI | 15 basic safeguards (FAR 52.204-21) | Self | Annual | Annual | No POA&Ms — Level 1 must be Final |
| Level 2 (Self) | CUI, where self-assessment is specified | 110 NIST SP 800-171 Rev. 2 requirements (14 families) | Self | Every 3 years | Annual | Conditional status possible under POA&M rules, with a closeout window |
| Level 2 (C3PAO) | CUI, where third-party assessment is specified | 110 NIST SP 800-171 Rev. 2 requirements (14 families) | Certified Third-Party Assessment Organization (C3PAO) | Every 3 years | Annual | Conditional status possible under POA&M rules, with a closeout window |
| Level 3 | Most sensitive CUI / higher-risk programs | Selected NIST SP 800-172 requirements (24 for CMMC), plus a Final Level 2 (C3PAO) prerequisite | DCMA DIBCAC | Every 3 years | Annual | Conditional status possible under POA&M rules, with a closeout window |
Do not substitute Revision 3. CMMC Level 2 currently maps to NIST SP 800-171 Revision 2, not Revision 3. Here is the wrinkle: DFARS 252.204-7012 points to the NIST SP 800-171 version in effect when a solicitation is issued, and the current published version is Revision 3 — but CMMC Level 2 under 32 CFR Part 170 is tied to Revision 2. DoD resolved that mismatch with Class Deviation 2024-O0013 (May 2024), which directs contractors to implement Revision 2 (not Revision 3) when 7012 appears in a contract. Bottom line: do not treat Revision 3 as the CMMC Level 2 baseline unless DoD amends the CMMC rule or your contract says otherwise.
For the full comparison of self-assessment vs. third-party paths, see our CMMC self-assessment vs. C3PAO guide and CMMC levels overview.
Does the 48 CFR rule require a C3PAO assessment?
Not always — and for most contractors reading this, not first. A Certified Third-Party Assessment Organization (C3PAO) assessment is required when your contract specifies Level 2 (C3PAO) or when you are on the Level 3 path (which requires a Final Level 2 C3PAO certification before the DIBCAC assessment). It is not the right opening move for a company that has not yet scoped its CUI, written its SSP, closed its major gaps, or confirmed its SPRS and affirmation posture.
- When Level 2 (Self) may be enough: some CUI-handling contractors are permitted to self-assess when the contract specifies Level 2 (Self). You cannot self-select this path if the clause requires Level 2 (C3PAO) — the fill-in decides.
- When a C3PAO is the wrong first hire: if your evidence is not assessment-ready, booking a scarce C3PAO slot early usually means paying for readiness twice. In DoD’s own framing, the assessment verifies what you have already implemented — it is not where implementation happens. The sequence that saves money is readiness first, assessment when ready, and the two kept appropriately separate: a C3PAO must manage strict conflict-of-interest and impartiality requirements for Level 2 certification assessments, so the firm that remediates your environment generally cannot also serve as your C3PAO for that same engagement.
Figure out whether you need readiness help or an assessment — before you book either.
Find My CMMC Path maps your required level, assessment type, CUI scope, current environment, and timeline to the provider category that actually fits your stage.
Prefer to move at your own pace first? Start with our CMMC Readiness Checklist.
The DCR 48 CFR Award-Eligibility Action Matrix
This is the asset we built because no single competing page had it: a map from each rule and clause to the trigger, the evidence you need, what can block or slow your award, and the provider category that usually comes first. We assembled it by reading the Federal Register final rule, cross-checking 32 CFR Part 170, and confirming the current clause text on Acquisition.gov.
| Rule / clause | What it controls | Trigger | Evidence or status needed | What can block or slow award | Provider category usually needed first |
|---|---|---|---|---|---|
| 48 CFR 204.7502 (policy) | Award eligibility | Solicitation or award carries a CMMC requirement | Current CMMC status at the required level + current affirmation | No award without required current status; Level 1 must be Final; Level 2/3 conditional limited to 180 days | Clause interpretation + readiness triage (RP/RPO) |
| 48 CFR 204.7503 (procedures) | Contracting-officer checks | Award, option exercise, extension, or a new UID | CO checks SPRS for status and CMMC UID | Missing or stale SPRS status/UID delays award or option action | SPRS readiness (RP/RPO or GRC) |
| 48 CFR 204.7504 (clause use) | When 7021/7025 appear | Phased in through Nov 9, 2028; broader use after Nov 10, 2028 | Clause/provision included when the program office requires it during phase-in | Misreading phase-in as "everything now" or "nothing yet" | Clause review |
| DFARS 252.204-7025 | Required-level notice | Proposal stage | Required level + assessment type; CMMC UID in the proposal | Proposal ineligible if status/affirmation not current in SPRS | Clause interpretation + SPRS prep |
| DFARS 252.204-7021 | Compliance during performance | Performance + flow-down | Maintain current status, annual affirmation, CMMC UID; self-assessment posting where applicable | Processing FCI/CUI on a system without the required status; missing flow-down | Readiness → MSP/MSSP/GRC/enclave → assessment path |
| 32 CFR 170.16 | Level 2 (Self) mechanics | Level 2 (Self) specified | 110 NIST 800-171 Rev. 2 requirements; SPRS score every 3 years; annual affirmation | Treating Level 2 (Self) as equivalent to Level 2 (C3PAO) | RP/RPO, GRC, readiness |
| 32 CFR 170.17 | Level 2 (C3PAO) | Level 2 (C3PAO) specified | Authorized C3PAO assessment; result to SPRS; annual affirmation | Booking the assessment before evidence is ready | Readiness first, C3PAO when ready |
| 32 CFR 170.18 | Level 3 (DIBCAC) | Level 3 specified | Final Level 2 (C3PAO) first, then DIBCAC against selected 800-172 requirements | Assuming Level 3 is "just a harder Level 2 self-assessment" | Specialized readiness + DIBCAC-aware path |
| Subcontract flow-down | Supplier CMMC status | FCI/CUI flows to a sub | Prime/next-tier verification before subcontract award | Supplier that cannot or will not evidence status | Supplier verification workflow + RP/RPO |
| Solely COTS exception | Exclusion boundary | Contract exclusively for COTS items | Confirm the contract is solely COTS before assuming exclusion | Mistaking "commercial" for "solely COTS" | Contract review |
Who does DoD estimate the rule actually affects?
DoD’s own numbers are the best argument against panic — and against the “everyone needs a C3PAO” reflex. In the rule’s regulatory analysis, DoD estimated that by the fourth year of implementation, roughly 337,968 entities would be affected, of which about 229,818 were small entities — meaning small businesses make up close to 68% of the impacted universe. And DoD’s projected assessment mix skews heavily toward self-assessment, not third-party certification.
Here is that estimated Year-4 mix, reframed for a decision instead of a headline:
| DoD-estimated Year-4 category | Approx. share | Approx. entities | What it means for you |
|---|---|---|---|
| Level 1 (Self-Assessment) | ~62% | ~209,540 | Most impacted entities in DoD's estimate are not third-party assessed. |
| Level 2 (Self-Assessment) | ~2% | ~6,759 | A small slice of CUI-handling contractors may self-assess where specified. |
| Level 2 (C3PAO Certification) | ~35% | ~118,289 | A large segment will need a C3PAO when specified — but not before readiness. |
| Level 3 (DIBCAC Certification) | ~1% | ~3,380 | A very small set faces government-led Level 3. |
| Total | 100% | ~337,968 | Route by level, scope, and assessment type — not by fear. |
The phase-in was also deliberately gentle on small business early: DoD estimated only 1,104 small entities affected in year one, rising to 5,565 in year two and 18,554 in year three. Two honest reads of this data: first, if you are small and handle only FCI, your likely path is a Level 1 self-assessment, not a six-figure certification. Second, “small” and “later” are not “exempt” — most impacted entities are small, and the requirement is coming for the majority of the base. The winning move is to know your number, not to assume you are outside the rule.
What does the 48 CFR rule mean for subcontractors and flow-down?
If FCI or CUI flows to you, the rule reaches you — even if you never signed a prime contract with DoD. Under DFARS 252.204-7021 and 32 CFR § 170.23, primes and higher-tier subcontractors must flow the appropriate CMMC level down to any subcontractor that will process, store, or transmit FCI or CUI on its own systems. A subcontractor handling only FCI needs Level 1, even if the prime holds a higher level; when a prime contract is Level 3, a subcontractor handling CUI needs at least Level 2 (C3PAO).
Who sets a subcontractor’s level? For the prime, the program office or requiring activity sets it. For subcontractors, the prime (or the next higher-tier contractor) determines it using the scoping rules, based on the information being flowed down. There is a practical catch: a prime cannot simply look up a subcontractor’s status in SPRS, so primes have to verify compliance independently, contractually.
If you are a prime building a supplier-verification request, ask for what confirms status — without ever collecting sensitive data:
| Request | Why | Guardrail |
|---|---|---|
| Required level + assessment type | Confirms the correct flow-down path | Don't ask the supplier to upload CUI |
| Evidence of current CMMC status | Confirms status | Use approved evidence channels only |
| CMMC UID (where applicable) | Ties the status to the system used in performance | Don't request sensitive system diagrams |
| Affirmation date | Confirms the obligation is current | No CUI needed |
| High-level scope statement | Confirms whether the supplier's system touches FCI/CUI | Keep it high-level — no drawings or data |
| POA&M / conditional summary (if relevant) | Surfaces timeline risk | Don't request vulnerability detail through unsecured channels |
What if a subcontractor refuses to provide proof? Do not assume compliance. Escalate to procurement, contracts, and legal or your CMMC lead, and confirm what the clause requires before you send any FCI or CUI. Sending CUI to a supplier that cannot evidence the required status is exactly the kind of exposure the rule is designed to prevent.
What is conditional CMMC status, and can it support an award?
Conditional status can support an award — but only for Level 2 and Level 3, only for up to 180 days, and only if you close your Plan of Action and Milestones in time. The final rule allows a Conditional CMMC status for Levels 2 and 3 for a period not to exceed 180 days from the conditional status date, during which you can compete for and receive awards while you finish remediation. Level 1 gets no such grace: for Level 1, all requirements must be Met for a Final status before award.
Treat conditional status as a countdown, not a workaround. A Plan of Action and Milestones (POA&M) is a document that lists your open items, the resources to fix them, and scheduled completion dates. You reach Final status by closing out a valid POA&M inside the window — closeout is performed by you (for self-assessed levels), your C3PAO (for Level 2 C3PAO), or DIBCAC (for Level 3). Miss the 180 days and the CMMC status expires, which can put a current award and future eligibility at risk. Note too that not every requirement is POA&M-eligible; some must be fully implemented before any status is issued. For the full rules, see our Conditional Level 2 and POA&M closeout guide.
What contracts are excluded, delayed, or phased in?
The 48 CFR rule does not mean every DoD transaction instantly carries the same CMMC requirement. During the phase-in, whether the clause appears depends on the program office’s determination; after the phase-in completes, use broadens to all applicable contracts involving FCI or CUI on contractor systems — with one clear exclusion: acquisitions solely for commercially available off-the-shelf (COTS) items. The COTS definition is aligned with FAR 2.101, so this is a specific, checkable boundary.
- Watch the “commercial vs. solely COTS” trap. A contract can be “commercial” under FAR Part 12 and still carry a CMMC requirement. The exclusion is narrow — it applies only when the acquisition is exclusively for COTS items. Do not assume “we sell commercial products” means “we are exempt.”
- Existing contracts, options, and modifications. A contracting officer can, at their discretion, add CMMC requirements when exercising an option or modifying a contract. That is why a lapsed SPRS status or affirmation can matter on a contract you already hold, not just on a new bid.
- “Small business” is not a blanket exemption. As DoD’s own estimates show, most impacted entities are small businesses. The right posture for a small DIB supplier is not “we’re too small to matter” — it is to read the clause, confirm your FCI/CUI scope, and verify your SPRS status. Being small usually changes your level, not your obligation to check.
The fastest compliant next step after reading the 48 CFR rule
The fastest safe move is not “hire a C3PAO.” It is to nail down seven facts, in order, and only then choose the kind of help you need. Once you know your clause, level, assessment type, scope, systems, SPRS status, and timeline, you can buy the right help instead of the expensive wrong help.
1. Find DFARS 252.204-7025 in the solicitation.
2. Identify the required CMMC level and assessment type in the fill-in.
3. Confirm whether DFARS 252.204-7021 is in the contract or expected at award.
4. Confirm whether the work involves FCI, CUI, or solely COTS.
5. Identify the systems that will process, store, or transmit FCI/CUI.
6. Verify your current SPRS status, CMMC UID, and affirmation.
7. Match the gap to a provider category — RP/RPO, MSP/MSSP, GRC platform, CUI enclave, or C3PAO.
That last step is where most of the money is won or lost. Our CMMC Path Framework exists to route you to the right category — never a ranking, never compliance advice — based on the facts above.
| Your situation | Likely first category | Why |
|---|---|---|
| "I don't know what 7025/7021 requires." | RP/RPO or a federal-contracts attorney | Your first problem is clause and scope interpretation. |
| "We're Level 1 or Level 2 (Self) and need SPRS/affirmation discipline." | RP/RPO, GRC platform, readiness provider | Your first problem is evidence, score, and process. |
| "We handle CUI but our environment isn't ready." | MSP/MSSP, CUI enclave, GCC High/GovCloud implementation, GRC | Your first problem is the environment and control implementation. |
| "Our clause requires Level 2 (C3PAO) and our evidence is mature." | C3PAO assessment path | A formal assessment may be appropriate now. |
| "We're Level 3 or expect the most sensitive CUI." | Specialized readiness + DIBCAC-aware path | Level 3 requires a Final Level 2 (C3PAO) first, then DIBCAC. |
| "We're a subcontractor receiving CUI from a prime." | RP/RPO + supplier-verification workflow | You need flow-down clarity and a clean evidence package. |
Get the category right before you spend a dollar.
Tell us your required level, assessment type, CUI scope, environment, and timeline in Find My CMMC Path, and we’ll match you with source-checked provider categories that fit your situation.
Find My CMMC Path →
Common mistakes that cost a bid or slow an award
The costliest CMMC mistakes are usually not failed controls — they are misreadings of the rule. Contractors lose time and eligibility by confusing the two rules, assuming every Level 2 path needs a C3PAO, missing an SPRS or affirmation requirement, or treating conditional status as permanent. Here are the ones we see most often:
- Reading the 32 CFR program rule as if it set your contract deadline (the 48 CFR clause does).
- Treating 7012 / 7019 / 7020 as identical to the CMMC clauses 7021 / 7025.
- Relying on 7019/7020 clause numbers that were eliminated or renumbered on February 1, 2026.
- Ignoring the 252.204-7025 fill-in and self-selecting a level.
- Missing a current annual affirmation in SPRS.
- A missing or mismatched CMMC UID.
- Assuming Level 2 always means C3PAO.
- Booking a C3PAO before remediation and evidence are ready.
- Treating conditional status as a long-term posture instead of a 180-day countdown.
- Accepting a subcontractor's verbal assurance instead of contractual evidence.
- Sending CUI to a supplier before verifying the required status path.
- Reading "commercial" as "solely COTS."
- Using NIST 800-171 Revision 3 language as if it controlled CMMC Level 2 today.
How we verified this page
This page is built from primary-source rule text and official program materials — not vendor marketing. We verified the 48 CFR DFARS final rule, the 32 CFR CMMC program rule, the relevant clause text, the phased-implementation schedule, the NIST publication mappings, and the February 2026 clause changes as of the last-verified date below. We did not evaluate named providers on this page.
| Source we checked | What we used it for |
|---|---|
| Federal Register — 48 CFR CMMC final rule (90 FR 43560, pp. 43560–43577; doc 2025-17359) | Effective date, DFARS structure, award eligibility, SPRS checks, phase-in, COTS exclusion, impact estimates |
| eCFR — 32 CFR Part 170 (incl. § 170.3(e), §§ 170.14–170.18, § 170.23) | CMMC levels, assessment types, scoping, affirmation, conditional/POA&M mechanics, four-phase schedule, subcontractor flow-down |
| Acquisition.gov — DFARS 252.204-7012 (MAY 2024), 7021 (NOV 2025), 7025 (NOV 2025) | Current clause and provision text |
| DoD DFARS Revolutionary FAR Overhaul class-deviation page | The February 1, 2026 elimination of 7019 and renumbering of 7020 to 252.240-7997 (Class Deviation 2026-O0025) |
| NIST CSRC | NIST SP 800-171 Rev. 2 and NIST SP 800-172 references |
| SPRS official documentation | What SPRS stores and how assessment information is represented |
Frequently asked questions about the 48 CFR CMMC final rule
What is the 48 CFR CMMC final rule?
It is DoD’s final DFARS acquisition rule that incorporates CMMC requirements into DoD solicitations and contracts. It was published September 10, 2025 (90 FR 43560) and took effect November 10, 2025.
Is the 48 CFR CMMC final rule the same as the 2024 “CMMC Final Rule”?
No. The 2024 rule was 32 CFR Part 170, the program rule that created CMMC. The 48 CFR rule is the second final rule and tells contracting officers how to put CMMC into contracts. Both are final; they do different jobs.
What is DFARS 252.204-7021?
It is the CMMC contract clause governing contractor compliance: current CMMC status, annual affirmation, CMMC UID, and flow-down to subcontractors. It was not changed by the February 2026 FAR Overhaul.
What is DFARS 252.204-7025?
It is the solicitation provision that states the required CMMC level and assessment type and requires the offeror to provide CMMC unique identifiers in the proposal.
Did the 2026 FAR Overhaul cancel CMMC?
No. It eliminated DFARS 252.204-7019 and renumbered 252.204-7020 to 252.240-7997, but DFARS 252.204-7021, 252.204-7025, and 252.204-7012 were not changed. CMMC remains a condition of award.
If DFARS 252.204-7019 is gone, do I still post anything in SPRS?
Yes, when a CMMC requirement applies. Under DFARS 252.204-7021 and 252.204-7025 you still need a current CMMC status, your CMMC UID(s), self-assessment results where the level is self-assessed, and a current annual affirmation in SPRS. What went away on February 1, 2026 was the older standalone “Basic” NIST SP 800-171 self-assessment mechanism under the prior 7019/7020 structure — not your CMMC SPRS obligations.
Does every DoD contract now require CMMC?
No. The rule phases in through 2028 and excludes acquisitions solely for commercially available off-the-shelf (COTS) items. Whether a specific contract requires CMMC depends on the phase and the program office’s determination, stated in the DFARS 252.204-7025 provision. Read the solicitation.
Does Level 2 always require a C3PAO?
No. Level 2 can be self-assessed or assessed by a C3PAO depending on what the contract specifies. A contractor cannot self-select the self-assessment path if the clause requires a C3PAO.
What is a CMMC UID?
A CMMC unique identifier is a 10-character identifier assigned to each CMMC assessment and reflected in SPRS for a contractor information system. You provide the relevant UID(s) for the systems used in performance.
Can conditional CMMC status support an award?
Yes, for Level 2 and Level 3, for up to 180 days, if the Plan of Action and Milestones is closed out in time. Level 1 must be Final for award.
Are COTS contracts excluded from CMMC?
Yes. Acquisitions exclusively for commercially available off-the-shelf (COTS) items are excluded; the COTS definition aligns with FAR 2.101.
Does NIST SP 800-171 Revision 3 control CMMC Level 2?
Not under the current rule. CMMC Level 2 maps to NIST SP 800-171 Revision 2 unless DoD amends the CMMC rule or the applicable contract requirement.
Does DFARS 252.204-7012 still matter?
Yes. It remains in force for safeguarding covered defense information and includes the 72-hour cyber incident reporting requirement.
My purchase order includes 7021 but no clear level — what do I do?
Don’t guess. Ask the contracting officer, prime, or next-tier customer for the required CMMC level and assessment type, and confirm with a Registered Practitioner (RP/RPO) or contracts counsel.
Is The Defense Compliance Report affiliated with the Cyber AB or DoD?
No. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance and is not affiliated with the Cyber AB, DoD, DCMA DIBCAC, NIST, or any U.S. government agency.
Your next move
You now know what the 48 CFR CMMC final rule is, when it took effect, which clauses control, what changed in 2026, and what can block an award. The one thing a general page can’t do is tell you your required level, scope, and path — that comes from your clause and your FCI/CUI handling. Don’t buy the wrong kind of help to solve a problem you haven’t scoped.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Find My CMMC Path →
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. See our editorial and advertising policy.