The Defense Compliance Report | CMMC 2.0 & the Defense Industrial Base

Last reviewed: · By The Defense Compliance Report Editorial Team

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability for your contract with a CMMC Registered Practitioner / Registered Provider Organization (RP/RPO) or a qualified federal-contracts attorney.

48 CFR CMMC Final Rule: What DFARS 252.204-7021 and 252.204-7025 Mean for Your Contracts

The 48 CFR CMMC final rule is the Department of Defense acquisition rule that turned the Cybersecurity Maturity Model Certification (CMMC) from a program on paper into a hard condition of award for the DoD contracts it applies to. It was published in the Federal Register on September 10, 2025 (90 FR 43560, pages 43560–43577) and took effect November 10, 2025.

What the rule requires of you comes down to one thing: the CMMC level and assessment type written into your specific contract. And here is the wrinkle most articles published in 2025 miss — on February 1, 2026, a separate federal overhaul quietly renumbered several of the clauses sitting right next to CMMC. We read the rule, the clause text on Acquisition.gov, and the Department of Defense deviation memos so you can see exactly what is current, what changed, and what to do about it.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

Who this page is for: primes, subcontractors, and the people who own the decision (CISOs, IT directors, FSOs, compliance managers, contracts officers, and small-business owners) who just saw CMMC show up in a solicitation, a contract mod, or a prime’s flow-down notice and need to know what it actually requires.

Who this page is not for: anyone looking for a “CMMC in five minutes” explainer or a ranked list of “best” providers. This is the contract-rule page. It tells you what changed, what can block an award, and how to figure out your path before you spend money.

The bottom line, in one screen

Quick-reference answers to the most common 48 CFR CMMC final rule questions:

  • Is the 48 CFR CMMC final rule actually final? Yes. DoD issued the final DFARS rule on September 10, 2025, effective November 10, 2025.
  • Is it the same thing as “the CMMC Final Rule” from 2024? No. That was 32 CFR Part 170 (the program rule). This is the 48 CFR DFARS rule that puts CMMC into contracts. Two rules, two jobs.
  • Which clauses matter most? DFARS 252.204-7025 in the solicitation (states your required level) and DFARS 252.204-7021 in the contract (your compliance obligation).
  • What can block an award? Not having a current CMMC status in SPRS at the required level — plus a current affirmation of continuous compliance — when the solicitation requires them.
  • Does everyone now need a third-party assessment? No. Level 1, Level 2 self-assessment, Level 2 third-party (C3PAO), and Level 3 are four different paths. The clause sets which one.
  • Is Level 2 based on NIST 800-171 Revision 3? No, not for CMMC. CMMC Level 2 currently maps to NIST SP 800-171 Revision 2 (110 requirements, 14 families).
  • Are contracts solely for off-the-shelf products excluded? Yes. Acquisitions exclusively for commercially available off-the-shelf (COTS) items are excluded.
  • Did anything change in 2026? Yes. On February 1, 2026, the Revolutionary FAR Overhaul eliminated one nearby clause and renumbered another. The CMMC clauses themselves (7021, 7025) did not change.

The one honest caveat before you read further

Here is the thing no vendor wants to lead with: the 48 CFR rule will not tell you which provider to hire — and, by itself, it will not even tell you which CMMC level you need. Your required level and assessment type come from the fill-in block in your solicitation and from whether you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). That is actually good news. It means the correct first move is almost never “panic and book a third-party assessment.” It is to understand your clause, scope your environment, and match the gap to a category.

Start with your clause, not a sales call.

Use The Defense Compliance Report’s Find My CMMC Path tool to map your required level, FCI/CUI scope, assessment type, environment, and timeline to the right provider category — before you request a single quote.

Do not submit CUI, drawings, or sensitive contract details. If a match leads to an introduction, we may earn a referral fee, disclosed at the point of recommendation. It never changes our regulatory analysis or which category we point you to.

Find My CMMC Path →

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.


What is the 48 CFR CMMC final rule?

The 48 CFR CMMC final rule is DoD’s final DFARS acquisition rule for incorporating CMMC into defense solicitations and contracts. The separate 32 CFR Part 170 rule established the CMMC Program — the levels, the assessments, the scoping rules. The 48 CFR rule tells contracting officers when and how to actually put CMMC into a contract. That distinction is not academic: you do not lose award eligibility because of a blog post or a checklist. You are exposed when the clause and your status don’t match.

“48 CFR” is simply Title 48 of the Code of Federal Regulations — the Federal Acquisition Regulation (FAR) system. DFARS is DoD’s supplement to it. So when someone says “the 48 CFR CMMC rule,” they mean the contracting side of CMMC, not the program side. The rule amends four parts of the DFARS: Part 204 (administrative and cybersecurity procedures), Part 212 (commercial products and services), Part 217 (special contracting methods), and Part 252 (the solicitation provisions and contract clauses).

What we verified in the rule record:

  • Federal Register document: 2025-17359
  • Citation: 90 FR 43560 (pages 43560–43577, 18 pages)
  • DFARS Case: 2019-D041 (RIN 0750-AK81; Docket DARS-2020-0034)
  • CFR parts amended: 48 CFR 204, 212, 217, 252
  • Effective date: November 10, 2025

We read the final rule text on the Federal Register and the codified DFARS at 48 CFR Subpart 204.75 on July 1, 2026.

One precision point worth getting right: this rule was issued by the Department of Defense. You may see “Department of War” used in some 2025–2026 materials, but the FAR and DFARS — the regulations that actually govern your contract — still use “DoD,” and that is what we use here.

48 CFR vs. 32 CFR: the two CMMC rules, side by side

This single table clears up more confusion than anything else on the page. If you only remember one thing: 32 CFR is the program; 48 CFR is the contract hook.

Side-by-side comparison of 32 CFR Part 170 (the CMMC Program Rule) and 48 CFR (the CMMC Acquisition, or DFARS, Rule):

Its job
  • 32 CFR Part 170: Establishes the CMMC Program: levels, assessment types, scoping, affirmations, the assessor ecosystem, and the phased-implementation schedule.
  • 48 CFR: Puts CMMC into contracts: adds the clause and provision, tells contracting officers how to require a level, and conditions award on SPRS status.

Common names
  • 32 CFR Part 170: "Program Rule"
  • 48 CFR: "Acquisition Rule," "DFARS Rule," "Procurement Rule"

Where it lives
  • 32 CFR Part 170: Title 32, Part 170
  • 48 CFR: Title 48, DFARS Parts 204, 212, 217, 252 (new Subpart 204.75)

Federal Register
  • 32 CFR Part 170: 89 FR 83092
  • 48 CFR: 90 FR 43560 (doc 2025-17359)

Published
  • 32 CFR Part 170: October 15, 2024
  • 48 CFR: September 10, 2025

Effective
  • 32 CFR Part 170: December 16, 2024
  • 48 CFR: November 10, 2025

Can it put CMMC in your contract by itself?
  • 32 CFR Part 170: No. It defines the program; it does not insert CMMC into a contract.
  • 48 CFR: Yes. It adds the DFARS clause and provision that make CMMC an award and performance condition when included.

Sources: 32 CFR Part 170 final rule (89 FR 83092); 48 CFR CMMC final rule (90 FR 43560); eCFR 48 CFR Subpart 204.75.


When did the 48 CFR CMMC rule take effect, and what phase are we in?

The 48 CFR CMMC final rule took effect November 10, 2025, two months after publication, satisfying the minimum 60-day delay that 41 U.S.C. § 1707 requires. That same date started Phase 1 of the four-phase rollout defined in 32 CFR § 170.3(e). As of July 2026, we are in Phase 1, which runs through November 9, 2026.

The four phases each begin one calendar year after the last. DoD deliberately staged it so the assessment ecosystem — and contractors — could catch up. Here is the full chronology, including the 2026 clause overhaul that most timelines skip:

CMMC 48 CFR rule full chronology, from proposed rulemaking through Phase 4 implementation (date: milestone, with source in parentheses):

  • Dec 26, 2023: 32 CFR CMMC proposed rule (88 FR 89058)
  • Aug 15, 2024: 48 CFR CMMC proposed rule, DFARS Case 2019-D041 (89 FR 66327)
  • Oct 15, 2024: 32 CFR CMMC final rule published (89 FR 83092)
  • Dec 16, 2024: 32 CFR program rule effective; the CMMC Program exists (32 CFR Part 170)
  • Jul 22, 2025: DoD sends the 48 CFR final rule to OIRA/OMB for review (OMB/OIRA docket)
  • Aug 25, 2025: 48 CFR final rule clears regulatory review (OIRA)
  • Sep 10, 2025: 48 CFR CMMC final rule published (90 FR 43560, doc 2025-17359)
  • Nov 10, 2025: 48 CFR rule effective; CMMC Phase 1 begins (90 FR 43560; 32 CFR § 170.3(e))
  • Feb 1, 2026: Revolutionary FAR Overhaul deviations effective; DFARS 7019 eliminated, 7020 renumbered to 252.240-7997 (DoD DFARS RFO class-deviation page)
  • Nov 10, 2026: Phase 2 begins; Level 2 (C3PAO) requirements widen (32 CFR § 170.3(e))
  • Nov 10, 2027: Phase 3 begins; Level 3 (DIBCAC) requirements added (32 CFR § 170.3(e))
  • Nov 10, 2028: Phase 4; full implementation (32 CFR § 170.3(e))

Here is how the phases translate into what actually shows up in solicitations:

CMMC four-phase implementation: what gets required per phase (in applicable, non-COTS contracts), start date, and assessment type:

  • Phase 1 (current), starts Nov 10, 2025. Required: Level 1 (Self) or Level 2 (Self); DoD may, at its discretion, require Level 2 (C3PAO). Assessment type: self-assessment; C3PAO at DoD discretion.
  • Phase 2, starts Nov 10, 2026. Required: adds Level 2 (C3PAO); DoD may, at its discretion, require Level 3 (DIBCAC). Assessment type: third-party (C3PAO).
  • Phase 3, starts Nov 10, 2027. Required: adds Level 3 (DIBCAC) as a condition of award. Assessment type: government (DIBCAC).
  • Phase 4, starts Nov 10, 2028. Required: full implementation across all applicable solicitations and contracts, including option periods. Assessment type: all levels.

Source: 32 CFR § 170.3(e). The regulation sets four phases, each beginning one calendar year after the prior phase; dates are derived from the November 10, 2025 anchor.

A word of caution on “effective date.” The effective date tells you when the acquisition rule can operate. It does not tell you your obligation. Even in Phase 1, primes can flow CMMC-related requirements down through subcontract terms — and many already have — and a contracting officer can require a higher assessment type when the program office decides the risk warrants it. Read the solicitation. The clause governs, not the calendar.

What changed from the proposed rule to the final rule?

If you have older notes or a saved PDF, they may describe the proposed 48 CFR rule from August 15, 2024 (89 FR 66327). A few things moved between proposed and final:


Which DFARS clauses should you look for?

The two CMMC-specific instruments are DFARS 252.204-7025 (the solicitation provision) and DFARS 252.204-7021 (the contract clause). The provision is where the contracting officer writes in your required CMMC level and where you supply your CMMC unique identifiers; the clause governs your compliance, affirmation, and flow-down obligations during performance. You also need to know how three older clauses — 7012, 7019, and 7020 — fit around them, because two of those changed in 2026.

Read your solicitation for these. This is your clause map, with current status as of July 1, 2026.

DFARS clause status map as of July 1, 2026 (CMMC and related clauses, with current status):

  • DFARS 252.204-7021, contract clause (NOV 2025). Contractor Compliance With the CMMC Level Requirements. Your performance obligation: maintain a current CMMC status, submit the annual affirmation and CMMC UID in SPRS, and flow the correct level down to subcontractors. Status: active; unchanged by the 2026 overhaul.
  • DFARS 252.204-7025, solicitation provision (NOV 2025). Notice of CMMC Level Requirements. The fill-in block where the contracting officer states the required level (Level 1 Self / Level 2 Self / Level 2 C3PAO / Level 3 DIBCAC) and where you provide CMMC UIDs. Status: active; unchanged by the 2026 overhaul.
  • DFARS 252.204-7012, contract clause (MAY 2024). Safeguarding Covered Defense Information and Cyber Incident Reporting. Implement NIST SP 800-171 for covered defense information and report cyber incidents within 72 hours. Predates CMMC and still applies. Status: active.
  • DFARS 252.204-7019, solicitation provision. Notice of NIST SP 800-171 DoD Assessment Requirements. Formerly required a "Basic" self-assessment score in SPRS. Status: eliminated on Feb 1, 2026.
  • DFARS 252.204-7020, contract clause. NIST SP 800-171 DoD Assessment Requirements. DoD's authority to conduct Medium/High assessments. Status: renumbered to DFARS 252.240-7997 on Feb 1, 2026; "Basic" references removed.
  • FAR 52.204-21, contract clause (FAR). Basic Safeguarding of Covered Contractor Information Systems: the 15 basic safeguards that form the FCI baseline behind CMMC Level 1. Status: renumbered to FAR 52.240-93 under the overhaul deviation; the same 15 requirements still define Level 1.

Sources: Acquisition.gov clause text for DFARS 252.204-7021, 252.204-7025 (both NOV 2025), and 252.204-7012 (MAY 2024); the DoD DFARS RFO class-deviation page. Codified regulation pages and class-deviation text can show different clause numbers during the transition.

How to read the 7025 fill-in. When you open a solicitation with a CMMC requirement, the 252.204-7025 provision tells you four things: the required CMMC level, the assessment type (self, C3PAO, or DIBCAC), that you must have a current status and current affirmation in SPRS before award, and that you must provide your CMMC UID(s) for each information system that will process, store, or transmit FCI or CUI. Do not self-select a level from a generic checklist — the fill-in and the acquisition documentation control.

For a full explanation of each clause and its current text, see our dedicated guides: DFARS 252.204-7021 explained, DFARS 252.204-7025 explained, DFARS 252.204-7012 explained, and DFARS 7019 and 7020 after the 2026 overhaul.

Map your clause to a path.

Tell us your level, scope, assessment type, environment, and timeline in Find My CMMC Path, and we will point you to the source-checked provider category that fits — before you request quotes.


What changed on February 1, 2026 (the FAR Overhaul)?

On February 1, 2026, the Revolutionary FAR Overhaul (RFO) took effect through Department of Defense class deviations and renumbered several clauses around CMMC. Under DoD Class Deviation 2026-O0025 (Revolutionary FAR Overhaul Part 40 / new DFARS Part 240), DFARS 252.240-7997 now carries the NIST SP 800-171 DoD Assessment Requirements clause, DFARS 252.204-7019 was eliminated, and “Basic” assessments were removed so only government-led Medium and High assessments remain. Critically, the CMMC clauses themselves — 252.204-7021 and 252.204-7025 — were not changed, and DFARS 252.204-7012 remains fully in force.

We flag this because it is the single most common way a competing page is now out of date. Many of the top results for “48 CFR CMMC final rule” were written between September and November 2025 and still list 7019 and 7020 as active clauses. As of February 1, 2026, that is no longer accurate. Here is what actually happened — and, just as important, what did not.

What was eliminated (7019) and what moved (7020 → 240-7997). DFARS 7019 was the provision that required contractors to post a “Basic” NIST SP 800-171 self-assessment score in SPRS. Under the RFO Part 40 / DFARS Part 240 deviation text, that older standalone Basic-assessment mechanism is not carried forward in the same 7019/7020 form. DFARS 7020 — DoD’s authority to run Medium and High assessments — moved to the new DFARS Part 240 and is now numbered 252.240-7997. For CMMC solicitations, the CMMC-specific status, CMMC UID, self-assessment-result, and affirmation obligations now sit in the 252.204-7025 provision and the 252.204-7021 clause.

What did not change — and why it matters more than the renumbering. Your underlying obligations are intact. If you handle CUI, you still implement all 110 NIST SP 800-171 Revision 2 requirements, still maintain a System Security Plan (SSP), still report cyber incidents within 72 hours under 7012, and still self-assess or obtain a C3PAO assessment as your contract specifies. The DoD did not weaken enforcement here. It removed a parallel, pre-CMMC self-attestation mechanism and elevated CMMC as the primary path.

Why you may see two clause numbers at once. The RFO changes were made through class deviations while the formal rulemaking catches up during 2026. Codified regulation pages can therefore still show the pre-deviation numbers (7019, 7020) while deviation text uses 252.240-7997, and you may see both the old and new numbers referenced in the same solicitation during the transition; 7021 and 7025 remain the CMMC clauses in both. The safe rule: match the clause number to the document in front of you, and confirm with your contracting officer if anything looks inconsistent.


What must be current in SPRS before award?

When the CMMC requirement applies, the Supplier Performance Risk System (SPRS) becomes the government’s verification point — and stale information there can quietly cost you an award. The final DFARS rule directs contracting officers to check SPRS for a current CMMC status and current affirmation at the required level before award, and again before exercising an option period or extending performance where a CMMC requirement applies. “We were fine at original award” is not a defense if your status or affirmation has since lapsed.

Here is what needs to be in order:

SPRS pre-award checklist (item, who needs to care, and what to verify):

  • Current CMMC status (any contractor with a CMMC requirement): verify the required level and status are current in SPRS.
  • Annual affirmation (all levels where required): verify the affirming official has submitted a current affirmation of continuous compliance.
  • CMMC UID (contractors with in-scope systems): verify a UID exists and maps to each system used for FCI/CUI.
  • Self-assessment result (Level 1 and Level 2 Self): verify the result is submitted to SPRS as required.
  • Conditional POA&M closeout (Level 2/3 conditional status): verify closeout happens inside the 180-day window.
  • CAGE / entity alignment (multi-entity or multi-system contractors): verify scope and CAGE information match the systems used in performance.

One nuance people miss: SPRS stores assessment and scoring information — assessment date, score, scope, CAGE code, SSP name, confidence level — but you do not perform the assessment inside SPRS. Here is the regulation-stated obligation versus where you actually confirm it:

What the CMMC rule requires in SPRS, and where you operationally confirm each item:

  • Current CMMC status at the required level: SPRS, accessed through PIEE (piee.eb.mil).
  • Annual affirmation of continuous compliance: SPRS, submitted by your affirming official.
  • CMMC UID for each in-scope system: the SPRS record for each information system.
  • Self-assessment result (Level 1 / Level 2 Self): posted by you in SPRS.
  • Level 2 (C3PAO) / Level 3 (DIBCAC) results: reach SPRS through the government assessment pathway (e.g., eMASS); not posted by you.

Getting that last row wrong is how contractors assume they are “in SPRS” when the required result is not actually there.

Before you bid, make sure your SPRS record backs you up.

If your solicitation carries the 252.204-7025 provision, map your required level, CMMC UID and affirmation status, and award deadline to your next step with Find My CMMC Path.


How do Level 1, Level 2 (Self), Level 2 (C3PAO), and Level 3 differ?

The 48 CFR rule does not collapse CMMC into one universal certificate — there are four distinct paths, and your clause picks one. Level 1 covers FCI and 15 basic safeguards. Level 2 maps to the 110 NIST SP 800-171 Revision 2 requirements across 14 control families, either self-assessed or assessed by a C3PAO depending on the contract. Level 3 adds a selected subset of NIST SP 800-172 enhanced requirements and is assessed by the government. Treating these as interchangeable is the fastest way to over-buy or under-prepare.

CMMC four-path comparison (Level 1, Level 2 Self, Level 2 C3PAO, Level 3): information type, requirements, assessor, frequency, affirmation, and POA&M rules:

  • Level 1. Info type: FCI. Requirements: 15 basic safeguards (FAR 52.204-21). Assessor: self. Frequency: annual. Affirmation: annual. POA&M / conditional: no POA&Ms; Level 1 must be Final.
  • Level 2 (Self). Info type: CUI, where self-assessment is specified. Requirements: 110 NIST SP 800-171 Rev. 2 requirements (14 families). Assessor: self. Frequency: every 3 years. Affirmation: annual. POA&M / conditional: conditional status possible under POA&M rules, with a closeout window.
  • Level 2 (C3PAO). Info type: CUI, where third-party assessment is specified. Requirements: 110 NIST SP 800-171 Rev. 2 requirements (14 families). Assessor: Certified Third-Party Assessment Organization (C3PAO). Frequency: every 3 years. Affirmation: annual. POA&M / conditional: conditional status possible under POA&M rules, with a closeout window.
  • Level 3. Info type: most sensitive CUI / higher-risk programs. Requirements: selected NIST SP 800-172 requirements (24 for CMMC), plus a Final Level 2 (C3PAO) prerequisite. Assessor: DCMA DIBCAC. Frequency: every 3 years. Affirmation: annual. POA&M / conditional: conditional status possible under POA&M rules, with a closeout window.

Source: 32 CFR Part 170 (§ 170.14 for the model; §§ 170.15–170.18 for assessment mechanics). NIST SP 800-171 Rev. 2 supplies the 110 Level 2 requirements; NIST SP 800-172 supplies the Level 3 enhanced subset.

Do not substitute Revision 3. CMMC Level 2 currently maps to NIST SP 800-171 Revision 2, not Revision 3. Here is the wrinkle: DFARS 252.204-7012 points to the NIST SP 800-171 version in effect when a solicitation is issued, and the current published version is Revision 3 — but CMMC Level 2 under 32 CFR Part 170 is tied to Revision 2. DoD resolved that mismatch with Class Deviation 2024-O0013 (May 2024), which directs contractors to implement Revision 2 (not Revision 3) when 7012 appears in a contract. Bottom line: do not treat Revision 3 as the CMMC Level 2 baseline unless DoD amends the CMMC rule or your contract says otherwise.

For the full comparison of self-assessment vs. third-party paths, see our CMMC self-assessment vs. C3PAO guide and CMMC levels overview.


Does the 48 CFR rule require a C3PAO assessment?

Not always — and for most contractors reading this, not first. A Certified Third-Party Assessment Organization (C3PAO) assessment is required when your contract specifies Level 2 (C3PAO) or when you are on the Level 3 path (which requires a Final Level 2 C3PAO certification before the DIBCAC assessment). It is not the right opening move for a company that has not yet scoped its CUI, written its SSP, closed its major gaps, or confirmed its SPRS and affirmation posture.

Figure out whether you need readiness help or an assessment — before you book either.

Find My CMMC Path maps your required level, assessment type, CUI scope, current environment, and timeline to the provider category that actually fits your stage.

Prefer to move at your own pace first? Start with our CMMC Readiness Checklist.


The DCR 48 CFR Award-Eligibility Action Matrix

This is the asset we built because no single competing page had it: a map from each rule and clause to the trigger, the evidence you need, what can block or slow your award, and the provider category that usually comes first. We assembled it by reading the Federal Register final rule, cross-checking 32 CFR Part 170, and confirming the current clause text on Acquisition.gov.

DCR award-eligibility action matrix, mapping each 48 CFR CMMC rule and clause to what it controls, its trigger, the evidence needed, what can block or slow award, and the provider category usually needed first:

  • 48 CFR 204.7502 (policy). Controls: award eligibility. Trigger: solicitation or award carries a CMMC requirement. Evidence needed: current CMMC status at the required level plus current affirmation. Blocker: no award without the required current status; Level 1 must be Final; Level 2/3 conditional status limited to 180 days. First provider category: clause interpretation and readiness triage (RP/RPO).
  • 48 CFR 204.7503 (procedures). Controls: contracting-officer checks. Trigger: award, option exercise, extension, or a new UID. Evidence needed: CO checks SPRS for status and CMMC UID. Blocker: missing or stale SPRS status/UID delays award or option action. First provider category: SPRS readiness (RP/RPO or GRC).
  • 48 CFR 204.7504 (clause use). Controls: when 7021/7025 appear. Trigger: phased in through Nov 9, 2028; broader use after Nov 10, 2028. Evidence needed: clause/provision included when the program office requires it during phase-in. Blocker: misreading phase-in as "everything now" or "nothing yet". First provider category: clause review.
  • DFARS 252.204-7025. Controls: required-level notice. Trigger: proposal stage. Evidence needed: required level plus assessment type; CMMC UID in the proposal. Blocker: proposal ineligible if status/affirmation not current in SPRS. First provider category: clause interpretation and SPRS prep.
  • DFARS 252.204-7021. Controls: compliance during performance. Trigger: performance and flow-down. Evidence needed: maintain current status, annual affirmation, CMMC UID; self-assessment posting where applicable. Blocker: processing FCI/CUI on a system without the required status; missing flow-down. First provider category: readiness, then MSP/MSSP/GRC/enclave, then the assessment path.
  • 32 CFR 170.16. Controls: Level 2 (Self) mechanics. Trigger: Level 2 (Self) specified. Evidence needed: 110 NIST 800-171 Rev. 2 requirements; SPRS score every 3 years; annual affirmation. Blocker: treating Level 2 (Self) as equivalent to Level 2 (C3PAO). First provider category: RP/RPO, GRC, readiness.
  • 32 CFR 170.17. Controls: Level 2 (C3PAO). Trigger: Level 2 (C3PAO) specified. Evidence needed: authorized C3PAO assessment; result to SPRS; annual affirmation. Blocker: booking the assessment before evidence is ready. First provider category: readiness first, C3PAO when ready.
  • 32 CFR 170.18. Controls: Level 3 (DIBCAC). Trigger: Level 3 specified. Evidence needed: Final Level 2 (C3PAO) first, then DIBCAC against selected 800-172 requirements. Blocker: assuming Level 3 is "just a harder Level 2 self-assessment". First provider category: specialized readiness plus a DIBCAC-aware path.
  • Subcontract flow-down. Controls: supplier CMMC status. Trigger: FCI/CUI flows to a sub. Evidence needed: prime/next-tier verification before subcontract award. Blocker: supplier that cannot or will not evidence status. First provider category: supplier verification workflow plus RP/RPO.
  • Solely COTS exception. Controls: exclusion boundary. Trigger: contract exclusively for COTS items. Evidence needed: confirm the contract is solely COTS before assuming exclusion. Blocker: mistaking "commercial" for "solely COTS". First provider category: contract review.

Methodology: We read the 48 CFR final rule (90 FR 43560), compared it against 32 CFR Part 170, and confirmed clause text for 7012, 7021, and 7025 on Acquisition.gov, plus the February 2026 RFO deviations. We did not rank named providers or verify any provider’s Cyber AB Marketplace status on this page.


Who does DoD estimate the rule actually affects?

DoD’s own numbers are the best argument against panic — and against the “everyone needs a C3PAO” reflex. In the rule’s regulatory analysis, DoD estimated that by the fourth year of implementation, roughly 337,968 entities would be affected, of which about 229,818 were small entities — meaning small businesses make up close to 68% of the impacted universe. And DoD’s projected assessment mix skews heavily toward self-assessment, not third-party certification.

Here is that estimated Year-4 mix, reframed for a decision instead of a headline:

DoD-estimated Year 4 CMMC assessment mix by level (approximate share, approximate entity count, and what it means for contractors):

  • Level 1 (Self-Assessment): ~62%, ~209,540 entities. Most impacted entities in DoD's estimate are not third-party assessed.
  • Level 2 (Self-Assessment): ~2%, ~6,759 entities. A small slice of CUI-handling contractors may self-assess where specified.
  • Level 2 (C3PAO Certification): ~35%, ~118,289 entities. A large segment will need a C3PAO when specified, but not before readiness.
  • Level 3 (DIBCAC Certification): ~1%, ~3,380 entities. A very small set faces government-led Level 3.
  • Total: 100%, ~337,968 entities. Route by level, scope, and assessment type, not by fear.

Source: DoD’s regulatory flexibility analysis in the CMMC rulemaking, published with the final rule. The 337,968 total and 229,818 small-entity figure are stated in that analysis; DoD notes the assessment mix is an estimate that will shift with program-office discretion.

The phase-in was also deliberately gentle on small business early: DoD estimated only 1,104 small entities affected in year one, rising to 5,565 in year two and 18,554 in year three. Two honest reads of this data: first, if you are small and handle only FCI, your likely path is a Level 1 self-assessment, not a six-figure certification. Second, “small” and “later” are not “exempt” — most impacted entities are small, and the requirement is coming for the majority of the base. The winning move is to know your number, not to assume you are outside the rule.


What does the 48 CFR rule mean for subcontractors and flow-down?

If FCI or CUI flows to you, the rule reaches you — even if you never signed a prime contract with DoD. Under DFARS 252.204-7021 and 32 CFR § 170.23, primes and higher-tier subcontractors must flow the appropriate CMMC level down to any subcontractor that will process, store, or transmit FCI or CUI on its own systems. A subcontractor handling only FCI needs Level 1, even if the prime holds a higher level; when a prime contract is Level 3, a subcontractor handling CUI needs at least Level 2 (C3PAO).

Who sets a subcontractor’s level? For the prime, the program office or requiring activity sets it. For subcontractors, the prime (or the next higher-tier contractor) determines it using the scoping rules, based on the information being flowed down. There is a practical catch: a prime cannot simply look up a subcontractor’s status in SPRS, so primes have to verify compliance independently, contractually.

If you are a prime building a supplier-verification request, ask for what confirms status — without ever collecting sensitive data:

Supplier CMMC verification request guide for primes (what to request, why, and the guardrail):

  • Required level plus assessment type. Why: confirms the correct flow-down path. Guardrail: don't ask the supplier to upload CUI.
  • Evidence of current CMMC status. Why: confirms status. Guardrail: use approved evidence channels only.
  • CMMC UID (where applicable). Why: ties the status to the system used in performance. Guardrail: don't request sensitive system diagrams.
  • Affirmation date. Why: confirms the obligation is current. Guardrail: no CUI needed.
  • High-level scope statement. Why: confirms whether the supplier's system touches FCI/CUI. Guardrail: keep it high-level; no drawings or data.
  • POA&M / conditional summary (if relevant). Why: surfaces timeline risk. Guardrail: don't request vulnerability detail through unsecured channels.

What if a subcontractor refuses to provide proof? Do not assume compliance. Escalate to procurement, contracts, and legal or your CMMC lead, and confirm what the clause requires before you send any FCI or CUI. Sending CUI to a supplier that cannot evidence the required status is exactly the kind of exposure the rule is designed to prevent.


What is conditional CMMC status, and can it support an award?

Conditional status can support an award — but only for Level 2 and Level 3, only for up to 180 days, and only if you close your Plan of Action and Milestones in time. The final rule allows a Conditional CMMC status for Levels 2 and 3 for a period not to exceed 180 days from the conditional status date, during which you can compete for and receive awards while you finish remediation. Level 1 gets no such grace: for Level 1, all requirements must be Met for a Final status before award.

Treat conditional status as a countdown, not a workaround. A Plan of Action and Milestones (POA&M) is a document that lists your open items, the resources to fix them, and scheduled completion dates. You reach Final status by closing out a valid POA&M inside the window; closeout is performed by you (for Level 2 Self), your C3PAO (for Level 2 C3PAO), or DIBCAC (for Level 3). Miss the 180 days and the CMMC status expires, which can put a current award and future eligibility at risk. Note too that not every requirement is POA&M-eligible; some must be fully implemented before any status is issued, and for Level 2 the 32 CFR rule also requires a minimum assessment score (88 of 110) before a conditional status can be granted at all. For the full rules, see our Conditional Level 2 and POA&M closeout guide.


What contracts are excluded, delayed, or phased in?

The 48 CFR rule does not mean every DoD transaction instantly carries the same CMMC requirement. During the phase-in, whether the clause appears in a given solicitation depends on the current phase and the program office’s determination; after the phase-in completes, use broadens to all applicable contracts involving FCI or CUI on contractor systems, with one clear exclusion: acquisitions solely for commercially available off-the-shelf (COTS) items. The COTS definition is aligned with FAR 2.101, so this is a specific, checkable boundary. Note that the exclusion is for acquisitions solely for COTS items; a contract that mixes COTS items with services or non-COTS deliverables that involve FCI or CUI is not excluded on that basis.


The fastest compliant next step after reading the 48 CFR rule

The fastest safe move is not “hire a C3PAO.” It is to nail down seven facts, in order, and only then choose the kind of help you need. Once you know your clause, level, assessment type, scope, systems, SPRS status, and timeline, you can buy the right help instead of the expensive wrong help.

  1. Find DFARS 252.204-7025 in the solicitation.
  2. Identify the required CMMC level and assessment type in the fill-in.
  3. Confirm whether DFARS 252.204-7021 is in the contract or expected at award.
  4. Confirm whether the work involves FCI, CUI, or solely COTS.
  5. Identify the systems that will process, store, or transmit FCI/CUI.
  6. Verify your current SPRS status, CMMC UID, and affirmation.
  7. Match the gap to a provider category — RP/RPO, MSP/MSSP, GRC platform, CUI enclave, or C3PAO.

That last step is where most of the money is won or lost. Our CMMC Path Framework exists to route you to the right category — never a ranking, never compliance advice — based on the facts above.

Situation-to-provider-category routing table for CMMC path decisions

Situation: "I don't know what 7025/7021 requires."
Likely first category: RP/RPO or a federal-contracts attorney
Why: Your first problem is clause and scope interpretation.

Situation: "We're Level 1 or Level 2 (Self) and need SPRS/affirmation discipline."
Likely first category: RP/RPO, GRC platform, readiness provider
Why: Your first problem is evidence, score, and process.

Situation: "We handle CUI but our environment isn't ready."
Likely first category: MSP/MSSP, CUI enclave, GCC High/GovCloud implementation, GRC
Why: Your first problem is the environment and control implementation.

Situation: "Our clause requires Level 2 (C3PAO) and our evidence is mature."
Likely first category: C3PAO assessment path
Why: A formal assessment may be appropriate now.

Situation: "We're Level 3 or expect the most sensitive CUI."
Likely first category: Specialized readiness + DIBCAC-aware path
Why: Level 3 requires a Final Level 2 (C3PAO) first, then DIBCAC.

Situation: "We're a subcontractor receiving CUI from a prime."
Likely first category: RP/RPO + supplier-verification workflow
Why: You need flow-down clarity and a clean evidence package.

This is editorial category routing based on verified regulatory facts — not a ranking, an endorsement, or compliance advice. The category you actually need depends on your contract.

Get the category right before you spend a dollar.

Tell us your required level, assessment type, CUI scope, environment, and timeline in Find My CMMC Path, and we’ll match you with source-checked provider categories that fit your situation.

Do not submit CUI, drawings, or sensitive contract details.


Common mistakes that cost a bid or slow an award

The costliest CMMC mistakes are usually not failed controls — they are misreadings of the rule. Contractors lose time and eligibility by confusing the two rules, assuming every Level 2 path needs a C3PAO, missing an SPRS or affirmation requirement, or treating conditional status as permanent. Here are the ones we see most often:


How we verified this page

This page is built from primary-source rule text and official program materials — not vendor marketing. We verified the 48 CFR DFARS final rule, the 32 CFR CMMC program rule, the relevant clause text, the phased-implementation schedule, the NIST publication mappings, and the February 2026 clause changes as of the last-verified date below. We did not evaluate named providers on this page.

Primary sources verified for this page and what each was used for

Source checked: Federal Register, 48 CFR CMMC final rule (90 FR 43560, pp. 43560–43577; doc 2025-17359)
Used for: Effective date, DFARS structure, award eligibility, SPRS checks, phase-in, COTS exclusion, impact estimates

Source checked: eCFR, 32 CFR Part 170 (incl. § 170.3(e), §§ 170.14–170.18, § 170.23)
Used for: CMMC levels, assessment types, scoping, affirmation, conditional/POA&M mechanics, four-phase schedule, subcontractor flow-down

Source checked: Acquisition.gov, DFARS 252.204-7012 (MAY 2024), 7021 (NOV 2025), 7025 (NOV 2025)
Used for: Current clause and provision text

Source checked: DoD DFARS Revolutionary FAR Overhaul class-deviation page
Used for: The February 1, 2026 elimination of 7019 and renumbering of 7020 to 252.240-7997 (Class Deviation 2026-O0025)

Source checked: NIST CSRC
Used for: NIST SP 800-171 Rev. 2 and NIST SP 800-172 references

Source checked: SPRS official documentation
Used for: What SPRS stores and how assessment information is represented

What we did not verify here: any named provider’s Cyber AB Marketplace status, provider pricing, provider success claims, or customer outcomes. We publish no reviews, ratings, or “best provider” awards on this page, and we imply no endorsement by Cyber AB, DoD, DIBCAC, or NIST.

Last verified: . Regulatory dates, DFARS clause text, SPRS procedures, and NIST mappings should be re-verified before each major CMMC phase change — the next is Phase 2 on November 10, 2026.


Frequently asked questions about the 48 CFR CMMC final rule

What is the 48 CFR CMMC final rule?

It is DoD’s final DFARS acquisition rule that incorporates CMMC requirements into DoD solicitations and contracts. It was published September 10, 2025 (90 FR 43560) and took effect November 10, 2025.

Is the 48 CFR CMMC final rule the same as the 2024 “CMMC Final Rule”?

No. The 2024 rule was 32 CFR Part 170, the program rule that created CMMC. The 48 CFR rule is the second final rule and tells contracting officers how to put CMMC into contracts. Both are final; they do different jobs.

What is DFARS 252.204-7021?

It is the CMMC contract clause governing contractor compliance: current CMMC status, annual affirmation, CMMC UID, and flow-down to subcontractors. It was not changed by the February 2026 FAR Overhaul.

What is DFARS 252.204-7025?

It is the solicitation provision that states the required CMMC level and assessment type and requires the offeror to provide CMMC unique identifiers in the proposal.

Did the 2026 FAR Overhaul cancel CMMC?

No. It eliminated DFARS 252.204-7019 and renumbered 252.204-7020 to 252.240-7997, but DFARS 252.204-7021, 252.204-7025, and 252.204-7012 were not changed. CMMC remains a condition of award.

If DFARS 252.204-7019 is gone, do I still post anything in SPRS?

Yes, when a CMMC requirement applies. Under DFARS 252.204-7021 and 252.204-7025 you still need a current CMMC status, your CMMC UID(s), self-assessment results where the level is self-assessed, and a current annual affirmation in SPRS. What went away on February 1, 2026 was the older standalone “Basic” NIST SP 800-171 self-assessment mechanism under the prior 7019/7020 structure — not your CMMC SPRS obligations.

Does every DoD contract now require CMMC?

No. The rule phases in through 2028 and excludes acquisitions solely for commercially available off-the-shelf (COTS) items. Whether a specific contract requires CMMC depends on the phase and the program office’s determination, stated in the DFARS 252.204-7025 provision. Read the solicitation.

Does Level 2 always require a C3PAO?

No. Level 2 can be self-assessed or assessed by a C3PAO depending on what the contract specifies. A contractor cannot self-select the self-assessment path if the clause requires a C3PAO.

What is a CMMC UID?

A CMMC unique identifier is a 10-character identifier assigned to each CMMC assessment and reflected in SPRS for a contractor information system. You provide the relevant UID(s) for the systems used in performance.

Can conditional CMMC status support an award?

Yes, for Level 2 and Level 3, for up to 180 days, if the Plan of Action and Milestones is closed out in time. Level 1 must be Final for award.

Are COTS contracts excluded from CMMC?

Yes. Acquisitions exclusively for commercially available off-the-shelf (COTS) items are excluded; the COTS definition aligns with FAR 2.101.

Does NIST SP 800-171 Revision 3 control CMMC Level 2?

Not under the current rule. CMMC Level 2 maps to NIST SP 800-171 Revision 2 unless DoD amends the CMMC rule or the applicable contract requirement.

Does DFARS 252.204-7012 still matter?

Yes. It remains in force for safeguarding covered defense information and includes the 72-hour cyber incident reporting requirement.

My purchase order includes 7021 but no clear level — what do I do?

Don’t guess. Ask the contracting officer, prime, or next-tier customer for the required CMMC level and assessment type, and confirm with a Registered Practitioner (RP/RPO) or contracts counsel.

Is The Defense Compliance Report affiliated with the Cyber AB or DoD?

No. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance and is not affiliated with the Cyber AB, DoD, DCMA DIBCAC, NIST, or any U.S. government agency.


Your next move

You now know what the 48 CFR CMMC final rule is, when it took effect, which clauses control, what changed in 2026, and what can block an award. The one thing a general page can’t do is tell you your required level, scope, and path; that comes from your clause and your FCI/CUI handling. Don’t buy the wrong kind of help to solve a problem you haven’t scoped.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Do not submit CUI, drawings, export-controlled technical data, security plans, vulnerability details, or sensitive contract attachments through this form.


Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. See our editorial and advertising policy.