The CMMC Final Rule, Explained: What Changed, When It Hits, and What to Do Now
Phase 1 is active now: November 10, 2025 – November 9, 2026.
If a CMMC clause just landed in your solicitation — or a prime just emailed to say you "need CMMC" — here's the short version: the CMMC Final Rule is real, it's in effect, and it is already deciding who can win Department of Defense work. "The CMMC Final Rule" isn't one document. It's two rulemakings working together, plus a third change from February 2026 that quietly renumbered the very clauses you were trained to look for. This page covers all of it — every claim sourced to the rule itself.
The bottom line, up front
The CMMC Final Rule is active in two parts. The program rule — 32 CFR Part 170 — created the Cybersecurity Maturity Model Certification (CMMC) program and took effect December 16, 2024. The acquisition rule — the DFARS rule (DFARS Case 2019-D041) — put CMMC into DoD contracts and took effect November 10, 2025. Both are live today. [Federal Register, 89 FR 83092; Federal Register, DFARS final rule 2025-17359]
Three things decide what you actually owe:
- Your data. Do you handle Federal Contract Information (FCI), Controlled Unclassified Information (CUI), both, or neither? That sets your CMMC level.
- Your contract clause. A provision called DFARS 252.204-7025 in the solicitation tells you the exact CMMC status required to be eligible for award — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC). The clause sets your level. A checklist can't.
- Your phase. We're in Phase 1, which leans on self-assessment. The pressure point for most contractors handling CUI is Phase 2, which begins November 10, 2026, when third-party certification becomes the standard for Level 2. [32 CFR 170.3(e)]
One honest caveat before we go deep
No page — including this one — can tell you your required CMMC level. Only your contract clause can. Anyone who quotes you a "CMMC package" before reading your solicitation is guessing. Once you know your clause, your data type, and your scope, the rest of the decision gets a lot smaller — and this page will show you exactly where to find each piece and what it means.
Who this is for — and who should read something else
This page is for the people who have to make the call: CISOs, IT directors, compliance managers, FSOs, contracts officers, and owners of small DIB suppliers.
- If you only sell COTS products to the DoD, CMMC generally does not apply to you. [32 CFR 170; Federal Register] Confirm it with your contracts lead and move on.
- If you already know your level and want the step-by-step process, start with our CMMC certification process guide instead.
- If you're trying to size an isolated CUI environment, our CMMC enclave cost breakdown is the better door.
Is the CMMC Final Rule actually in effect right now?
Yes. The CMMC program rule (32 CFR Part 170) took effect December 16, 2024, and the DFARS acquisition rule took effect November 10, 2025. As of mid-2026, Phase 1 of the rollout is active and runs through November 9, 2026. [Federal Register, 89 FR 83092; 32 CFR 170.3(e)] The requirement is not "coming." It is here — it is simply phasing in.
"Effective" does not mean every contract changed overnight. DoD is rolling CMMC into solicitations over four annual phases, and Phase 1 starts with the lightest-touch options — Level 1 and Level 2 self-assessments — while third-party assessments become standard later. [32 CFR 170.3(e)]
CMMC can't be forced into a contract you already signed.
DoD officials have been explicit that CMMC applies to new solicitations and to option or extension years — not retroactively to a base contract already in effect. [Cyber AB Town Hall, Nov. 2025] If your contract is up for renewal, certification can become a condition of that renewal.
The clock that matters most is Phase 2.
For contractors that handle CUI, November 10, 2026 is when a certified third-party assessment becomes the default. Given that readiness commonly takes 12–18 months, "we'll deal with it later" is, for a lot of companies, already late.
Why does everyone keep calling it "two rules"?
The CMMC Final Rule is two separate rulemakings. 32 CFR Part 170 is the program rule — it defines how CMMC works. The DFARS acquisition rule is the contract rule — it puts CMMC into solicitations and makes your status a condition of award. You need both to understand your obligation. [Federal Register, 89 FR 83092; Federal Register, DFARS final rule]
The program rule (32 CFR Part 170) is the rulebook. Published October 15, 2024 (89 FR 83092), effective December 16, 2024. It defines the levels, assessment types, scoping, scoring, plans of action, the annual affirmation, and the roles in the assessment ecosystem. When you want to know what CMMC requires, you're asking about 32 CFR Part 170. [Federal Register, 89 FR 83092]
The acquisition rule (the DFARS rule) is the switch that turns it on inside contracts. Published September 10, 2025, took effect November 10, 2025. [Federal Register, DFARS final rule] It works through two instruments you'll actually see in your paperwork:
- DFARS 252.204-7025 (a solicitation provision) — the notice that tells offerors which CMMC status is required to be eligible for award. [Acquisition.gov, 252.204-7025]
- DFARS 252.204-7021 (a contract clause) — the requirement to hold and maintain that status through performance and flow it down to subcontractors. [Acquisition.gov, 252.204-7021]
The two rules, side by side
| | Program rule | Acquisition rule |
|---|---|---|
| Citation | 32 CFR Part 170 | 48 CFR (DFARS), Case 2019-D041 |
| Published | Oct. 15, 2024 (89 FR 83092) | Sept. 10, 2025 |
| Effective | Dec. 16, 2024 | Nov. 10, 2025 |
| What it does | Defines the CMMC program: levels, assessment types, scoping, scoring, POA&Ms, affirmations, ecosystem roles | Puts CMMC into solicitations and contracts as a condition of award and performance |
| Key instruments | The CMMC model and assessment framework | Provision 252.204-7025 (notice) and clause 252.204-7021 (compliance) |
| The question it answers | What does CMMC require? | When does it apply to my contract, and what happens if I don't meet it? |
Does the CMMC Final Rule apply to me?
CMMC applies to any DoD contractor or subcontractor whose systems process, store, or transmit FCI or CUI in the course of a contract. If you only handle FCI, you're generally looking at Level 1. If you handle CUI, you're at Level 2 or higher. If you deal exclusively in COTS products, you're generally exempt. [32 CFR 170; Federal Register]
Two data types drive everything:
- Federal Contract Information (FCI): information provided by or generated for the government under a contract that's not intended for public release. FCI puts you at Level 1.
- Controlled Unclassified Information (CUI): information the government requires to be safeguarded under law, regulation, or government-wide policy. CUI puts you at Level 2 — and, for the most sensitive programs, Level 3.
The mistake we watch small manufacturers make is assuming "DoD subcontract" automatically means Level 2. It doesn't. If a prime only flows you FCI, you're likely at Level 1. If they flow you CUI, you're at least Level 2. The trigger is the data, not the size of the contract or your tier in the supply chain.
Three applicability rules worth knowing:
- Flow-down is real and it reaches deep. Under 32 CFR 170.23, primes must flow CMMC requirements down to any subcontractor that will process, store, or transmit FCI or CUI — including second- and third-tier subs that never contract directly with the DoD. [32 CFR 170.23]
- Cloud for CUI has a hard bar. If a cloud service provider (CSP) stores, processes, or transmits your CUI, that environment must meet the FedRAMP Moderate baseline (or demonstrate FedRAMP Moderate equivalency). [32 CFR 170.19; DFARS 252.204-7012] "We use the cloud" is not the same as "we're compliant."
- COTS-only is the main exemption. Contractors dealing exclusively in commercially available off-the-shelf products are generally outside CMMC. [Federal Register]
Read the clause first
You cannot reason your way to your required level from a blog post. The number lives in your solicitation, your contract, or your prime's written flow-down. So before you price anything:
The CMMC Final Rule Trigger Map
| What just happened to you | Governing source | What status/evidence matters | Where it lives | First provider category to consider | Costly mistake to avoid |
|---|---|---|---|---|---|
| Solicitation lists Level 1 (Self) | 252.204-7025 + 32 CFR 170 | All 15 Level 1 requirements met; no POA&M allowed | SPRS + annual affirmation | Internal owner, or light RP/RPO help | Buying Level 2 tooling before confirming you even handle CUI |
| Solicitation lists Level 2 (Self) | 252.204-7025 + 32 CFR 170.16 | Conditional or Final Level 2 (Self) vs. NIST SP 800-171 Rev. 2 | You post the score in SPRS; affirm | RPO/RP; MSSP or GRC platform if evidence is thin | Treating "self" as "no proof needed" |
| Solicitation lists Level 2 (C3PAO) | 252.204-7025 + 32 CFR 170.17 | Conditional or Final Level 2 (C3PAO) | C3PAO enters results in eMASS → flows to SPRS | Readiness (RPO/MSSP) first if not ready; a separate C3PAO when you are | Hiring the assessor before scope, SSP, and evidence are stable |
| Solicitation lists Level 3 (DIBCAC) | 32 CFR 170 | Final Level 2 (C3PAO) first, then 24 added 800-172 requirements | DIBCAC assessment → eMASS/SPRS | Experienced RP/RPO + federal-contracts counsel | Assuming a C3PAO performs the Level 3 assessment (the government does) |
| Prime says "you need CMMC" but names no level | 32 CFR 170.23 + DFARS flow-down | Depends on the data flowed to you and the prime's requirement | Written flow-down, subcontract, or PO | Contracts lead + RP/RPO | Spending money on a vague email |
| You're a sub handling FCI only | 32 CFR 170.23 | Level 1 (Self), if flowed down | SPRS + affirmation | Internal owner or RP/RPO | Over-scoping to Level 2 you don't need |
| You're a sub handling CUI | 32 CFR 170.23 | At least Level 2; assessment type set by the flow-down | Subcontract flow-down + SPRS | RPO/MSSP/enclave first; C3PAO when ready | Under-scoping CUI hiding in email and file shares |
| You hold Conditional Level 2 | 32 CFR 170.21 | POA&M open items must close in 180 days | SPRS/eMASS | Remediation support | Assuming every open item can sit on a POA&M (it can't) |
| You put CUI in a cloud/CSP/ESP | 32 CFR 170.19 + 252.204-7012 | CSP at FedRAMP Moderate (or equivalency); ESP scope documented | SSP + CMMC scope | CUI enclave / GovCloud / secure-collaboration specialist | Assuming "cloud" is automatically compliant |
| Your contract only has 252.204-7012 today | 252.204-7012 | NIST SP 800-171 and safeguarding duties already apply | Contract, SSP, SPRS | Gap assessment before any purchase | Ignoring 7012 because the CMMC clause isn't there yet |
Not sure which row is yours?
Find My CMMC Path walks through your clause, data type, level, environment, and timeline and points you to the provider category that fits — before you request a single quote. Free, and built for exactly this moment. Do not submit CUI, drawings, contract numbers, or sensitive system details.
Find My CMMC Path →
What does the CMMC Final Rule actually require? The three levels
CMMC has three levels, and they are not interchangeable. Level 1 protects FCI with 15 requirements and an annual self-assessment. Level 2 protects CUI with 110 requirements from NIST SP 800-171 Revision 2. Level 3 adds 24 requirements from NIST SP 800-172 for the most sensitive programs and is assessed by the government. [32 CFR 170.14; Federal Register] Your contract clause tells you which one you need.
Level 1 — Foundational (FCI)
Fifteen basic safeguarding requirements, drawn from the federal clause historically numbered FAR 52.204-21. [Federal Register] You self-assess annually, post the result in SPRS, and submit an annual affirmation. There is no POA&M at Level 1 — all 15 must be fully met, no exceptions. A false Level 1 affirmation in SPRS is still a false statement to the government.
Level 2 — Advanced (CUI)
This is where most of the Defense Industrial Base lives. Level 2 requires all 110 security requirements from NIST SP 800-171 Revision 2, organized into 14 control families. [32 CFR 170.14; NIST SP 800-171 Rev. 2] Those 110 requirements break down into 320 discrete assessment objectives — the individual pass/fail checkpoints an assessor actually scores under NIST SP 800-171A. "We do MFA" is not the same as passing every objective tied to it.
Level 2 comes in two flavors, and the difference is worth real money:
- Level 2 (Self): you assess yourself and post the score. Available for applicable contracts, especially during Phase 1.
- Level 2 (C3PAO): a Certified Third-Party Assessment Organization (C3PAO) — an independent firm authorized by the Cyber AB — assesses you. The C3PAO enters results into the government's eMASS system, which transmits your status to SPRS. [Federal Register]
Both paths are valid for three years, with an annual affirmation in between. Which one you owe is set by the clause, not by the phrase "Level 2" alone.
Level 3 — Expert (most sensitive CUI)
Level 3 layers 24 selected requirements from NIST SP 800-172 on top of all 110 Level 2 requirements — 134 in total. [Federal Register; NIST SP 800-172, Feb. 2021] You must already hold a Final Level 2 (C3PAO) status before you can pursue it, and the assessment is performed by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) — not a C3PAO. It's reserved for programs facing nation-state-level threats.
Level 2 (Self) vs. Level 2 (C3PAO): the expensive mix-up
Seeing "Level 2" in a clause does not tell you whether you can self-assess or must hire a C3PAO. That is a separate specification in your contract's required CMMC status. Assuming "Level 2 means C3PAO" — or that "self-assessment means easy" — is one of the most common and costly errors we see. [Acquisition.gov, 252.204-7025]
| Your clause specifies | Assessment path | Who assesses | Where results go |
|---|---|---|---|
| Level 2 (Self) | Self-assessment | You | SPRS |
| Level 2 (C3PAO) | Certification assessment | Authorized C3PAO | eMASS → SPRS |
| Level 3 (DIBCAC) | Government assessment | DCMA DIBCAC | eMASS → SPRS |
What will the CMMC Final Rule cost?
The DoD's published cost estimates are assessment-and-affirmation figures, not full implementation budgets. For a small entity, DoD estimates roughly $6,000 a year for Level 1, about $37,000 over three years for Level 2 (Self), and about $104,670 over three years for Level 2 (C3PAO). Crucially, those numbers exclude the cost of actually building your security environment. [Federal Register, 32 CFR Part 170 Regulatory Impact Analysis] The real budget is almost always larger — but it's also more controllable than the scary headline suggests.
When DoD priced the program, it assumed you've been implementing NIST SP 800-171 since DFARS 252.204-7012 first appeared in 2017. So its estimates cover only the cost to prove compliance — not the cost to achieve it. [Federal Register] In DoD's words, those implementation costs "should already have been incurred."
DoD's own estimates vs. the real buying decision
| Path | DoD small-entity estimate | What it does not include |
|---|---|---|
| Level 1 (Self) | ~$6,000 / year (small); ~$4,000 (larger) | Any remediation if basic safeguards are missing |
| Level 2 (Self) | ~$37,000 over 3 years | Tooling, documentation, managed security, remediation |
| Level 2 (C3PAO) | ~$104,670 over 3 years (small); ~$118,000 (larger) | Building the environment, enclave, evidence rebuild |
| Level 3 (DIBCAC) | Level 2 cost + advanced 800-172 work | Program-specific complexity (industry estimates add ~$40,000+) |
In the open market, a C3PAO assessment fee alone commonly runs $30,000–$75,000, and assessment fees are typically only about a quarter of total compliance cost. Full first-year spend to reach Level 2 frequently lands in the $100,000–$300,000+ range depending on scope and starting maturity. [Industry-reported; PreVeil, Secureframe, and others]
Three levers control that number, in order of impact:
- Scope. If CUI flows through your entire network, your entire network is in scope. Isolating CUI into a defined boundary — an enclave — is the single biggest cost reducer available to most small contractors.
- Starting maturity. A contractor that has genuinely run NIST 800-171 since 2017 pays to verify. One starting from scratch pays to build.
- Buying sequence. Whether you need an enclave, managed security, documentation help, or GRC tooling — and whether you buy those before or after you've defined scope.
And a note of genuine hope: cost offsets exist. Some states fund CMMC readiness directly (Connecticut has offered grants up to $35,000), and on cost-reimbursable work, compliance spend can be treated as an allowable cost under FAR Part 31. [State program materials; FAR Part 31] Talk to your accountant and your contracts lead before you assume the whole bill is out of pocket.
For a deeper breakdown by scope, environment, and provider type, see our CMMC Level 2 cost guide.
Want a starting point you can act on today?
Download our CMMC Readiness Checklist, mapped to the 14 NIST SP 800-171 Rev. 2 families, and see where your gaps actually are before you price a single vendor. It's a self-serve first step — no forms, no CUI, no sensitive details.
Download Readiness Checklist →
When do the requirements hit? The four-phase rollout
CMMC phases in over four annual steps. Phase 1 began November 10, 2025; Phase 2 begins November 10, 2026; Phase 3 begins November 10, 2027; and Phase 4 — full implementation — begins November 10, 2028. Each phase widens which assessment types appear in contracts. [32 CFR 170.3(e); DoD CIO CMMC resources]
Notably, Phase 1 was extended six months from what the proposed rule floated — a small mercy, and a sign DoD is watching capacity. [Federal Register] But the phases move quickly, and the one that matters to most CUI-handling contractors is Phase 2.
| Phase | Dates | What DoD intends to include | What it means for you |
|---|---|---|---|
| Phase 1 | Nov. 10, 2025 – Nov. 9, 2026 | Level 1 (Self) and Level 2 (Self) in applicable contracts; Level 2 (C3PAO) at DoD's discretion | Self-assessment obligations — and some C3PAO requirements — can already affect your bids. Don't wait to define scope. |
| Phase 2 | Nov. 10, 2026 – Nov. 9, 2027 | Level 2 (C3PAO) becomes the standard for applicable contracts; Level 3 at DoD's discretion | If you handle CUI, be scoped and evidence-ready before this window. This is the deadline that matters. |
| Phase 3 | Nov. 10, 2027 – Nov. 9, 2028 | Level 2 (C3PAO) more broadly; Level 3 for applicable contracts | Higher pressure on assessed Level 2 and Level 3 programs. |
| Phase 4 | Starts Nov. 10, 2028 | Full implementation across applicable DoD solicitations and contracts, including option periods | CMMC becomes normal across FCI/CUI contract actions. |
The math is unforgiving. Readiness commonly takes 12–18 months, and C3PAO scheduling is already running months out. If you handle CUI and you haven't started, Phase 2 is not a future problem — it's a current one.
What changed in 2026? The FAR overhaul and clause renumbering
On February 1, 2026, a set of class deviations under the Revolutionary FAR Overhaul renumbered the cybersecurity clauses. DFARS 252.204-7019 was eliminated, DFARS 252.204-7020 was moved to DFARS 252.240-7997, and FAR 52.204-21 was renumbered to FAR 52.240-93. The CMMC clauses — 252.204-7021 and 252.204-7025 — and the safeguarding clause 252.204-7012 did not change. [DoD class deviation 2026-O0025; DFARS Part 240; FAR Part 40]
The Revolutionary FAR Overhaul (RFO) began with Executive Order 14275 in April 2025 and is being implemented in two steps: interim class deviations now, formal rulemaking later. The first tranche — 31-plus DFARS class deviations — took effect February 1, 2026, creating a new FAR Part 40 and DFARS Part 240 to consolidate cybersecurity and supply-chain requirements. [DoD class deviations; industry legal analysis, incl. Wiley] The renumbering is administrative, but the practical effects are real.
The 2026 CMMC clause crosswalk
| Old citation | New citation (eff. Feb. 1, 2026) | What actually changed |
|---|---|---|
| FAR 52.204-21 (Basic Safeguarding) | FAR 52.240-93 | Renumbered; same 15 requirements, same text. (CMMC Level 1 assessment guidance still references 52.204-21 during the transition.) |
| DFARS 252.204-7019 (Notice of NIST 800-171 Assessment) | Eliminated | Removed as a standalone provision. |
| DFARS 252.204-7020 (NIST 800-171 DoD Assessment Reqs.) | DFARS 252.240-7997 | Relocated to DFARS Part 240; the standalone “Basic self-assessment” concept was removed. Now defines only government-performed Medium and High assessments. |
| DFARS 252.204-7012 (Safeguarding/Incident Reporting) | Unchanged | Still in full effect: NIST 800-171, 72-hour incident reporting, cloud requirements, flow-down. |
| DFARS 252.204-7021 (CMMC compliance clause) | Unchanged | Still the clause that requires you to hold and maintain your CMMC status. |
| DFARS 252.204-7025 (CMMC level notice) | Unchanged | Still the solicitation provision that states your required status. |
The critical nuance — do not misread this
Some headlines claimed contractors "no longer have to self-assess or post scores in SPRS." That is dangerously incomplete. What the RFO did was remove the old, parallel "Basic" NIST 800-171 self-assessment track and fold assessment obligations into CMMC itself. [Redstone GCI; Peerless; DoD class deviation] If you handle CUI, you must still implement all 110 NIST 800-171 Rev. 2 requirements, maintain a System Security Plan, report incidents within 72 hours, and obtain CMMC certification when your contract requires it. SPRS remains the system of record.
Two things to do about all this:
- Expect to juggle both numbering systems. Solicitations issued after February 1, 2026 use the new numbers; older contracts and the current Code of Federal Regulations still show the old ones — until formal rulemaking catches up. [DoD class deviations]
- Update your proposal boilerplate and compliance mappings. If your SSP, templates, or training reference 52.204-21 or 7019/7020 by number, add the new citations now.
Does CMMC use NIST SP 800-171 Rev. 2 or Rev. 3?
Under the current CMMC Final Rule, Level 2 maps to NIST SP 800-171 Revision 2 — the 110 requirements across 14 families. NIST published Revision 3 in May 2024, but CMMC has not adopted it; DoD pinned the program to Rev. 2 through a class deviation. Do not build to Rev. 3 for CMMC purposes unless and until DoD amends the rule. [32 CFR 170.14; NIST SP 800-171 Rev. 2; DoD class deviation]
NIST SP 800-171 Revision 3 exists. It restructures the controls (roughly 97 requirements, three new families, and a set of organization-defined parameters) and its assessment companion, NIST SP 800-171A Rev. 3, changed accordingly. [NIST CSRC] But CMMC Level 2 is still tied to Revision 2, held in place by a DoD class deviation issued in 2024. A transition to Rev. 3 is expected eventually, with DoD signaling 12–24 months of advance notice. [DoD CIO CMMC materials]
Your assessment today is against Rev. 2. Watch NIST's Computer Security Resource Center and the DoD CIO CMMC page for the transition, but don't let a vendor sell you a "Rev. 3-ready" program as if it were the current requirement. It isn't.
What if I'm not fully compliant? POA&Ms, conditional status, and the 80% rule
A Plan of Action and Milestones (POA&M) is not blanket permission to pass with gaps. Level 1 allows no POA&M at all. At Level 2, you can earn a Conditional status only if your assessment score is at least 80% of the total (a score of at least 88 out of 110, after each unmet requirement has cost you 1, 3, or 5 points), every open item is one the rule permits on a POA&M, and every open item is closed within 180 days or the conditional status expires. [32 CFR 170.21; Federal Register]
- Level 1: no POA&M. All 15 requirements must be fully met. [32 CFR 170.15]
- Level 2 — the 80% gate: you can achieve Conditional Level 2 if your assessment score divided by the 110 requirements is at least 0.8, which means a score of 88 or higher at the time of assessment. Because misses are weighted, that is not the same as 88 requirements met: two 5-point misses plus fourteen 1-point misses already leave you at 86. [32 CFR 170.21] Fall below that, and a POA&M won't save the assessment.
- Not everything can go on a POA&M. Any requirement weighted 3 or 5 points cannot be deferred at all; multifactor authentication (3.5.3) is a 5-point item, so an open MFA finding means no Conditional status regardless of your score. The one exception is CUI encryption (3.13.11), which may sit on a POA&M when encryption is deployed but not yet FIPS-validated. Five 1-point requirements are also excluded by name: external connections (3.1.20), control of public information (3.1.22), and the three physical-access requirements (3.10.3, 3.10.4, 3.10.5). [32 CFR 170.21; DoD Assessment Methodology]
- The 180-day clock is hard. If a closeout assessment doesn't confirm every item is met within 180 days, the Conditional Level 2 status expires, and standard contractual remedies apply. [Federal Register] Close the items and you convert to a Final status.
The 180-day conditional status milestone schedule
| Day | Milestone |
|---|---|
| Day 0 | Conditional status date recorded in SPRS |
| Days 30 / 60 / 90 | Remediation checkpoints — evidence, not intentions |
| Day 150 | Closeout evidence assembled and reviewed |
| Day 180 | Closeout deadline — Final status or the status expires |
SPRS scoring starts at 110 and subtracts 1, 3, or 5 points for each unmet requirement, with no partial credit (the only reduced deductions are 3 instead of 5 for partially implemented MFA and for encryption that is in place but not FIPS-validated), down to a floor of −203. [DoD NIST SP 800-171 Assessment Methodology] A handful of high-weight misses can put a real number deep underwater — which is exactly why documentation and evidence, not optimism, decide outcomes.
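To make the score gate, the POA&M eligibility rules, and the 180-day clock concrete, here is an added worked example. It is not part of the rule text or any DoD tool; it encodes the 32 CFR 170.21 criteria and the 1/3/5 scoring described above. Weights are supplied by the caller from the official DoD Assessment Methodology table (only the partial-credit rule for 3.5.3 and 3.13.11 is built in); the scenario data at the bottom is constructed, with the weights for 3.5.3, 3.13.11, 3.1.3, and 3.10.3 taken from that table and "constructed-N" identifiers standing in for unnamed 1-point requirements.

```python
"""Added example: Level 2 score and Conditional-status gate (32 CFR 170.21).

Scoring follows the DoD NIST SP 800-171 Assessment Methodology: start at 110
and subtract 1, 3 or 5 points for each unmet requirement. Weights are passed in
by the caller from the official table; only the partial-credit rule for 3.5.3
and 3.13.11 is encoded here.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110   # NIST SP 800-171 Rev. 2 requirements at Level 2
CLOSEOUT_DAYS = 180        # POA&M closeout window, 32 CFR 170.21

# 32 CFR 170.21(a)(2)(iii): 1-point requirements that may never be deferred.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
# 32 CFR 170.21(a)(2)(ii): the only requirement worth more than 1 point that
# may be deferred, and only when encryption is deployed but not FIPS-validated.
FIPS_EXCEPTION = "3.13.11"
# Assessment Methodology: 3 points (not 5) are deducted for a partial
# implementation of MFA (3.5.3) or non-FIPS-validated encryption (3.13.11).
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}


@dataclass(frozen=True)
class Finding:
    """One unmet requirement; `weight` is its 1/3/5 value from the official table."""
    req_id: str
    weight: int
    partial: bool = False  # the reduced-deduction case for 3.5.3 / 3.13.11

    def deduction(self) -> int:
        if self.partial and self.req_id in PARTIAL_CREDIT:
            return 3
        return self.weight  # otherwise no partial credit


@dataclass
class Verdict:
    score: int
    status: str                      # "Final", "Conditional" or "Not achieved"
    closeout_deadline: date | None   # set only for Conditional
    reasons: list[str] = field(default_factory=list)


def sprs_score(findings: list[Finding]) -> int:
    """110 minus the deduction for every unmet requirement."""
    return TOTAL_REQUIREMENTS - sum(f.deduction() for f in findings)


def evaluate(findings: list[Finding], assessed_on: date) -> Verdict:
    score = sprs_score(findings)
    if not findings:
        return Verdict(score, "Final", None)
    reasons: list[str] = []
    # Gate 1: score / total >= 0.8, checked in integers to avoid float edge cases.
    if score * 10 < TOTAL_REQUIREMENTS * 8:
        reasons.append(f"score {score} is below the 80% gate (88 of 110)")
    # Gate 2: every open item must be one the rule allows on a POA&M.
    for f in findings:
        if f.req_id in NEVER_ON_POAM:
            reasons.append(f"{f.req_id} may not be placed on a POA&M")
        elif f.deduction() > 1 and not (f.req_id == FIPS_EXCEPTION and f.partial):
            reasons.append(f"{f.req_id} costs {f.deduction()} points and cannot be deferred")
    if reasons:
        return Verdict(score, "Not achieved", None, reasons)
    # Conditional status: the 180-day closeout clock starts at the assessment date.
    return Verdict(score, "Conditional", assessed_on + timedelta(days=CLOSEOUT_DAYS))


# Constructed scenarios. Weights for 3.5.3, 3.13.11, 3.1.3 and 3.10.3 follow the
# DoD methodology; "constructed-N" ids are placeholders for unnamed 1-point items.
ASSESSED_ON = date(2026, 3, 2)
SCENARIO_A = [Finding("3.5.3", 5), Finding("3.1.3", 1)]                   # MFA open
SCENARIO_B = [Finding("3.13.11", 5, partial=True), Finding("3.1.3", 1)]  # FIPS exception
SCENARIO_C = [Finding(f"constructed-{i}", 1) for i in range(23)]         # 23 small misses
SCENARIO_D = [Finding("3.10.3", 1)]                                      # excluded 1-pointer

if __name__ == "__main__":
    for name, findings in [("A", SCENARIO_A), ("B", SCENARIO_B),
                           ("C", SCENARIO_C), ("D", SCENARIO_D)]:
        v = evaluate(findings, ASSESSED_ON)
        print(name, v.score, v.status, v.closeout_deadline, v.reasons)
```

Scenario A is the case contractors find hardest to accept: a score of 104 still yields no Conditional status, because the open MFA item is a 5-point requirement. Scenario B passes only because 3.13.11 is the named exception, and it starts a clock that ends 180 days after the assessment date. Scenario C shows the score gate on its own (23 one-point misses leave you at 87), and Scenario D shows a single excluded 1-point item blocking the POA&M entirely.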
How is the CMMC Final Rule actually enforced?
Enforcement runs through SPRS and the annual affirmation, and the real teeth are civil, not administrative. A senior company official must affirm your compliance in SPRS, and an inaccurate affirmation can trigger False Claims Act liability — the same mechanism the Department of Justice has already used to pursue contractors over cybersecurity misrepresentations. [Federal Register; DOJ Civil Cyber-Fraud Initiative]
The Supplier Performance Risk System (SPRS) is the system of record for your CMMC status and affirmations. Your status can be valid for up to three years, but it must be affirmed annually by a senior "affirming official" who is personally attesting that your company meets the requirements. [Federal Register] That signature is where the risk concentrates.
Because a CMMC status is now a condition of award, a knowingly inaccurate affirmation can be a false statement to the government under the False Claims Act (FCA), which carries treble damages and whistleblower (qui tam) exposure. The DOJ's Civil Cyber-Fraud Initiative, launched in 2021, exists specifically to bring these cases. Aerospace-and-defense contractor Aerojet Rocketdyne agreed to a $9 million settlement in 2022 to resolve allegations it misrepresented its compliance with federal cybersecurity requirements. [DOJ; public court records] The lesson isn't to fear the rule — it's that the affirmation is a legal instrument, and it should be true.
The C3PAO problem you need to know about — and what to do
In January 2025, the DoD Office of Inspector General reported that DoD had not effectively implemented the process for authorizing the very organizations that perform Level 2 assessments. [DoD OIG, Report DODIG-2025-056] Reviewing 11 of the then-48 authorized C3PAOs, the OIG found:
- Two were authorized without a signed C3PAO Agreement and Code of Professional Conduct;
- Four had quality-control leads whose certifications were never verified; and
- All 11 were authorized without adequately confirming that certified assessors and quality-control leads were actually on staff or under contract. [DoD OIG, DODIG-2025-056; MeriTalk]
Why this matters to you: relying on a flawed or inadequately authorized assessor could later be viewed as reckless — feeding back into that same FCA risk. [Wiley]
Buyer-protective move: verify authorization yourself.
Before you sign with a C3PAO, confirm its current authorization status on the Cyber AB Marketplace, get a dated screenshot, and verify that authorization is current as of your assessment date — not just your engagement date. Certification integrity matters as much as certification attainment.
For a curated list of authorized C3PAOs and what to verify, see our guide to the best C3PAOs for Level 2.
Where does the Defense Industrial Base actually stand?
Enforcement is live, but the ecosystem is small and readiness is smaller. As of the March 2026 Cyber AB Town Hall, there were about 103 authorized C3PAOs and roughly 759 certified assessors, and approximately 1,000 organizations had achieved Level 2 certification — against a DoD estimate of about 80,000 that will need it. That's roughly 1% readiness across the DIB. [Cyber AB Town Hall, March 2026]
| Metric | Figure (as of March 2026) |
|---|---|
| Authorized C3PAOs | ~103 |
| Certified CMMC Assessors (CCAs) | ~759 |
| New Level 2 certifications issued (March 2026) | ~178 |
| Total Level 2 certifications to date | ~1,000 |
| Organizations DoD estimates need Level 2 | ~80,000 |
| Approximate DIB readiness | ~1% |
| Typical C3PAO scheduling lead time | 6–12 months |
Two conclusions fall out of this data, and both are actionable:
- The bottleneck is readiness, not assessors. At ~178 certifications a month against ~80,000 needed, the constraint is you being ready, not a C3PAO being available. Fix readiness first.
- But book early anyway. Scheduling already runs 6–12 months out, and demand will spike as Phase 2 approaches in November 2026.
Assessor credentialing moved to ISACA (as the CMMC Assessor & Instructor Certification Organization, CAICO) in April 2026, and the Cyber AB is shifting from "standing up capacity" to accrediting assessors for consistency. [Cyber AB Town Hall, 2026]
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
What should you do now?
Your next step is not "hire a C3PAO." It's to confirm your required CMMC status, verify whether you handle FCI or CUI, define your assessment scope, check your SPRS record, and only then choose the provider category that matches your gap. [Acquisition.gov, 252.204-7025; 32 CFR 170] Sequence matters — buying before scoping is how contractors waste six figures.
Here's the checklist we'd run, in order:
- Pull the paperwork — the solicitation, contract, subcontract, or prime flow-down.
- Search it for the clauses — DFARS 252.204-7025 (your required status) and 252.204-7021 (your obligation to maintain it). Those two numbers did not change on February 1, 2026; it is the surrounding clauses (52.204-21, 7019, 7020) that were renumbered or removed, so search for both the old and the new citations in anything issued after that date.
- Identify your required CMMC status — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC).
- Confirm your data — FCI, CUI, both, or neither.
- Map where FCI/CUI actually lives — email, ERP, file shares, CAD, supplier portals, removable media. This is your scope, and scope is your cost.
- Check SPRS — is your status current? Are your CAGE codes, score, scope, and affirmation right?
- Choose the provider category that fits the gap — internal, RP/RPO, MSSP/MSP, GRC platform, CUI enclave, or C3PAO.
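The first three checklist steps are mechanical enough to script. The following Python triage is an added example written for this guide, not DoD tooling or anything the article's sources publish: it scans a solicitation or flow-down for the DFARS clause numbers named above, extracts the CMMC status written into the 252.204-7025 fill-in, and flags legacy 7019/7020 references. The clause notes come from this article's description of the February 2026 deviation; the assumption that the 7025 fill-in names exactly one of the four statuses after the clause number, and the sample solicitation excerpt, are constructed for illustration and are not actual solicitation text.

```python
import re

# Canonical CMMC status strings as written in DFARS 252.204-7025 (per the article).
_STATUS_RE = re.compile(r"Level\s*([123])\s*\(\s*(Self|C3PAO|DIBCAC)\s*\)", re.IGNORECASE)
_CLAUSE_RE = re.compile(r"\b252\.2(?:04|40)-7\d{3}\b")

# Clause meanings taken from the article's account of the Feb. 1, 2026 class deviation.
# Anything not listed is reported as unrecognized rather than guessed at.
CLAUSE_NOTES = {
    "252.204-7025": "provision: names the CMMC status required for award",
    "252.204-7021": "clause: maintain the required CMMC status; flows down to subs with FCI/CUI",
    "252.204-7012": "clause: safeguarding covered defense information and incident reporting",
    "252.204-7019": "LEGACY: eliminated by the Feb. 1, 2026 class deviation",
    "252.204-7020": "LEGACY: renumbered to 252.240-7997 by the Feb. 1, 2026 class deviation",
    "252.240-7997": "NIST SP 800-171 assessment clause (formerly 252.204-7020)",
}
UNRECOGNIZED = "unrecognized clause number; read it in the solicitation"


def _canon(m):
    """Normalize 'level 2 ( c3pao )' style matches to the four canonical strings."""
    level, kind = m.group(1), m.group(2)
    kind = "Self" if kind.lower() == "self" else kind.upper()
    return f"Level {level} ({kind})"


def find_clauses(text):
    """Every DFARS 252.204-7xxx / 252.240-7xxx number in the text, deduplicated and sorted."""
    return sorted(set(_CLAUSE_RE.findall(text)))


def required_status(text):
    """Extract the CMMC status the 252.204-7025 fill-in names.

    Assumption (ours, not the rule's): exactly one status string follows the 7025
    reference in a filled-in provision. If several distinct statuses follow it
    (an unfilled template listing all options), return None so a human reads it.
    """
    hits = [(m.start(), _canon(m)) for m in _STATUS_RE.finditer(text)]
    if not hits:
        return None
    anchor = text.find("252.204-7025")
    candidates = {s for pos, s in hits if anchor == -1 or pos > anchor}
    return candidates.pop() if len(candidates) == 1 else None


def triage(text):
    """Clauses found, the required status, and warnings for one solicitation or flow-down."""
    clauses = find_clauses(text)
    status = required_status(text)
    notes = {c: CLAUSE_NOTES.get(c, UNRECOGNIZED) for c in clauses}
    warnings = [f"{c}: {n}" for c, n in notes.items()
                if n.startswith("LEGACY") or n == UNRECOGNIZED]
    if "252.204-7021" in clauses and "252.204-7025" not in clauses:
        warnings.append("7021 present without 7025: ask the CO or prime which CMMC status applies")
    if "252.204-7025" in clauses and status is None:
        warnings.append("7025 present but no single CMMC status found: read the fill-in by hand")
    if not clauses:
        warnings.append("no DFARS cyber clauses found: confirm the document is complete")
    return {"clauses": notes, "required_status": status, "warnings": warnings}


# Constructed sample excerpt for illustration only; not an actual DoD solicitation.
SAMPLE = """Section I - Contract Clauses
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204-7021 Contractor Compliance with the CMMC Level Requirements
Section K - Provisions
252.204-7025 Notice of CMMC Level Requirements
   CMMC Status required for award: Level 2 (C3PAO)
Attachment list still cites 252.204-7020 (pre-2026 numbering).
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("Required CMMC status:", result["required_status"])
    for clause, note in result["clauses"].items():
        print(f"  {clause}: {note}")
    for warning in result["warnings"]:
        print("  WARNING:", warning)
```

Run it against the plain text of each solicitation, subcontract and prime flow-down you pulled in step 1. The output only tells you what the document says; it does not tell you whether you hold that status, which is what the SPRS check in step 6 is for.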
Which provider category fits your next step?
| Category | Use it when | Verify before you hire | Don't use it for |
|---|---|---|---|
| RP / RPO (Registered Practitioner / Organization) | Scoping, gap assessment, SSP/POA&M, readiness planning | Cyber AB Marketplace status; relevant experience; scoping method | The formal certification assessment |
| MSP / MSSP (Managed [Security] Service Provider) | Operating controls: logging, identity, endpoint, monitoring | CUI-environment fit; evidence support; incident response | Replacing your ownership of compliance |
| GRC platform (governance, risk, compliance software) | Evidence tracking, tasks, dashboards, SSP/POA&M support | 800-171 Rev. 2 / CMMC mapping and exports | Making you compliant by itself — software alone never satisfies CMMC |
| CUI enclave | Reducing scope by isolating CUI | Data flow; cloud boundary; FedRAMP Moderate/equivalency assumptions | Avoiding organizational controls entirely |
| C3PAO | The formal Level 2 certification assessment | Current authorization/accreditation and independence | Readiness consulting for the same engagement it will assess — that separation is required |
A word on that last row: a firm that prepares you generally cannot also be the C3PAO that assesses that same work. Readiness and assessment must stay separate. [32 CFR 170.8; Cyber AB Code of Professional Conduct; CMMC Assessment Process] If a single vendor offers to "get you ready and certify you," that's a flag, not a convenience.
For small businesses, see our guide to CMMC providers for small businesses.
Ready to map your situation to the right provider category?
The right provider isn't the same for every contractor. The category you need depends on your required level, your FCI/CUI handling, your assessment type, your environment, and your timeline — and the contract clause sets your level, not a checklist. Do not submit CUI, drawings, contract numbers, or sensitive system details — this is for provider-category routing only.
Find My CMMC Path →
What we actually verified for this guide
We don't ask you to take our word for it. Here's the source behind each major claim, verified in June 2026 against primary or authoritative sources.
- The two rules and their effective dates — Federal Register (32 CFR Part 170, 89 FR 83092, effective Dec. 16, 2024) and the DFARS final rule (effective Nov. 10, 2025).
- The four-phase schedule — 32 CFR 170.3(e) and the DoD CIO CMMC resources page.
- Levels, scoping, POA&M limits, and the 80% rule — eCFR (32 CFR Part 170, incl. §§170.14, 170.16, 170.17, 170.19, 170.21, 170.23) and the Federal Register discussion of the final rule.
- NIST versions — NIST SP 800-171 Rev. 2 and NIST SP 800-172 (Feb. 2021) via NIST CSRC; Rev. 2 pinning via DoD class deviation.
- The 2026 clause renumbering — DoD class deviation 2026-O0025 (DFARS Part 240 / FAR Part 40), corroborated by Wiley, Summit 7, and other 2026 legal analyses.
- Cost estimates — the Regulatory Impact Analysis in 32 CFR Part 170 (Federal Register); market ranges attributed to industry sources, not to DoD.
- Enforcement and the C3PAO audit — Acquisition.gov (252.204-7012, 252.204-7021, 252.204-7025), SPRS documentation, and DoD OIG Report DODIG-2025-056.
- Ecosystem counts — the Cyber AB Town Hall (March 2026) and Cyber AB Marketplace; verify live figures at cyberab.org/marketplace.
- The department-naming note — Executive Order 14347 (Sept. 2025) and the National Security Act of 1947.
CMMC Final Rule FAQ
Is the CMMC Final Rule final?
Yes. Both parts are final and effective: the program rule (32 CFR Part 170) since December 16, 2024, and the DFARS acquisition rule since November 10, 2025. The remaining variable is when a required CMMC status appears in your specific solicitation, contract, option, or subcontract flow-down. [Federal Register]
What’s the difference between the 32 CFR rule and the 48 CFR/DFARS rule?
32 CFR Part 170 defines the CMMC program — the levels, assessments, scoping, and scoring. The 48 CFR (DFARS) rule implements CMMC in contracts through provision 252.204-7025 (which states your required status) and clause 252.204-7021 (which requires you to maintain it). [eCFR; Acquisition.gov]
When did CMMC Phase 1 start, and when does Phase 2 begin?
Phase 1 started November 10, 2025 and runs through November 9, 2026, focused mainly on Level 1 and Level 2 self-assessments. Phase 2 begins November 10, 2026, when a Level 2 third-party (C3PAO) assessment becomes the standard for applicable contracts. [32 CFR 170.3(e); DoD CIO]
Does CMMC Level 2 always require a C3PAO?
No. Level 2 can be either Level 2 (Self) or Level 2 (C3PAO). Which one applies is set by the required CMMC status in your solicitation or flow-down — not by the phrase “Level 2” alone. [Acquisition.gov, 252.204-7025]
Does CMMC use NIST SP 800-171 Rev. 2 or Rev. 3?
Level 2 currently maps to NIST SP 800-171 Revision 2. NIST published Rev. 3 in May 2024, but CMMC has not adopted it, and DoD pinned the program to Rev. 2 by class deviation. Don’t build to Rev. 3 for CMMC unless DoD amends the rule. [32 CFR 170.14; NIST CSRC]
Did the 2026 FAR overhaul eliminate self-assessments and SPRS scores?
No — this is a common misreading. The February 1, 2026 class deviations removed the old standalone “Basic” NIST 800-171 self-assessment track (eliminating DFARS 252.204-7019 and moving 7020 to 252.240-7997) and folded assessment obligations into CMMC. If you handle CUI, you still implement all 110 controls, keep an SSP, report incidents, and certify under CMMC. SPRS is still the system of record. [DoD class deviation 2026-O0025]
What is DFARS 252.204-7025?
It’s the solicitation provision that tells offerors which CMMC status is required to be eligible for award — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC). It’s the first place to look to learn your required level. It was not renumbered in the 2026 overhaul. [Acquisition.gov]
What is DFARS 252.204-7021?
It’s the contract clause that requires you to hold and maintain the required CMMC status throughout performance and to flow the requirement down to subcontractors handling FCI or CUI. It was not renumbered in the 2026 overhaul. [Acquisition.gov]
Does the CMMC Final Rule apply to subcontractors?
Yes, when a subcontract involves FCI or CUI and the requirement is flowed down. FCI-only subs generally look at Level 1; subs handling CUI are at least Level 2, with the assessment type set by the prime’s flow-down. [32 CFR 170.23]
Are POA&Ms allowed?
Level 1 allows none. Level 2 and Level 3 allow them only under limited conditions — you must score at least 80% of the maximum (88 of 110 points at Level 2; because unmet requirements deduct 1, 3, or 5 points under the CMMC scoring methodology, that is a point score, not a count of controls), certain high-value requirements can’t be deferred, and every open item must close within 180 days or the conditional status expires. [32 CFR 170.21; 32 CFR 170.24]
Do I need a C3PAO right now?
Only if your required status is Level 2 (C3PAO) and you’re assessment-ready, or you’re preparing for a contract that will require it. Many contractors first need scoping, an SSP, evidence, remediation, an enclave decision, or an SPRS cleanup before engaging an assessor. [32 CFR 170]
How much does CMMC cost?
DoD’s small-entity estimates are roughly $6,000/year for Level 1, about $37,000 over three years for Level 2 (Self), and about $104,670 over three years for Level 2 (C3PAO) — and those figures exclude the cost of building your environment. Real first-year spend to reach Level 2 often runs $100,000–$300,000+ depending on scope and maturity. [Federal Register RIA; industry-reported]
Related reading
- CMMC Certification Process — step-by-step from scoping to SPRS
- CMMC Level 2 Assessment Guide — self vs. C3PAO, evidence, POA&M, and SPRS
- CMMC Level 2 Cost — DoD estimates vs. real market budgets
- CMMC Enclave Cost — how scope isolation changes your budget
- Best C3PAOs for Level 2 — what to verify before you sign
- CMMC Providers for Small Business — categories that fit small DIB budgets
- CMMC 2.0 Overview — the complete contractor decision resource