The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

The CMMC Final Rule, Explained: What Changed, When It Hits, and What to Do Now

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance.

The Defense Compliance Report is not affiliated with, endorsed by, or sponsored by the U.S. Department of Defense, the Cyber AB, DCMA DIBCAC, NIST, or any U.S. Government agency. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.

Phase 1 is active now: November 10, 2025 – November 9, 2026.

If a CMMC clause just landed in your solicitation — or a prime just emailed to say you "need CMMC" — here's the short version: the CMMC Final Rule is real, it's in effect, and it is already deciding who can win Department of Defense work. "The CMMC Final Rule" isn't one document. It's two rulemakings working together, plus a third change from February 2026 that quietly renumbered the very clauses you were trained to look for. This page covers all of it — every claim sourced to the rule itself.

The bottom line, up front

The CMMC Final Rule is active in two parts. The program rule — 32 CFR Part 170 — created the Cybersecurity Maturity Model Certification (CMMC) program and took effect December 16, 2024. The acquisition rule — the DFARS rule (DFARS Case 2019-D041) — put CMMC into DoD contracts and took effect November 10, 2025. Both are live today. [Federal Register, 89 FR 83092; Federal Register, DFARS final rule 2025-17359]

Three things decide what you actually owe:

  1. Your data. Do you handle Federal Contract Information (FCI), Controlled Unclassified Information (CUI), both, or neither? That sets your CMMC level.
  2. Your contract clause. A provision called DFARS 252.204-7025 in the solicitation tells you the exact CMMC status required to be eligible for award — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC). The clause sets your level. A checklist can't.
  3. Your phase. We're in Phase 1, which leans on self-assessment. The pressure point for most contractors handling CUI is Phase 2, which begins November 10, 2026, when third-party certification becomes the standard for Level 2. [32 CFR 170.3(e)]

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor's level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

One honest caveat before we go deep

No page — including this one — can tell you your required CMMC level. Only your contract clause can. Anyone who quotes you a "CMMC package" before reading your solicitation is guessing. Once you know your clause, your data type, and your scope, the rest of the decision gets a lot smaller — and this page will show you exactly where to find each piece and what it means.

Who this is for — and who should read something else

This page is for the people who have to make the call: CISOs, IT directors, compliance managers, FSOs, contracts officers, and owners of small DIB suppliers.


Is the CMMC Final Rule actually in effect right now?

Yes. The CMMC program rule (32 CFR Part 170) took effect December 16, 2024, and the DFARS acquisition rule took effect November 10, 2025. As of mid-2026, Phase 1 of the rollout is active and runs through November 9, 2026. [Federal Register, 89 FR 83092; 32 CFR 170.3(e)] The requirement is not "coming." It is here — it is simply phasing in.

"Effective" does not mean every contract changed overnight. DoD is rolling CMMC into solicitations over four annual phases, and Phase 1 starts with the lightest-touch options — Level 1 and Level 2 self-assessments — while third-party assessments become standard later. [32 CFR 170.3(e)]

CMMC can't be forced into a contract you already signed.

DoD officials have been explicit that CMMC applies to new solicitations and to option or extension years — not retroactively to a base contract already in effect. [Cyber AB Town Hall, Nov. 2025] If your contract is up for renewal, certification can become a condition of that renewal.

The clock that matters most is Phase 2.

For contractors that handle CUI, November 10, 2026 is when a certified third-party assessment becomes the default. Given that readiness commonly takes 12–18 months, "we'll deal with it later" is, for a lot of companies, already late.


Why does everyone keep calling it "two rules"?

The CMMC Final Rule is two separate rulemakings. 32 CFR Part 170 is the program rule — it defines how CMMC works. The DFARS acquisition rule is the contract rule — it puts CMMC into solicitations and makes your status a condition of award. You need both to understand your obligation. [Federal Register, 89 FR 83092; Federal Register, DFARS final rule]

The program rule (32 CFR Part 170) is the rulebook. Published October 15, 2024 (89 FR 83092), effective December 16, 2024. It defines the levels, assessment types, scoping, scoring, plans of action, the annual affirmation, and the roles in the assessment ecosystem. When you want to know what CMMC requires, you're asking about 32 CFR Part 170. [Federal Register, 89 FR 83092]

The acquisition rule (the DFARS rule) is the switch that turns it on inside contracts. Published September 10, 2025, took effect November 10, 2025. [Federal Register, DFARS final rule] It works through two instruments you'll actually see in your paperwork:

The two rules, side by side

CMMC program rule vs. acquisition rule comparison

| | Program rule | Acquisition rule |
|---|---|---|
| Citation | 32 CFR Part 170 | 48 CFR (DFARS), Case 2019-D041 |
| Published | Oct. 15, 2024 (89 FR 83092) | Sept. 10, 2025 |
| Effective | Dec. 16, 2024 | Nov. 10, 2025 |
| What it does | Defines the CMMC program: levels, assessment types, scoping, scoring, POA&Ms, affirmations, ecosystem roles | Puts CMMC into solicitations and contracts as a condition of award and performance |
| Key instruments | The CMMC model and assessment framework | Provision 252.204-7025 (notice) and clause 252.204-7021 (compliance) |
| The question it answers | What does CMMC require? | When does it apply to my contract, and what happens if I don't meet it? |

Sources: Federal Register (89 FR 83092); Federal Register (DFARS final rule); Acquisition.gov (252.204-7021, 252.204-7025).


Does the CMMC Final Rule apply to me?

CMMC applies to any DoD contractor or subcontractor whose systems process, store, or transmit FCI or CUI in the course of a contract. If you only handle FCI, you're generally looking at Level 1. If you handle CUI, you're at Level 2 or higher. If you deal exclusively in COTS products, you're generally exempt. [32 CFR 170; Federal Register]

Two data types drive everything:

The mistake we watch small manufacturers make is assuming "DoD subcontract" automatically means Level 2. It doesn't. If a prime only flows you FCI, you're likely at Level 1. If they flow you CUI, you're at least Level 2. The trigger is the data, not the size of the contract or your tier in the supply chain.

Three applicability rules worth knowing:

Read the clause first

You cannot reason your way to your required level from a blog post. The number lives in your solicitation, your contract, or your prime's written flow-down. So before you price anything:

The right CMMC provider isn't the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.


The CMMC Final Rule Trigger Map

Most guides explain the rule. Almost none tell you what to do when a specific thing happens to you. This is the core of The CMMC Path Framework — our logic for mapping a contractor's situation to the right next step. It routes you to a provider category, never a named provider, and it is not a score, a ranking, or compliance advice.

CMMC Final Rule Trigger Map: situation-to-provider-category routing

| What just happened to you | Governing source | What status/evidence matters | Where it lives | First provider category to consider | Costly mistake to avoid |
|---|---|---|---|---|---|
| Solicitation lists Level 1 (Self) | 252.204-7025 + 32 CFR 170 | All 15 Level 1 requirements met; no POA&M allowed | SPRS + annual affirmation | Internal owner, or light RP/RPO help | Buying Level 2 tooling before confirming you even handle CUI |
| Solicitation lists Level 2 (Self) | 252.204-7025 + 32 CFR 170.16 | Conditional or Final Level 2 (Self) vs. NIST SP 800-171 Rev. 2 | You post the score in SPRS; affirm | RPO/RP; MSSP or GRC platform if evidence is thin | Treating "self" as "no proof needed" |
| Solicitation lists Level 2 (C3PAO) | 252.204-7025 + 32 CFR 170.17 | Conditional or Final Level 2 (C3PAO) | C3PAO enters results in eMASS → flows to SPRS | Readiness (RPO/MSSP) first if not ready; a separate C3PAO when you are | Hiring the assessor before scope, SSP, and evidence are stable |
| Solicitation lists Level 3 (DIBCAC) | 32 CFR 170 | Final Level 2 (C3PAO) first, then 24 added 800-172 requirements | DIBCAC assessment → eMASS/SPRS | Experienced RP/RPO + federal-contracts counsel | Assuming a C3PAO performs the Level 3 assessment (the government does) |
| Prime says "you need CMMC" but names no level | 32 CFR 170.23 + DFARS flow-down | Depends on the data flowed to you and the prime's requirement | Written flow-down, subcontract, or PO | Contracts lead + RP/RPO | Spending money on a vague email |
| You're a sub handling FCI only | 32 CFR 170.23 | Level 1 (Self), if flowed down | SPRS + affirmation | Internal owner or RP/RPO | Over-scoping to Level 2 you don't need |
| You're a sub handling CUI | 32 CFR 170.23 | At least Level 2; assessment type set by the flow-down | Subcontract flow-down + SPRS | RPO/MSSP/enclave first; C3PAO when ready | Under-scoping CUI hiding in email and file shares |
| You hold Conditional Level 2 | 32 CFR 170.21 | POA&M open items must close in 180 days | SPRS/eMASS | Remediation support | Assuming every open item can sit on a POA&M (it can't) |
| You put CUI in a cloud/CSP/ESP | 32 CFR 170.19 + 252.204-7012 | CSP at FedRAMP Moderate (or equivalency); ESP scope documented | SSP + CMMC scope | CUI enclave / GovCloud / secure-collaboration specialist | Assuming "cloud" is automatically compliant |
| Your contract only has 252.204-7012 today | 252.204-7012 | NIST SP 800-171 and safeguarding duties already apply | Contract, SSP, SPRS | Gap assessment before any purchase | Ignoring 7012 because the CMMC clause isn't there yet |

Regulatory basis: 32 CFR Part 170 defines applicability, phases, levels, scoping, assessment paths, POA&M limits, and flow-down; DFARS 252.204-7025 requires the solicitation to state the required status; DFARS 252.204-7021 requires you to maintain that status; SPRS is where status and affirmations are posted. [eCFR, 32 CFR Part 170; Acquisition.gov]

Not sure which row is yours?

Find My CMMC Path walks through your clause, data type, level, environment, and timeline and points you to the provider category that fits — before you request a single quote. Free, and built for exactly this moment. Do not submit CUI, drawings, contract numbers, or sensitive system details.

Find My CMMC Path →

What does the CMMC Final Rule actually require? The three levels

CMMC has three levels, and they are not interchangeable. Level 1 protects FCI with 15 requirements and an annual self-assessment. Level 2 protects CUI with 110 requirements from NIST SP 800-171 Revision 2. Level 3 adds 24 requirements from NIST SP 800-172 for the most sensitive programs and is assessed by the government. [32 CFR 170.14; Federal Register] Your contract clause tells you which one you need.

Level 1 — Foundational (FCI)

Fifteen basic safeguarding requirements, drawn from the federal clause historically numbered FAR 52.204-21. [Federal Register] You self-assess annually, post the result in SPRS, and submit an annual affirmation. There is no POA&M at Level 1 — all 15 must be fully met, no exceptions. A false Level 1 affirmation in SPRS is still a false statement to the government.

Level 2 — Advanced (CUI)

This is where most of the Defense Industrial Base lives. Level 2 requires all 110 security requirements from NIST SP 800-171 Revision 2, organized into 14 control families. [32 CFR 170.14; NIST SP 800-171 Rev. 2] Those 110 requirements break down into 320 discrete assessment objectives — the individual pass/fail checkpoints an assessor actually scores under NIST SP 800-171A. "We do MFA" is not the same as passing every objective tied to it.

Level 2 comes in two flavors, and the difference is worth real money:

Both paths are valid for three years, with an annual affirmation in between. Which one you owe is set by the clause, not by the phrase "Level 2" alone.

Level 3 — Expert (most sensitive CUI)

Level 3 layers 24 selected requirements from NIST SP 800-172 on top of all 110 Level 2 requirements — 134 in total. [Federal Register; NIST SP 800-172, Feb. 2021] You must already hold a Final Level 2 (C3PAO) status before you can pursue it, and the assessment is performed by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) — not a C3PAO. It's reserved for programs facing nation-state-level threats.

Level 2 (Self) vs. Level 2 (C3PAO): the expensive mix-up

Seeing "Level 2" in a clause does not tell you whether you can self-assess or must hire a C3PAO. That is a separate specification in your contract's required CMMC status. Assuming "Level 2 means C3PAO" — or that "self-assessment means easy" — is one of the most common and costly errors we see. [Acquisition.gov, 252.204-7025]

Level 2 Self vs C3PAO vs Level 3 assessment path comparison

| Your clause specifies | Assessment path | Who assesses | Where results go |
|---|---|---|---|
| Level 2 (Self) | Self-assessment | You | SPRS |
| Level 2 (C3PAO) | Certification assessment | Authorized C3PAO | eMASS → SPRS |
| Level 3 (DIBCAC) | Government assessment | DCMA DIBCAC | eMASS → SPRS |

What will the CMMC Final Rule cost?

The DoD's published cost estimates are assessment-and-affirmation figures, not full implementation budgets. For a small entity, DoD estimates roughly $6,000 a year for Level 1, about $37,000 over three years for Level 2 (Self), and about $104,670 over three years for Level 2 (C3PAO). Crucially, those numbers exclude the cost of actually building your security environment. [Federal Register, 32 CFR Part 170 Regulatory Impact Analysis] The real budget is almost always larger — but it's also more controllable than the scary headline suggests.

When DoD priced the program, it assumed you've been implementing NIST SP 800-171 since DFARS 252.204-7012 first appeared in 2017. So its estimates cover only the cost to prove compliance — not the cost to achieve it. [Federal Register] In DoD's words, those implementation costs "should already have been incurred."

DoD's own estimates vs. the real buying decision

CMMC cost comparison: DoD estimates vs. excluded costs by level

| Path | DoD small-entity estimate | What it does not include |
|---|---|---|
| Level 1 (Self) | ~$6,000 / year (small); ~$4,000 (larger) | Any remediation if basic safeguards are missing |
| Level 2 (Self) | ~$37,000 over 3 years | Tooling, documentation, managed security, remediation |
| Level 2 (C3PAO) | ~$104,670 over 3 years (small); ~$118,000 (larger) | Building the environment, enclave, evidence rebuild |
| Level 3 (DIBCAC) | Level 2 cost + advanced 800-172 work | Program-specific complexity (industry estimates add ~$40,000+) |

DoD figures: 32 CFR Part 170 Regulatory Impact Analysis, published in the Federal Register Oct. 15, 2024. Market figures are industry-reported ranges, not DoD estimates.

In the open market, a C3PAO assessment fee alone commonly runs $30,000–$75,000, and assessment fees are typically only about a quarter of total compliance cost. Full first-year spend to reach Level 2 frequently lands in the $100,000–$300,000+ range depending on scope and starting maturity. [Industry-reported; PreVeil, Secureframe, and others]

Three levers control that number, in order of impact:

  1. Scope. If CUI flows through your entire network, your entire network is in scope. Isolating CUI into a defined boundary — an enclave — is the single biggest cost reducer available to most small contractors.
  2. Starting maturity. A contractor that has genuinely run NIST 800-171 since 2017 pays to verify. One starting from scratch pays to build.
  3. Whether you need an enclave, managed security, documentation help, or GRC tooling — and whether you buy those before or after you've defined scope.

And a note of genuine hope: cost offsets exist. Some states fund CMMC readiness directly (Connecticut has offered grants up to $35,000), and on cost-reimbursable work, compliance spend can be treated as an allowable cost under FAR Part 31. [State program materials; FAR Part 31] Talk to your accountant and your contracts lead before you assume the whole bill is out of pocket.

For a deeper breakdown by scope, environment, and provider type, see our CMMC Level 2 cost guide.

Want a starting point you can act on today?

Download our CMMC Readiness Checklist, mapped to the 14 NIST SP 800-171 Rev. 2 families, and see where your gaps actually are before you price a single vendor. It's a self-serve first step — no forms, no CUI, no sensitive details.

Download Readiness Checklist →

When do the requirements hit? The four-phase rollout

CMMC phases in over four annual steps. Phase 1 began November 10, 2025; Phase 2 begins November 10, 2026; Phase 3 begins November 10, 2027; and Phase 4 — full implementation — begins November 10, 2028. Each phase widens which assessment types appear in contracts. [32 CFR 170.3(e); DoD CIO CMMC resources]

Notably, Phase 1 was extended six months from what the proposed rule floated — a small mercy, and a sign DoD is watching capacity. [Federal Register] But the phases move quickly, and the one that matters to most CUI-handling contractors is Phase 2.

CMMC four-phase rollout schedule with dates and contractor implications

| Phase | Dates | What DoD intends to include | What it means for you |
|---|---|---|---|
| Phase 1 | Nov. 10, 2025 – Nov. 9, 2026 | Level 1 (Self) and Level 2 (Self) in applicable contracts; Level 2 (C3PAO) at DoD's discretion | Self-assessment obligations — and some C3PAO requirements — can already affect your bids. Don't wait to define scope. |
| Phase 2 | Nov. 10, 2026 – Nov. 9, 2027 | Level 2 (C3PAO) becomes the standard for applicable contracts; Level 3 at DoD's discretion | If you handle CUI, be scoped and evidence-ready before this window. This is the deadline that matters. |
| Phase 3 | Nov. 10, 2027 – Nov. 9, 2028 | Level 2 (C3PAO) more broadly; Level 3 for applicable contracts | Higher pressure on assessed Level 2 and Level 3 programs. |
| Phase 4 | Starts Nov. 10, 2028 | Full implementation across applicable DoD solicitations and contracts, including option periods | CMMC becomes normal across FCI/CUI contract actions. |

Source: 32 CFR 170.3(e); DoD CIO CMMC resources.

The math is unforgiving. Readiness commonly takes 12–18 months, and C3PAO scheduling is already running months out. If you handle CUI and you haven't started, Phase 2 is not a future problem — it's a current one.


What changed in 2026? The FAR overhaul and clause renumbering

On February 1, 2026, a set of class deviations under the Revolutionary FAR Overhaul renumbered the cybersecurity clauses. DFARS 252.204-7019 was eliminated, DFARS 252.204-7020 was moved to DFARS 252.240-7997, and FAR 52.204-21 was renumbered to FAR 52.240-93. The CMMC clauses — 252.204-7021 and 252.204-7025 — and the safeguarding clause 252.204-7012 did not change. [DoD class deviation 2026-O0025; DFARS Part 240; DFARS Part 40]

The Revolutionary FAR Overhaul (RFO) began with Executive Order 14275 in April 2025 and is being implemented in two steps: interim class deviations now, formal rulemaking later. The first tranche — 31-plus DFARS class deviations — took effect February 1, 2026, creating a new FAR Part 40 and DFARS Part 240 to consolidate cybersecurity and supply-chain requirements. [DoD class deviations; industry legal analysis, incl. Wiley] The renumbering is administrative, but the practical effects are real.

The 2026 CMMC clause crosswalk

Print this one. It's the freshest, hardest-to-copy thing on this page, and it will save you from citing a clause that no longer exists.

2026 CMMC clause crosswalk: old to new citation numbers effective February 1, 2026

| Old citation | New citation (eff. Feb. 1, 2026) | What actually changed |
|---|---|---|
| FAR 52.204-21 (Basic Safeguarding) | FAR 52.240-93 | Renumbered; same 15 requirements, same text. (CMMC Level 1 assessment guidance still references 52.204-21 during the transition.) |
| DFARS 252.204-7019 (Notice of NIST 800-171 Assessment) | Eliminated | Removed as a standalone provision. |
| DFARS 252.204-7020 (NIST 800-171 DoD Assessment Reqs.) | DFARS 252.240-7997 | Relocated to DFARS Part 240; the standalone "Basic self-assessment" concept was removed. Now defines only government-performed Medium and High assessments. |
| DFARS 252.204-7012 (Safeguarding/Incident Reporting) | Unchanged | Still in full effect: NIST 800-171, 72-hour incident reporting, cloud requirements, flow-down. |
| DFARS 252.204-7021 (CMMC compliance clause) | Unchanged | Still the clause that requires you to hold and maintain your CMMC status. |
| DFARS 252.204-7025 (CMMC level notice) | Unchanged | Still the solicitation provision that states your required status. |

Sources: DoD class deviation 2026-O0025 (DFARS 240.370-5); DFARS Part 40 / Part 240; corroborated by Wiley, Summit 7, and other 2026 legal and practitioner analyses.

The critical nuance — do not misread this

Some headlines claimed contractors "no longer have to self-assess or post scores in SPRS." That is dangerously incomplete. What the RFO did was remove the old, parallel "Basic" NIST 800-171 self-assessment track and fold assessment obligations into CMMC itself. [Redstone GCI; Peerless; DoD class deviation] If you handle CUI, you must still implement all 110 NIST 800-171 Rev. 2 requirements, maintain a System Security Plan, report incidents within 72 hours, and obtain CMMC certification when your contract requires it. SPRS remains the system of record.

Two things to do about all this:

A quick naming note, because you'll see it in the wild: an executive order in September 2025 authorized "Department of War" as a secondary title for the Department of Defense in non-statutory communications. The CMMC rule (32 CFR Part 170) and the DFARS are statutory and regulatory, so they still say "Department of Defense." We use "DoD" throughout for that reason. [EO 14347; National Security Act of 1947]


Does CMMC use NIST SP 800-171 Rev. 2 or Rev. 3?

Under the current CMMC Final Rule, Level 2 maps to NIST SP 800-171 Revision 2 — the 110 requirements across 14 families. NIST published Revision 3 in May 2024, but CMMC has not adopted it; DoD pinned the program to Rev. 2 through a class deviation. Do not build to Rev. 3 for CMMC purposes unless and until DoD amends the rule. [32 CFR 170.14; NIST SP 800-171 Rev. 2; DoD class deviation]

NIST SP 800-171 Revision 3 exists. It restructures the controls (roughly 97 requirements, three new families, and a set of organization-defined parameters) and its assessment companion, NIST SP 800-171A Rev. 3, changed accordingly. [NIST CSRC] But CMMC Level 2 is still tied to Revision 2, held in place by a DoD class deviation issued in 2024. A transition to Rev. 3 is expected eventually, with DoD signaling 12–24 months of advance notice. [DoD CIO CMMC materials]

Your assessment today is against Rev. 2. Watch NIST's Computer Security Resource Center and the DoD CIO CMMC page for the transition, but don't let a vendor sell you a "Rev. 3-ready" program as if it were the current requirement. It isn't.


What if I'm not fully compliant? POA&Ms, conditional status, and the 80% rule

A Plan of Action and Milestones (POA&M) is not blanket permission to pass with gaps. Level 1 allows no POA&M at all. At Level 2, you can earn a Conditional status only if you score at least 80% (meeting at least 88 of the 110 requirements), certain high-value requirements cannot be deferred at all, and every open item must be closed within 180 days or the conditional status expires. [32 CFR 170.21; Federal Register]

The 180-day conditional status milestone schedule

180-day POA&M closeout milestone schedule for Conditional Level 2 CMMC status

| Day | Milestone |
|---|---|
| Day 0 | Conditional status date recorded in SPRS |
| Days 30 / 60 / 90 | Remediation checkpoints — evidence, not intentions |
| Day 150 | Closeout evidence assembled and reviewed |
| Day 180 | Closeout deadline — Final status or the status expires |

SPRS scoring starts at 110 and subtracts points by severity (1, 3, or 5 per requirement), with no partial credit, down to a floor of −203. [DoD NIST SP 800-171 Assessment Methodology] A handful of high-weight misses can put a real number deep underwater — which is exactly why documentation and evidence, not optimism, decide outcomes.
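The scoring arithmetic and the Conditional Level 2 gates above, worked in code. This is an added example, not code from The Defense Compliance Report or from DoD: it starts at 110, deducts the 1-, 3- or 5-point weight of each requirement assessed NOT MET with no partial credit, clamps at the −203 floor, then applies the two tests from 32 CFR 170.21 (a score of at least 88, and no open POA&M item worth more than 1 point) and lays out the 180-day closeout calendar from the milestone table. The requirement IDs and weights in the scenarios are constructed for illustration; the real point value of each requirement comes from the DoD Assessment Methodology, not from this block.

```python
# Added worked example (not the publication's or DoD's code). Computes the
# NIST SP 800-171 DoD Assessment Methodology score that is posted to SPRS and
# checks Conditional Level 2 eligibility as 32 CFR 170.21 describes it.
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110
MAX_SCORE = 110              # every requirement met
SCORE_FLOOR = -203           # methodology floor (110 minus all 313 weight points)
CONDITIONAL_MIN_SCORE = 88   # 80% of 110
CHECKPOINT_DAYS = (0, 30, 60, 90, 150, 180)   # from the milestone table


def sprs_score(not_met):
    """not_met maps a requirement id to the point value (1, 3 or 5) of each
    requirement assessed NOT MET. Met requirements are simply absent; there is
    no partial credit, so the full weight is deducted per miss."""
    for req_id, weight in not_met.items():
        if weight not in (1, 3, 5):
            raise ValueError(f"{req_id}: point value must be 1, 3 or 5, got {weight}")
    if len(not_met) > TOTAL_REQUIREMENTS:
        raise ValueError("more NOT MET findings than there are requirements")
    return max(SCORE_FLOOR, MAX_SCORE - sum(not_met.values()))


def conditional_status_check(not_met):
    """Both gates must pass for a Conditional Level 2 status: score >= 88 and
    every open item worth exactly 1 point. The rule's one narrow exception
    (non-FIPS-validated encryption under SC.L2-3.13.11) is not modelled."""
    score = sprs_score(not_met)
    blockers = sorted(req_id for req_id, weight in not_met.items() if weight > 1)
    score_ok = score >= CONDITIONAL_MIN_SCORE
    return {
        "score": score,
        "requirements_met": TOTAL_REQUIREMENTS - len(not_met),
        "score_ok": score_ok,
        "poam_blockers": blockers,            # cannot sit on a POA&M at all
        "conditional_eligible": score_ok and not blockers,
    }


def closeout_milestones(conditional_date):
    """Day 0 is the Conditional status date recorded in SPRS; Day 180 is the
    closeout deadline after which the status expires."""
    return {day: conditional_date + timedelta(days=day) for day in CHECKPOINT_DAYS}


# Constructed findings. Weights are illustrative; look each requirement's real
# point value up in the DoD Assessment Methodology before relying on it.
SCENARIO_A = {"3.1.12": 1, "3.4.9": 1, "3.8.4": 1}   # three 1-point gaps
SCENARIO_B = {"3.5.3": 5, "3.1.12": 1}               # one 5-point gap, one 1-point gap

if __name__ == "__main__":
    for name, findings in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        print(name, conditional_status_check(findings))
    for day, when in closeout_milestones(date(2026, 1, 15)).items():
        print(f"Day {day:>3}: {when.isoformat()}")
```

Scenario B is the one to notice: a score of 104 clears the 88-point bar comfortably, yet a single 5-point miss cannot be placed on a POA&M, so no Conditional status is available until that requirement is actually met. That is why the "88 of 110" figure and the 80% score coincide in practice: once every weight-3 and weight-5 requirement must be met, only 1-point items can remain open, and at most 22 of them.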


How is the CMMC Final Rule actually enforced?

Enforcement runs through SPRS and the annual affirmation, and the real teeth are civil, not administrative. A senior company official must affirm your compliance in SPRS, and an inaccurate affirmation can trigger False Claims Act liability — the same mechanism the Department of Justice has already used to pursue contractors over cybersecurity misrepresentations. [Federal Register; DOJ Civil Cyber-Fraud Initiative]

The Supplier Performance Risk System (SPRS) is the system of record for your CMMC status and affirmations. Your status can be valid for up to three years, but it must be affirmed annually by a senior "affirming official" who is personally attesting that your company meets the requirements. [Federal Register] That signature is where the risk concentrates.

Because a CMMC status is now a condition of award, a knowingly inaccurate affirmation can be a false statement to the government under the False Claims Act (FCA), which carries treble damages and whistleblower (qui tam) exposure. The DOJ's Civil Cyber-Fraud Initiative, launched in 2021, exists specifically to bring these cases. Aerospace-and-defense contractor Aerojet Rocketdyne agreed to a $9 million settlement in 2022 to resolve allegations it misrepresented its compliance with federal cybersecurity requirements. [DOJ; public court records] The lesson isn't to fear the rule — it's that the affirmation is a legal instrument, and it should be true.

The C3PAO problem you need to know about — and what to do

In January 2025, the DoD Office of Inspector General reported that DoD had not effectively implemented the process for authorizing the very organizations that perform Level 2 assessments. [DoD OIG, Report DODIG-2025-056] Reviewing 11 of the then-48 authorized C3PAOs, the OIG found:

Why this matters to you: relying on a flawed or inadequately authorized assessor could later be viewed as reckless — feeding back into that same FCA risk. [Wiley]

Buyer-protective move: verify authorization yourself.

Before you sign with a C3PAO, confirm its current authorization status on the Cyber AB Marketplace, get a dated screenshot, and verify that authorization is current as of your assessment date — not just your engagement date. Certification integrity matters as much as certification attainment.

For a curated list of authorized C3PAOs and what to verify, see our guide to the best C3PAOs for Level 2.


Where does the Defense Industrial Base actually stand?

Enforcement is live, but the ecosystem is small and readiness is smaller. As of the March 2026 Cyber AB Town Hall, there were about 103 authorized C3PAOs and roughly 759 certified assessors, and approximately 1,000 organizations had achieved Level 2 certification — against a DoD estimate of about 80,000 that will need it. That's roughly 1% readiness across the DIB. [Cyber AB Town Hall, March 2026]

DIB CMMC readiness snapshot as of March 2026

| Metric | Figure (as of March 2026) |
|---|---|
| Authorized C3PAOs | ~103 |
| Certified CMMC Assessors (CCAs) | ~759 |
| New Level 2 certifications issued (March 2026) | ~178 |
| Total Level 2 certifications to date | ~1,000 |
| Organizations DoD estimates need Level 2 | ~80,000 |
| Approximate DIB readiness | ~1% |
| Typical C3PAO scheduling lead time | 6–12 months |

Source: Cyber AB Town Hall (March 2026) and Cyber AB Marketplace analysis. Verify live counts at cyberab.org/marketplace before relying on them.

Two conclusions fall out of this data, and both are actionable:

Assessor credentialing moved to ISACA (as the CMMC Assessor & Instructor Certification Organization, CAICO) in April 2026, and the Cyber AB is shifting from "standing up capacity" to accrediting assessors for consistency. [Cyber AB Town Hall, 2026]

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Find My CMMC Path →

What should you do now?

Your next step is not "hire a C3PAO." It's to confirm your required CMMC status, verify whether you handle FCI or CUI, define your assessment scope, check your SPRS record, and only then choose the provider category that matches your gap. [Acquisition.gov, 252.204-7025; 32 CFR 170] Sequence matters — buying before scoping is how contractors waste six figures.

Here's the checklist we'd run, in order:

  1. Pull the paperwork — the solicitation, contract, subcontract, or prime flow-down.
  2. Search it for the clauses — DFARS 252.204-7025 (your required status) and 252.204-7021 (your obligation to maintain it). Remember the new numbering for anything issued after February 1, 2026.
  3. Identify your required CMMC status — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC).
  4. Confirm your data — FCI, CUI, both, or neither.
  5. Map where FCI/CUI actually lives — email, ERP, file shares, CAD, supplier portals, removable media. This is your scope, and scope is your cost.
  6. Check SPRS — is your status current? Are your CAGE codes, score, scope, and affirmation right?
  7. Choose the provider category that fits the gap — internal, RP/RPO, MSSP/MSP, GRC platform, CUI enclave, or C3PAO.

Which provider category fits your next step?

The rule doesn't point you to one universal vendor. It points you to a category based on your gap. Note the independence rule baked into the last row.

CMMC provider category routing guide by situation and gap type

| Category | Use it when | Verify before you hire | Don't use it for |
|---|---|---|---|
| RP / RPO (Registered Practitioner / Organization) | Scoping, gap assessment, SSP/POA&M, readiness planning | Cyber AB Marketplace status; relevant experience; scoping method | The formal certification assessment |
| MSP / MSSP (Managed [Security] Service Provider) | Operating controls: logging, identity, endpoint, monitoring | CUI-environment fit; evidence support; incident response | Replacing your ownership of compliance |
| GRC platform (governance, risk, compliance software) | Evidence tracking, tasks, dashboards, SSP/POA&M support | 800-171 Rev. 2 / CMMC mapping and exports | Making you compliant by itself — software alone never satisfies CMMC |
| CUI enclave | Reducing scope by isolating CUI | Data flow; cloud boundary; FedRAMP Moderate/equivalency assumptions | Avoiding organizational controls entirely |
| C3PAO | The formal Level 2 certification assessment | Current authorization/accreditation and independence | Readiness consulting for the same engagement it will assess — that separation is required |

A word on that last row: a firm that prepares you generally cannot also be the C3PAO that assesses that same work. Readiness and assessment must stay separate. [32 CFR 170.8; Cyber AB Code of Professional Conduct; CMMC Assessment Process] If a single vendor offers to "get you ready and certify you," that's a flag, not a convenience.

For small businesses, see our guide to CMMC providers for small businesses.

Ready to map your situation to the right provider category?

The right provider isn't the same for every contractor. The category you need depends on your required level, your FCI/CUI handling, your assessment type, your environment, and your timeline — and the contract clause sets your level, not a checklist. Do not submit CUI, drawings, contract numbers, or sensitive system details — this is for provider-category routing only.


What we actually verified for this guide

We don't ask you to take our word for it. Here's the source behind each major claim, verified in June 2026 against primary or authoritative sources.

What we could not independently verify to the dollar: the exact market price of any specific assessment or provider engagement. Treat all market pricing here as ranges, not quotes.


CMMC Final Rule FAQ

Is the CMMC Final Rule final?

Yes. Both parts are final and effective: the program rule (32 CFR Part 170) since December 16, 2024, and the DFARS acquisition rule since November 10, 2025. The remaining variable is when a required CMMC status appears in your specific solicitation, contract, option, or subcontract flow-down. [Federal Register]

What’s the difference between the 32 CFR rule and the 48 CFR/DFARS rule?

32 CFR Part 170 defines the CMMC program — the levels, assessments, scoping, and scoring. The 48 CFR (DFARS) rule implements CMMC in contracts through provision 252.204-7025 (which states your required status) and clause 252.204-7021 (which requires you to maintain it). [eCFR; Acquisition.gov]

When did CMMC Phase 1 start, and when does Phase 2 begin?

Phase 1 started November 10, 2025 and runs through November 9, 2026, focused mainly on Level 1 and Level 2 self-assessments. Phase 2 begins November 10, 2026, when a Level 2 third-party (C3PAO) assessment becomes the standard for applicable contracts. [32 CFR 170.3(e); DoD CIO]

Does CMMC Level 2 always require a C3PAO?

No. Level 2 can be either Level 2 (Self) or Level 2 (C3PAO). Which one applies is set by the required CMMC status in your solicitation or flow-down — not by the phrase “Level 2” alone. [Acquisition.gov, 252.204-7025]

Does CMMC use NIST SP 800-171 Rev. 2 or Rev. 3?

Level 2 currently maps to NIST SP 800-171 Revision 2. NIST published Rev. 3 in May 2024, but CMMC has not adopted it, and DoD pinned the program to Rev. 2 by class deviation. Don’t build to Rev. 3 for CMMC unless DoD amends the rule. [32 CFR 170.14; NIST CSRC]

Did the 2026 FAR overhaul eliminate self-assessments and SPRS scores?

No — this is a common misreading. The February 1, 2026 class deviations removed the old standalone “Basic” NIST 800-171 self-assessment track (eliminating DFARS 252.204-7019 and moving 7020 to 252.240-7997) and folded assessment obligations into CMMC. If you handle CUI, you still implement all 110 controls, keep an SSP, report incidents, and certify under CMMC. SPRS is still the system of record. [DoD class deviation 2026-O0025]

What is DFARS 252.204-7025?

It’s the solicitation provision that tells offerors which CMMC status is required to be eligible for award — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC). It’s the first place to look to learn your required level. It was not renumbered in the 2026 overhaul. [Acquisition.gov]

What is DFARS 252.204-7021?

It’s the contract clause that requires you to hold and maintain the required CMMC status throughout performance and to flow the requirement down to subcontractors handling FCI or CUI. It was not renumbered in the 2026 overhaul. [Acquisition.gov]

Does the CMMC Final Rule apply to subcontractors?

Yes, when a subcontract involves FCI or CUI and the requirement is flowed down. FCI-only subs generally look at Level 1; subs handling CUI are at least Level 2, with the assessment type set by the prime’s flow-down. [32 CFR 170.23]

Are POA&Ms allowed?

Level 1 allows none. Level 2 and Level 3 allow them only under limited conditions — you must score at least 80% (meet at least 88 of 110 at Level 2), certain high-value requirements can’t be deferred, and every open item must close within 180 days or the conditional status expires. [32 CFR 170.21]

Do I need a C3PAO right now?

Only if your required status is Level 2 (C3PAO) and you’re assessment-ready, or you’re preparing for a contract that will require it. Many contractors first need scoping, an SSP, evidence, remediation, an enclave decision, or an SPRS cleanup before engaging an assessor. [32 CFR 170]

How much does CMMC cost?

DoD’s small-entity estimates are roughly $6,000/year for Level 1, about $37,000 over three years for Level 2 (Self), and about $104,670 over three years for Level 2 (C3PAO) — and those figures exclude the cost of building your environment. Real first-year spend to reach Level 2 often runs $100,000–$300,000+ depending on scope and maturity. [Federal Register RIA; industry-reported]


Related reading

The Defense Compliance Report is the independent CMMC decision layer for defense contractors — mapping contract requirements, FCI/CUI scope, environments, provider categories, costs, and evidence into the next correct step before you hire. Choose the right CMMC path before you hire. This article is educational research, not legal, contractual, or compliance advice; confirm your requirements with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. Last reviewed June 2026.
