CMMC Program Rule vs Acquisition Rule: 32 CFR vs 48 CFR
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. It is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.
Not legal advice. This is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level — not a checklist.
CMMC Program Rule vs Acquisition Rule comes down to one fact that trips up even seasoned contracts teams: there isn’t one CMMC rule. There are two. They do two completely different jobs, and knowing which one controls you is the difference between spending money on the right thing and spending it on the wrong thing.
Here’s the bottom line. The CMMC Program Rule (32 CFR Part 170) defines CMMC — the three levels, the security requirements behind each, how assessments and scoring work, and roles like the C3PAO (Certified Third-Party Assessment Organization). It became effective December 16, 2024. The CMMC Acquisition Rule — the DFARS rule that revised the CMMC contract clause (DFARS 252.204-7021) and added the new solicitation provision (DFARS 252.204-7025) — puts CMMC into your contract. It became effective November 10, 2025. One rule tells you what CMMC is. The other tells you when the government can require it on a specific award.
So if a vendor just emailed to say “the CMMC rule changed, you need to buy our thing,” this is the lens to evaluate that with. And there’s a February 2026 twist that’s fooling even experienced teams — a clause renumbering that made a lot of people think CMMC changed when it didn’t. We’ll get to exactly what moved and what didn’t, with the primary sources, below.
First, the fast orientation. Here’s which rule to look at, depending on what you’re actually asking:
| If you’re asking… | Look here first |
|---|---|
| "What does CMMC actually require?" | 32 CFR Part 170 (the Program Rule) |
| "When does this affect my ability to win the award?" | DFARS 252.204-7025 (solicitation) and 252.204-7021 (contract) |
| "What level do I need?" | The solicitation/contract, then 32 CFR Part 170 |
| "Do I need a C3PAO?" | The assessment type inserted in the solicitation |
| "What kind of provider should I even talk to?" | Depends on your level, FCI/CUI scope, environment, and timeline |
CMMC Program Rule vs Acquisition Rule: what’s the difference?
The CMMC Program Rule is 32 CFR Part 170; it defines the CMMC Program itself — levels, security-requirement sources, assessment types, scoring, POA&M limits, affirmations, and subcontractor flow-down logic. The CMMC Acquisition Rule is the 48 CFR/DFARS rule finalized September 10, 2025; it puts those requirements into DoD solicitations and contracts through DFARS 252.204-7025 and 252.204-7021. One rule tells you what CMMC is. The other tells you when the government can require it of you on a specific award.
The cleanest way to hold it in your head: 32 CFR Part 170 is the engine. The DFARS acquisition rule is the ignition. The engine defines how everything works. The ignition is what actually turns it on inside a specific contract. You can have a fully built engine sitting in the garage — that’s where CMMC was between December 2024 and November 2025 — and nothing new happens on your contracts until someone turns the key.
Here’s the full side-by-side. We built this from the rules themselves, not from other people’s summaries.
The two-rule crosswalk
| Dimension | CMMC Program Rule | CMMC Acquisition Rule (the DFARS rule) |
|---|---|---|
| What it is | The rule that creates and defines CMMC | The rule that puts CMMC into DoD contracts |
| Plain-English role | The engine — how CMMC works | The ignition — turns CMMC on in a contract |
| Where it lives | Title 32 CFR Part 170 | Title 48 CFR (the DFARS) — codified across Parts 204, 212, 217, 252 |
| Key instruments | Defines levels, controls, assessment types, scoring, POA&M rules, affirmations, ecosystem roles | DFARS Subpart 204.75; revised clause 252.204-7021; new solicitation provision 252.204-7025 |
| What it does | Establishes 3 levels, the security requirements, the C3PAO/DIBCAC assessment process, SPRS posting, conditional/final status | Makes a CMMC level a condition of award; sets contracting-officer procedures, the SPRS check, and flow-down mechanics |
| Federal Register | Proposed 88 FR 89058 (Dec 26, 2023); Final 89 FR 83092 (Oct 15, 2024) | Proposed 89 FR 66327 (Aug 15, 2024); Final 90 FR 43560 (Sep 10, 2025), DFARS Case 2019-D041 |
| Effective date | December 16, 2024 | November 10, 2025 (60 days after publication) |
| What that date unlocked | Authorized voluntary C3PAO certification assessments to begin | Started Phase 1; DoD may now include CMMC in solicitations/contracts |
| Applies to | The standard itself — it exists regardless of any one contract | DoD acquisitions only |
| When it actually binds you | The standard exists whether or not your current contracts reference it | Only when the contracting officer includes 252.204-7021 (or adds it by bilateral modification) |
| NIST mapping | L1 → FAR 52.204-21 (15 requirements); L2 → NIST SP 800-171 Rev. 2 (110 requirements, 14 families); L3 → 24 selected enhanced requirements from NIST SP 800-172 (Feb 2021 version) | References the Program Rule's mapping — it does not change the controls |
One point worth pinning down, because it feeds a lot of the confusion: the 2025 acquisition rule did not invent DFARS 252.204-7021. That clause traces back to a 2020 interim DFARS rule (which introduced the 7019/7020/7021 series). The 2025 final rule revised 252.204-7021 for CMMC 2.0 and added 252.204-7025 as a genuinely new solicitation provision. So when you read that the rule “added the CMMC clause,” read it as updated an existing one and added a new companion. For detail on the earlier clause history, see our CMMC Final Rule guide and the 32 CFR Part 170 deep-dive.
And a naming note, since it comes up: some 2025–2026 materials refer to the “Department of War.” We use “Department of Defense (DoD)” here because the FAR and DFARS — the regulations that actually govern your contract — still use “DoD.”
The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Use Find My CMMC Path to map your situation to the right provider category before you request quotes. Do not submit CUI, drawings, or sensitive contract details.
What does the CMMC Program Rule (32 CFR Part 170) actually define?
The Program Rule defines the CMMC model and how a contractor achieves and keeps a status. It covers the requirement sources for Level 1, Level 2, and Level 3; the assessment types; the scoring methodology; scoping; the narrow POA&M rules; the affirmation duty; and how requirements flow to subcontractors. It is the “what” and the “how.” It is not, by itself, a contract clause.
Think of everything below as living inside 32 CFR Part 170. None of it changes because a solicitation does or doesn’t mention CMMC — it’s the fixed standard the contract points to.
The three levels and where their requirements come from
Level 1 uses the 15 basic safeguarding requirements in FAR 52.204-21. Level 2 is identical to the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families and measured against 320 assessment objectives. Level 3 layers 24 selected enhanced requirements from the February 2021 version of NIST SP 800-172 on top of Level 2.
That last row of the crosswalk is the one that saves people money, so it’s worth stating plainly: Level 2 is the big one. It’s the CMMC path for contractor systems that will process, store, or transmit Controlled Unclassified Information (CUI) when CMMC applies — and the solicitation decides whether that path is Level 2 (Self) or Level 2 (C3PAO). It maps to NIST SP 800-171 Revision 2, not Revision 3 (more on that trap shortly). Level 1 is the FCI-only floor. Level 3 is the small universe of priority DoD programs that need the highest assurance, assessed by DIBCAC. See our CMMC levels overview for the full breakdown and our FCI vs CUI guide for the information-type distinction.
Assessment types and CMMC statuses
CMMC statuses come in Conditional and Final flavors, and they’re tied to a specific assessment type: Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), and Level 3 (DIBCAC). Level 1 and Level 2 self-assessments are done by the contractor; a Level 2 certification assessment is done by an authorized C3PAO; a Level 3 assessment is done by the government’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
This is the distinction to never blur: a Level 2 (Self) status is not a Level 2 (C3PAO) status. If your contract requires C3PAO certification, a self-assessment doesn’t satisfy it — no matter how thorough your self-assessment was. Which assessment type you need is set by the contract, using the level definitions in the Program Rule. For a full walk-through of the four assessment paths and what each involves, see our CMMC certification process guide.
Scoring, POA&Ms, and conditional status
For Level 2, scoring starts at 110 and deducts points for unmet requirements. To earn a Conditional Level 2 status, your score divided by the total requirements must be at least 0.8 — that’s a minimum of 88 out of 110 — and only certain gaps can go on a Plan of Action and Milestones (POA&M). Level 1 does not allow POA&Ms at all.
The POA&M rules are stricter than most people assume, and this is where contractors get burned. Only requirements worth 1 point can go on a POA&M; the 3- and 5-point requirements must be fully implemented before your assessment. There’s one narrow exception for CUI encryption that isn’t yet FIPS-validated. Six specific 1-point controls are prohibited from a POA&M entirely. And the clock is real: you have 180 days from your Conditional CMMC Status Date to close out every POA&M item, or your Conditional status expires and standard contractual remedies apply. For the full rules, see our Conditional Level 2 and POA&M closeout page.
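An added example, not from this page or from any DoD scoring tool, that encodes the Level 2 scoring and POA&M rules just described so a readiness team can check a draft gap list before the assessment. It assumes each unmet requirement is tagged with its 1/3/5 point weight, takes the six prohibited identifiers as a caller-supplied set (the page does not list them, so the sample uses a placeholder), and models the CUI-encryption carve-out as a per-finding flag; all requirement identifiers below are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constants stated on the page: Level 2 scoring starts at 110, Conditional
# status needs score/110 >= 0.8 (88 of 110), and every POA&M item must close
# within 180 days of the Conditional CMMC Status Date.
MAX_SCORE = 110
CONDITIONAL_NUM, CONDITIONAL_DEN = 8, 10   # 0.8 kept as an exact fraction
POAM_CLOSEOUT_DAYS = 180


@dataclass(frozen=True)
class Finding:
    """One unmet NIST SP 800-171 Rev. 2 requirement from a Level 2 assessment."""
    req_id: str                   # requirement identifier (constructed values below)
    points: int                   # 1, 3 or 5: weight deducted under the DoD scoring methodology
    cui_encryption_exception: bool = False  # assumed flag for the narrow not-yet-FIPS carve-out


@dataclass
class Verdict:
    score: int
    status: str                   # "Final", "Conditional" or "Not Met"
    blocking: List[Finding]       # findings that can never sit on a POA&M
    poam_items: List[Finding]     # findings that may sit on a POA&M
    closeout_deadline: Optional[date]


def poam_eligible(f: Finding, prohibited_ids: frozenset) -> bool:
    """Only 1-point requirements may go on a POA&M, never the prohibited ones;
    the CUI-encryption carve-out is the single exception to the 1-point rule."""
    if f.cui_encryption_exception:
        return True
    return f.points == 1 and f.req_id not in prohibited_ids


def evaluate_level2(findings: List[Finding], conditional_status_date: date,
                    prohibited_ids: frozenset = frozenset()) -> Verdict:
    """Score a Level 2 assessment and decide Final / Conditional / Not Met."""
    score = MAX_SCORE - sum(f.points for f in findings)
    if not findings:
        return Verdict(score, "Final", [], [], None)   # all 110 met: no POA&M needed
    blocking = [f for f in findings if not poam_eligible(f, prohibited_ids)]
    poam = [f for f in findings if poam_eligible(f, prohibited_ids)]
    # Integer comparison avoids floating-point surprises at exactly 88/110.
    meets_threshold = score * CONDITIONAL_DEN >= MAX_SCORE * CONDITIONAL_NUM
    if meets_threshold and not blocking:
        deadline = conditional_status_date + timedelta(days=POAM_CLOSEOUT_DAYS)
        return Verdict(score, "Conditional", [], poam, deadline)
    return Verdict(score, "Not Met", blocking, poam, None)


def days_left(verdict: Verdict, today: date) -> Optional[int]:
    """Days remaining before a Conditional status expires (negative = overdue)."""
    if verdict.closeout_deadline is None:
        return None
    return (verdict.closeout_deadline - today).days


# Constructed sample data: the requirement ids and the prohibited set are
# placeholders, not the real identifiers from 32 CFR Part 170.
PROHIBITED = frozenset({"REQ-NOPOAM-1"})
STATUS_DATE = date(2026, 7, 1)

SAMPLE_CONDITIONAL = [Finding("REQ-A", 1), Finding("REQ-B", 1), Finding("REQ-C", 1)]
SAMPLE_FIVE_POINT = [Finding("REQ-D", 5)]                    # 105 points, but a 5-point gap blocks
SAMPLE_PROHIBITED = [Finding("REQ-NOPOAM-1", 1)]             # 1-point, yet never POA&M-able
SAMPLE_TOO_MANY = [Finding(f"REQ-{i}", 1) for i in range(23)]   # 87 < 88, threshold fails
SAMPLE_FIPS = [Finding("REQ-ENC", 3, cui_encryption_exception=True)]

if __name__ == "__main__":
    cases = [("conditional", SAMPLE_CONDITIONAL), ("five-point", SAMPLE_FIVE_POINT),
             ("prohibited", SAMPLE_PROHIBITED), ("too-many", SAMPLE_TOO_MANY),
             ("fips-carve-out", SAMPLE_FIPS)]
    for label, findings in cases:
        v = evaluate_level2(findings, STATUS_DATE, PROHIBITED)
        print(f"{label:15} score={v.score:4} status={v.status:12} poam={len(v.poam_items)} "
              f"blocking={[f.req_id for f in v.blocking]} closeout={v.closeout_deadline}")
```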
Annual affirmation and the CMMC UID
The Program Rule requires an affirmation of continuing compliance — an initial one after assessment (and after POA&M closeout, where applicable) and then annually — submitted electronically in the Supplier Performance Risk System (SPRS). Each assessed system also gets a CMMC Unique Identifier (UID): a ten-character alphanumeric code that lives in SPRS.
Two things people miss here. First, the affirmation is a separate, recurring duty — you can have a passing score and still fall out of compliance by missing your annual affirmation. Second, the affirmation is signed by a designated “affirming official” (the acquisition rule replaced the older term “senior company official” with “affirming official”), so there’s a named human on the hook for it. Sources: 32 CFR § 170.22 and the DFARS acquisition rule.
What does the CMMC Acquisition Rule (the DFARS rule) actually do?
The Acquisition Rule amends the DFARS to make CMMC operational in DoD acquisitions. It tells contracting officers when to use the CMMC contract clause and solicitation provision, and it ties your eligibility for award and performance to a current CMMC status and affirmation in SPRS. It doesn’t touch the security controls — it’s the contracting machinery that turns the Program Rule’s standard into a hard requirement on a specific procurement.
Two DFARS clauses do the work. Here’s what each one is and what to look for.
DFARS 252.204-7025 — the solicitation provision (your early warning)
DFARS 252.204-7025, “Notice of Cybersecurity Maturity Model Certification Level Requirements,” is the provision that appears in the solicitation. It’s where the contracting officer inserts the required level and assessment type — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC) — and it makes an offeror ineligible for award without the required current CMMC status and a current affirmation in SPRS for the systems that will touch FCI or CUI. It also requires offerors to provide the CMMC UIDs for those systems.
Practical translation: -7025 in a solicitation is your signal. When your capture or contracts team sees it, treat it as an instruction to (1) confirm the required level, (2) confirm which of your systems will process, store, or transmit FCI or CUI, and (3) verify your CMMC status and affirmation are current in SPRS before the award decision — not after. Source: DFARS 252.204-7025 on Acquisition.gov.
DFARS 252.204-7021 — the contract clause (your ongoing obligation)
DFARS 252.204-7021, “Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements,” is the clause that lands in the contract. It requires you to maintain the required current CMMC status for the period of performance, file annual affirmations in SPRS, report your CMMC UIDs, process FCI or CUI only on systems that hold the required status, and flow the requirement down to applicable subcontractors.
Two words in this clause carry a lot of weight. “Current” isn’t marketing language — the rule defines it precisely and differently depending on whether your status is conditional, Final Level 1, Final Level 2, or Final Level 3, and whether your affirmation is up to date. And “maintain” means this isn’t a one-time gate; if a Level 2 (C3PAO) or Level 3 certification expires during performance, you’re expected to renew at or above the required level, and failure can trigger standard contractual remedies. Source: DFARS 252.204-7021 on Acquisition.gov.
DFARS 204.7504 — when contracting officers must use the clauses
Codified DFARS 204.7504 prescribes when officers use -7021 and -7025. It carries the COTS-only exclusion and a phase-specific structure that runs through November 9, 2028 before full Phase 4 use. (During the February 2026 FAR overhaul transition, DoD reorganized these information-security provisions under a new DFARS Part 240 through class deviations, so you may see them cited under both the codified Part 204 structure and the deviation’s Part 240 structure — the requirement itself is the same. More on that below.)
The load-bearing point: CMMC isn’t automatically bolted onto your existing contracts. It attaches to new solicitations and awards on or after November 10, 2025 when the officer includes the clause — or to an existing contract by a bilateral modification both parties agree to. If -7021 isn’t in your current contract and nobody has modified it in, that contract doesn’t carry a CMMC requirement yet. Source: DFARS 204.7504 on Acquisition.gov.
You’ve got the clause — not sure what it means for you?
Use The Defense Compliance Report’s Find My CMMC Path tool to map the required level, assessment type, FCI/CUI scope, and timeline to the right provider category before you request quotes. It takes a few minutes and it’s free.
Find My CMMC Path →
Which rule actually creates your obligation?
For most contractors, the rule that bites is the Acquisition Rule — but only when a contracting officer includes DFARS 252.204-7021 in your solicitation or contract. The Program Rule defines what the obligation is; the Acquisition Rule is what attaches it to a specific procurement. The practical trigger isn’t a calendar date. It’s a clause in your paperwork.
So when a question comes up, the useful move is to figure out which rule answers it. We built this matrix to do exactly that — map the real question to the controlling rule, the source, and where to look.
Which rule answers my question?
| If your question is… | The rule that governs is… | Where to look |
|---|---|---|
| "What are the 110 controls / 14 families?" | Program Rule → NIST SP 800-171 Rev. 2 | 32 CFR § 170.14; NIST SP 800-171 R2 |
| "What's the minimum score for Conditional Level 2?" | Program Rule (≥ 0.8 → 88 of 110) | 32 CFR § 170.21; scoring at § 170.24 |
| "Self-assessment or C3PAO for Level 2?" | Set by the contract, using Program Rule level definitions | Solicitation (DFARS 252.204-7025) + 32 CFR §§ 170.15–170.18 |
| "When does CMMC show up in my contract?" | Acquisition Rule | DFARS 204.7503–204.7504; clause 252.204-7021 |
| "Can I win an award with a POA&M?" | Both — status defined by the Program Rule; award mechanics by the Acquisition Rule | 32 CFR § 170.21; DFARS 204.7502 |
| "How does flow-down to my subs work?" | Both — Program Rule scope + DFARS clause flow-down | 32 CFR § 170.23; DFARS 252.204-7021 |
| "What changed with the Feb 2026 clause renumbering?" | Neither CMMC rule — that's a separate FAR overhaul touching the older assessment clauses | RFO class deviations; DFARS Part 240 / clause 252.240-7997 |
Here’s the honest limitation, and it’s the whole reason this page exists. Neither this article nor any general explainer can tell you the exact CMMC level your specific contract requires. That number is set by the contracting officer and the sensitivity of the information involved, and it’s stated in the solicitation — not on a website. Anyone who tells you your level without reading your solicitation is guessing.
That’s not a dead end; it’s the reason we built a decision tool instead of a generic checklist. The CMMC Path Framework — our logic for mapping your required level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline to the provider category you need — starts by asking about your clause and your data before it points you anywhere.
Not sure which rule or clause is driving your situation?
Use Find My CMMC Path to map the artifact you’re holding — 32 CFR, a DFARS clause, or a prime’s flow-down email — to your level, assessment type, and next step.
Find My CMMC Path →
When did each rule take effect, and what phase are we in now?
The 32 CFR Program Rule became effective December 16, 2024, which opened the door to voluntary C3PAO assessments. The 48 CFR/DFARS Acquisition Rule became effective November 10, 2025, which started Phase 1 of the four-phase rollout. As of July 2026, Phase 1 is still running; it ends November 9, 2026, and Phase 2 begins November 10, 2026.
Two dates cause most of the timeline confusion, so keep them separate: December 16, 2024 (Program Rule effective — the standard exists, voluntary assessments allowed) and November 10, 2025 (Acquisition Rule effective — CMMC can now appear in contracts). No new CMMC contract-clause requirement was triggered by the December 2024 date by itself. (Existing cyber clauses like DFARS 252.204-7012 and FAR 52.204-21 already imposed safeguarding and incident-reporting duties long before CMMC — CMMC adds the assessment, certification, and affirmation layer on top.) The November 2025 date is when the key turned.
The CMMC phase-trigger matrix
| Phase | Calendar window | What the rule does | What to expect |
|---|---|---|---|
| Phase 1 | Nov 10, 2025 – Nov 9, 2026 | Begins on the acquisition rule's effective date; DoD introduces Level 1 (Self) and Level 2 (Self) requirements, and may require Level 2 (C3PAO) in applicable procurements | Mostly self-assessments — but do not assume “no C3PAO.” Read every solicitation. |
| Phase 2 | Nov 10, 2026 – Nov 9, 2027 | Adds Level 2 (C3PAO) for applicable solicitations/contracts; DoD may begin introducing Level 3 (DIBCAC) | More CUI contracts start requiring third-party certification. |
| Phase 3 | Nov 10, 2027 – Nov 9, 2028 | DoD intends Level 2 (C3PAO) for all applicable solicitations/contracts and Level 3 (DIBCAC) for applicable Level 3 requirements | C3PAO and DIBCAC requirements become common. |
| Phase 4 | Begins Nov 10, 2028 | Full implementation — CMMC in all applicable DoD solicitations and contracts, including option periods | Steady state for FCI/CUI contracts, minus narrow exceptions like COTS-only. |
The scale here is why the phase-in exists. In its regulatory analysis, DoD estimated the CMMC expansion would affect 337,968 contractors and subcontractors, including roughly 229,818 small businesses, with the ramp starting small — on the order of 1,100 small entities in year one — and widening each year. That’s the real reason not to treat a distant phase date as a comfortable runway: certification depends on a finite pool of authorized C3PAOs, and demand climbs as the phases advance. Before you assume a Phase 2 date gives you plenty of time, verify current authorized C3PAO availability in the Cyber AB Marketplace and back into your timeline from there. Source: 90 FR 43560.
For a deep dive on the November 2026 Phase 2 milestone and exactly which contracts it affects, see our CMMC Phase 2 deadline guide.
If your contract or recompete window crosses Phase 2…
Don’t wait for the phase label to make the decision for you. Map your required status, assessment type, and a realistic readiness timeline now.
Find My CMMC Path →
How DFARS 252.204-7012, 7019, 7020, 7021, and 7025 fit together after the February 2026 FAR overhaul
Did the February 2026 FAR overhaul change CMMC? No — not the CMMC rules. Effective February 1, 2026, the Revolutionary FAR Overhaul (RFO) reorganized and renumbered several information-security clauses through class deviations. It eliminated DFARS 252.204-7019, renumbered DFARS 252.204-7020 to DFARS 252.240-7997, and renumbered FAR 52.204-21 to FAR 52.240-93. Those are the older, pre-CMMC self-assessment clauses. The CMMC clauses — 252.204-7021 and 252.204-7025 — DFARS 252.204-7012, and the CMMC Program Rule at 32 CFR Part 170 were not changed.
This is the single biggest source of fresh confusion in the market right now, so let’s be precise. A wave of “DFARS 7019 and 7020 are gone” and “no more basic self-assessments” headlines hit in early 2026. Read fast, they sound like CMMC changed. It didn’t. What changed is the plumbing around the old NIST SP 800-171 self-assessment path — the one that predates CMMC going live. Here’s the clause-by-clause reality, built from the DoD class-deviation index and the current DFARS text.
What the 2026 FAR overhaul changed — and what it didn’t
| Clause | Before Feb 1, 2026 | After Feb 1, 2026 (RFO class deviation) | Does this change CMMC? |
|---|---|---|---|
| DFARS 252.204-7021 (CMMC compliance clause) | The CMMC clause | Unchanged | No — this is the CMMC acquisition clause; fully in force |
| DFARS 252.204-7025 (CMMC level notice) | Solicitation notice provision | Unchanged | No |
| DFARS 252.204-7012 (safeguarding + 72-hour incident reporting) | In force | Unchanged | No |
| DFARS 252.204-7019 (Basic NIST 800-171 self-assessment notice) | Required a Basic self-assessment score in SPRS | Eliminated as a standalone provision | Indirectly — the pre-CMMC self-attestation path is being absorbed into CMMC |
| DFARS 252.204-7020 (Medium/High DoD assessment) | Medium/High NIST 800-171 assessments | Renumbered to DFARS 252.240-7997; "Basic" references removed | No new CMMC change; Medium/High mechanics carried forward |
| FAR 52.204-21 (basic safeguarding of FCI) | FAR 52.204-21 | Renumbered to FAR 52.240-93 (content unchanged) | No |
The bottom line: the RFO reorganized the older DFARS self-assessment clauses. It did not amend the CMMC Program Rule, and it did not change the CMMC acquisition clauses. Your CMMC obligations under 252.204-7021 are exactly what they were.
Two practical cautions. First, because this was done by class deviation rather than formal rulemaking, the Code of Federal Regulations still shows the old clause numbers, so during the transition you may see both old and new numbers referring to the same requirement in different documents. Expect to juggle both for a while. Second — and this is the one that actually costs money — the elimination of the Basic self-assessment path under 7019 does not mean self-assessment obligations disappeared. If your contract requires Level 2 (Self), you still complete a NIST SP 800-171 self-assessment and post it, now under the CMMC framework via 252.204-7021. Verify the current text yourself on the DoD class-deviation index rather than trusting a headline.
The two-rule clause checklist
If you’re staring at a solicitation or contract right now, run this quick check before you spend a dollar on compliance:
- DFARS 252.204-7025 present in the solicitation? What CMMC level/assessment type does it name?
- DFARS 252.204-7021 included in the contract (or being added by modification)?
- What CMMC level is required, and do you have the matching current status in SPRS?
- CMMC UID for each system that will process, store, or transmit FCI or CUI?
- Annual affirmation of continuous compliance — is it current in SPRS?
- For any sub handling FCI or CUI — confirmed required level before subcontract award?
- COTS-only claim — confirmed the acquisition is solely for COTS items?
Does CMMC use NIST SP 800-171 Rev. 2 or Rev. 3?
Under the current 32 CFR Part 170 text, CMMC Level 2 uses NIST SP 800-171 Revision 2. Revision 3 exists — NIST published it in May 2024, and it superseded Revision 2 in the NIST library — but the CMMC rule did not automatically move to Rev. 3, and CMMC Level 2 still maps to Rev. 2 unless DoD amends the governing rule.
This is a trap with a real price tag. If you build your assessment plan against Rev. 3 because it’s the “newest” version in the NIST catalog, you can end up scoped and documented against a control set your assessment doesn’t use — wasted effort, and confusion when the assessor works from Rev. 2. To keep the DFARS 252.204-7012 reference from automatically pulling contractors to Rev. 3, DoD issued Class Deviation 2024-O0013, which directs contractors subject to 252.204-7012 to comply with NIST SP 800-171 Revision 2. Separately, 32 CFR Part 170 maps CMMC Level 2 to Revision 2. Two different authorities, same practical answer: plan against Rev. 2 today.
The same version-control point applies to Level 3. NIST finalized NIST SP 800-172 Revision 3 on May 13, 2026 — but 32 CFR Part 170 currently incorporates 24 selected enhanced requirements from the February 2021 version of SP 800-172, not Revision 3. DoD has said adopting a newer version into CMMC would require further rulemaking, so a Level 3 candidate today still builds to the February 2021 requirements. Follow the version referenced in your solicitation, and watch dodcio.defense.gov/CMMC for any future transition. Sources: NIST SP 800-171 Rev. 2, NIST SP 800-172 Rev. 3 (May 13, 2026), and 32 CFR § 170.14.
Who decides whether I need Level 1, Level 2 (Self), Level 2 (C3PAO), or Level 3?
DoD Program Managers and requiring activities select the CMMC level and assessment type based on the type of information — FCI or CUI — that will be processed, stored, or transmitted on your systems. The solicitation then states the required level and assessment type. A generic checklist doesn’t set your level; the contract does.
Here’s how to read the answer once it’s in front of you:
- If the solicitation says Level 1 (Self): You’re on the FCI-only path unless something else in the contract says otherwise. You need an annual self-assessment and affirmation against the 15 basic safeguarding requirements in FAR 52.204-21.
- If it says Level 2 (Self): You’re in a CUI-related Level 2 path, but the contract allows a self-assessment instead of a C3PAO certification. You still assess against all 110 NIST SP 800-171 Rev. 2 requirements, maintain the documentation, and affirm in SPRS.
- If it says Level 2 (C3PAO): You need a Level 2 certification assessment by an authorized C3PAO, with the required status and affirmation in SPRS. A Level 2 (Self) status does not satisfy a Level 2 (C3PAO) requirement.
- If it says Level 3 (DIBCAC): This is the highest current tier. It requires Final Level 2 (C3PAO) status for the same scope as a prerequisite, plus the 24 enhanced NIST SP 800-172 (Feb 2021) requirements, and it’s assessed by the government’s DIBCAC.
And yes — DoD can require Level 2 (C3PAO) during Phase 1. Phase 1 leans toward self-assessments, but the phase schedule expressly lets DoD include Level 2 (C3PAO) in place of Level 2 (Self) in applicable Phase 1 procurements. Don’t plan from headlines about “self-assessments only.” Plan from the solicitation in front of you. Sources: 32 CFR § 170.3 and DoD CIO, About CMMC.
How do the two rules affect subcontractors and flow-down?
CMMC flows through the supply chain at every tier when a subcontractor stores, processes, or transmits FCI or CUI on its own systems. A subcontractor that only handles FCI generally needs Level 1 (Self); one that handles CUI needs at least Level 2. The required assessment type is driven by the prime contract’s flow-down requirement and the information actually being flowed down. This is governed by both rules together — the scope logic in 32 CFR § 170.23 and the flow-down requirement in DFARS 252.204-7021.
Two things routinely surprise people here, and both matter for planning. First, “we’re just a subcontractor” is not an exemption. If CUI is flowing to you, you carry the requirement, and your prime is on the hook to confirm you hold a current CMMC status at the level appropriate for the information being flowed down before subcontract award. Second — and this is a genuine operational headache baked into the rule — a prime cannot see your SPRS record. Subcontractors post their own assessments and affirmations, but DoD doesn’t share that data up the chain, so primes have to verify compliance directly, usually by asking for it in writing. If you’re a prime, build a subcontractor verification process now. If you’re a sub, expect to be asked to prove your status, and never send CUI, drawings, or sensitive contract details through an ordinary intake form or email to do it. Sources: 32 CFR § 170.23 and DFARS 252.204-7021.
What if my contract is only for COTS items?
If the solicitation or contract is solely for commercially available off-the-shelf (COTS) items, DFARS 204.7504 excludes it from the CMMC clause prescription. That’s the exception — and it’s narrow.
The word doing the heavy lifting is “solely.” Don’t decide it from system use alone, and don’t confuse “commercial” with “COTS-only” — plenty of commercial product and service work falls outside the narrow COTS exception. Confirm the actual acquisition type and whether the clause is present, and if there’s any ambiguity in the solicitation, ask the contracting officer before you assume you’re excluded or spend anything on compliance. This is a spot where a quick check with a federal-contracts attorney is cheaper than guessing wrong. Source: DFARS 204.7504 on Acquisition.gov.
Now that you understand the two rules, which provider category do you need?
It depends on the question you’re actually trying to answer. If you’re still decoding a clause, start with contract review and a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. If you need readiness or remediation, look at an RPO/RP, MSP, MSSP, vCISO, GRC platform, or CUI enclave. If your solicitation requires Level 2 (C3PAO) and you’re genuinely assessment-ready, then evaluate authorized C3PAOs. And keep readiness and formal assessment separate: Cyber AB’s authorization requirements for C3PAOs include conflict-of-interest and impartiality rules for Level 2 certification assessments, so you generally shouldn’t hire your readiness/remediation provider as your C3PAO for the same engagement.
Here’s the honest mapping from situation to next step. Note the middle column is the category to consider — we don’t rank named providers on this page, and we never imply anyone is endorsed, verified, or guaranteed to get you certified.
Situation → provider category
| Your situation | Likely next provider category | Not the right first step |
|---|---|---|
| You just need to understand whether the clause applies | RP/RPO or federal-contracts attorney | Buying a tool before scope is clear |
| You know you need Level 2 but you're not ready | RPO/RP, MSP, MSSP, vCISO, GRC platform, CUI enclave | Booking a C3PAO assessment prematurely |
| Your CUI is scattered across too much of your IT | CUI enclave / GCC High / secure collaboration + scoping help | Assessing the whole environment by default |
| You need evidence and control-mapping workflow | GRC / SSP / POA&M / evidence-management platform (a supporting layer, not the whole solution) | Spreadsheet-only evidence chaos |
| You're assessment-ready and the contract requires Level 2 (C3PAO) | Authorized C3PAO | A readiness consultant acting as the assessor |
| You're a Level 3 candidate | Level 2 (C3PAO) prerequisite + DIBCAC planning | Treating Level 3 like a bigger Level 2 |
One caution worth stating plainly, because it’s a real limitation of the software-heavy pitch you’ll hear: no GRC platform, by itself, makes you CMMC compliant. Tools manage evidence, map controls, and keep you organized — genuinely useful, and often worth it — but the assessment evaluates whether the controls are actually implemented in your environment, not whether you own good software. If a vendor implies the tool is the solution, that’s your cue to slow down and separate “helps me get there” from “gets me there.”
For more on the full provider landscape, see our CMMC provider categories guide.
What we actually verified for this page
We don’t ask you to take “trust us” at face value. Here’s exactly what we checked, against which primary source, what we used it for, and its status as of July 2026 — so you can verify the rule path yourself before making an expensive decision.
| Source we read | What we used it for | Status / operational takeaway (July 2026) |
|---|---|---|
| Federal Register 89 FR 83092 / 32 CFR Part 170 | Program Rule publication and effective dates, program purpose | Effective Dec 16, 2024; establishes the CMMC program (levels, statuses, assessments) |
| eCFR 32 CFR Part 170 (§§ 170.3, 170.14, 170.17, 170.21, 170.23) | Levels, phases, scoring, POA&M, affirmation, flow-down | Current text; Level 2 still maps to NIST SP 800-171 Rev. 2; Level 3 to SP 800-172 (Feb 2021) |
| Federal Register 90 FR 43560 (DFARS Case 2019-D041) | Acquisition Rule text, effective date, impact estimates | Effective Nov 10, 2025; ~337,968 impacted, ~229,818 small entities |
| Acquisition.gov DFARS 204.7504 | Clause/provision prescription and COTS-only exception | Prescribes -7021 and -7025; COTS-only excluded |
| Acquisition.gov DFARS 252.204-7025 | Solicitation provision: required level, pre-award SPRS status/affirmation, UIDs | New provision added by the 2025 rule |
| Acquisition.gov DFARS 252.204-7021 | Contract clause: current status, annual affirmation, UID reporting, flow-down | Existing clause revised by the 2025 rule (not newly created) |
| DoD DFARS/FAR Overhaul class-deviation index | The February 2026 renumbering | 7019 eliminated; 7020 → 252.240-7997; FAR 52.204-21 → 52.240-93; CMMC clauses unchanged |
| NIST CSRC SP 800-171 Rev. 2 & SP 800-172 Rev. 3 | Confirming CMMC versions and avoiding version confusion | CMMC L2 = 800-171 Rev. 2; L3 = 800-172 (Feb 2021); 800-172 Rev. 3 finalized May 13, 2026 but not yet in CMMC |
| DoD Class Deviation 2024-O0013 | 7012 alignment to NIST SP 800-171 Rev. 2 | Keeps 7012 pinned to Rev. 2 pending future rulemaking |
| DoD CIO, About CMMC | Level definitions and assessment-type overview | Consistent with 32 CFR Part 170 |
Frequently asked questions
Is the CMMC Program Rule the same as the CMMC Final Rule?
Usually, “CMMC Program Rule” means the 32 CFR Part 170 final rule published at 89 FR 83092 and effective December 16, 2024. But “CMMC Final Rule” is ambiguous, because people also use it for the later DFARS/48 CFR acquisition final rule effective November 10, 2025. Both are final rules — always ask which one someone means. (Sources: 89 FR 83092; 90 FR 43560.)
Is 32 CFR or 48 CFR more important for CMMC?
Neither is “more important” — they do different jobs. 32 CFR Part 170 defines the CMMC Program and its status mechanics; the 48 CFR/DFARS rule tells contracting officers how to put CMMC requirements into solicitations and contracts. Only the DFARS clause creates a contractual obligation on a specific award. (Source: 32 CFR Part 170.)
What is DFARS 252.204-7025?
DFARS 252.204-7025 is the solicitation provision titled “Notice of Cybersecurity Maturity Model Certification Level Requirements.” It states the required CMMC level and assessment type and makes an offeror ineligible for award without a current CMMC status and affirmation in SPRS. It was newly added by the 2025 acquisition rule. (Source: DFARS 252.204-7025, Acquisition.gov.)
What is DFARS 252.204-7021?
DFARS 252.204-7021 is the contract clause titled “Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements.” It governs ongoing obligations: maintaining current CMMC status, filing annual affirmations in SPRS, reporting CMMC UIDs, processing FCI/CUI only on systems with the required status, and flowing requirements down to subcontractors. The clause pre-dates the 2025 rule (it traces to a 2020 interim rule) and was revised for CMMC 2.0. (Source: DFARS 252.204-7021, Acquisition.gov.)
When did CMMC become enforceable in contracts?
The DFARS acquisition final rule became effective November 10, 2025, starting Phase 1 of the phased rollout. The Program Rule’s earlier effective date (December 16, 2024) established the standard but did not by itself make CMMC a contract requirement. (Source: 90 FR 43560.)
Does CMMC Phase 1 mean only self-assessments?
No. Phase 1 leans toward Level 1 (Self) and Level 2 (Self), but 32 CFR § 170.3 lets DoD include Level 2 (C3PAO) in place of Level 2 (Self) in applicable Phase 1 procurements. Read every solicitation rather than assuming a self-assessment is enough. (Source: 32 CFR § 170.3.)
Does CMMC Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?
Under the current 32 CFR Part 170 text, CMMC Level 2 uses NIST SP 800-171 Revision 2. Revision 3 exists and superseded Rev. 2 in the NIST library in 2024, but the CMMC rule has not automatically changed to Rev. 3. Plan against Rev. 2 unless your solicitation or an updated rule says otherwise. (Sources: NIST SP 800-171 Rev. 2; 32 CFR § 170.14.)
Does the new NIST SP 800-172 Revision 3 change CMMC Level 3?
Not yet. NIST finalized SP 800-172 Revision 3 on May 13, 2026, but 32 CFR Part 170 still incorporates 24 selected enhanced requirements from the February 2021 version for CMMC Level 3. DoD has indicated that adopting a newer version would require further rulemaking, so Level 3 candidates should build to the February 2021 requirements today. (Sources: NIST SP 800-172 Rev. 3; 32 CFR § 170.14.)
Did the February 2026 FAR overhaul change CMMC?
No. Effective February 1, 2026, the Revolutionary FAR Overhaul eliminated DFARS 252.204-7019, renumbered 252.204-7020 to 252.240-7997, and renumbered FAR 52.204-21 to FAR 52.240-93 — the older, pre-CMMC self-assessment clauses. The CMMC clauses (252.204-7021 and 252.204-7025), DFARS 252.204-7012, and 32 CFR Part 170 were not changed. During the transition you may see both old and new clause numbers. (Source: DoD class-deviation index.)
Did the elimination of DFARS 7019 remove my self-assessment duty?
No, not if your solicitation or contract requires Level 1 (Self) or Level 2 (Self) under CMMC. The overhaul reorganized the older 7019/7020 assessment structure, but CMMC self-assessment statuses still exist under 32 CFR Part 170 and are required through DFARS 252.204-7021/-7025 when those CMMC requirements are inserted. (Sources: DFARS 252.204-7021; DFARS 252.204-7025.)
Do subcontractors need CMMC?
Yes, when they store, process, or transmit FCI or CUI on their own systems in performance of the subcontract. FCI-only subcontractors generally need Level 1 (Self); subcontractors handling CUI need at least Level 2, with the assessment type driven by the prime contract’s flow-down requirement and the information being flowed down. Primes must verify subcontractor compliance and cannot see subcontractor data in SPRS. (Source: 32 CFR § 170.23.)
Can I get a CMMC assessment before a clause appears in my contract?
Yes. The Program Rule’s phase-in does not prevent voluntarily seeking a CMMC assessment before the clause is added to a new or existing contract. Whether it’s worthwhile depends on your contract pipeline, your scope, and the status you will ultimately need. (Source: 32 CFR Part 170.)
The bottom line
Two rules. Two jobs. 32 CFR Part 170 defines CMMC. The 48 CFR/DFARS acquisition rule puts it in your contract through 252.204-7021 and 252.204-7025. The Program Rule became effective December 16, 2024; the Acquisition Rule became effective November 10, 2025 and started the phased rollout. The February 2026 FAR overhaul renumbered the older assessment clauses but left the CMMC rules alone. What triggers your obligation isn’t a date on a calendar — it’s the clause in your solicitation, which sets your level and assessment type.
Once you know which rule is driving your situation and what your contract actually requires, the only question left is who to bring in — and that answer depends on your level, your FCI/CUI scope, your environment, and your timeline.