
CMMC Final Rule: What 32 CFR Part 170 Means for Defense Contractors

The CMMC final rule (32 CFR Part 170) published in October 2024 codifies CMMC 2.0 into federal regulation. Learn about the key provisions, phased rollout, POA&M allowances, and what the 48 CFR DFARS rulemaking means for contracts.

Agency Team

When the CMMC final rule published in October 2024, it ended years of speculation about what the program would ultimately look like. Having tracked every iteration from CMMC 1.0 through the 2.0 proposal to the final codification, we can say that the rule strikes a pragmatic balance — but it also introduces enforcement mechanisms that defense contractors must take seriously.

The publication of 32 CFR Part 170 — the CMMC final rule — marked the formal codification of the Cybersecurity Maturity Model Certification program into federal regulation. This rule transforms CMMC from a policy framework into an enforceable regulatory requirement for the defense industrial base. For every organization that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on DoD contracts, understanding this rule is essential to planning your compliance journey.

This analysis covers the key provisions of the final rule, the significant changes from the proposed rule, the phased implementation plan, and the critical relationship between 32 CFR Part 170 and the companion 48 CFR DFARS rulemaking that will put CMMC into contracts.

Background: The Road to the Final Rule

The journey to 32 CFR Part 170 was long and iterative. Understanding the history provides context for why the final rule looks the way it does.

CMMC 1.0 (January 2020)

The original CMMC framework featured five maturity levels, each with progressively more sophisticated cybersecurity practices. It introduced the concept of third-party certification — a departure from the self-attestation model under DFARS 252.204-7012. However, industry feedback highlighted significant concerns: the five-level structure was unnecessarily complex, the cost burden on small businesses was disproportionate, and the lack of POA&M allowances meant that a single unmet control could prevent certification entirely.

CMMC 2.0 Announcement (November 2021)

The Department of Defense responded with CMMC 2.0, which streamlined the framework to three levels, aligned directly with existing NIST standards (eliminating the "CMMC-unique" practices from 1.0), introduced the self-assessment path for certain Level 2 contracts, and allowed POA&Ms for conditional certification. This was announced as policy, but it needed formal rulemaking to become enforceable.

Proposed Rule (December 2023)

The proposed rule for 32 CFR Part 170 was published in the Federal Register on December 26, 2023, opening a 60-day public comment period. The Department received over 2,000 comments from industry, trade associations, and other stakeholders. The proposed rule laid out the three-level structure, assessment requirements, and implementation approach, but many details were refined based on public comment before finalization.

Final Rule (October 2024)

The final rule was published on October 15, 2024, with an effective date of December 16, 2024. It represents the definitive regulatory codification of CMMC 2.0.

Key Provisions of 32 CFR Part 170

Three-Level Structure

The final rule retains the three-level structure from CMMC 2.0:

| Level | Based On | Information Protected | Assessment Type |
|---|---|---|---|
| Level 1 (Foundational) | 17 practices from FAR 52.204-21 | FCI | Annual self-assessment |
| Level 2 (Advanced) | 110 controls from NIST SP 800-171 Rev 2 | CUI | Self-assessment or C3PAO assessment |
| Level 3 (Expert) | NIST 800-171 + select NIST 800-172 controls | Critical CUI | Government-led assessment (DIBCAC) |

This structure remained unchanged from the proposed rule, reflecting the DoD's commitment to the streamlined three-level approach that replaced the original five levels.

Assessment Ecosystem

The final rule defines the roles and responsibilities of the assessment ecosystem:

Certified CMMC Third-Party Assessment Organizations (C3PAOs) — Accredited by the Cyber AB to conduct Level 2 assessments. Must maintain accreditation, employ certified assessors, and operate under quality management procedures.

Certified CMMC Assessors (CCAs) — Individuals certified by the Cyber AB to conduct assessments as part of a C3PAO team. Must meet training, examination, and experience requirements.

Certified CMMC Professionals (CCPs) — Individuals certified in the CMMC framework who can support but not lead assessments. CCPs can provide consulting and advisory services.

Defense Contract Management Agency (DCMA) DIBCAC — The government entity that conducts Level 3 assessments and retains authority to verify contractor self-assessments at any level.

Scoping Guidance

The final rule provides detailed scoping guidance for each level, defining which assets fall within the assessment boundary:

  • CUI Assets — Systems that process, store, or transmit CUI
  • Security Protection Assets — Systems that provide security functions for the CUI environment (firewalls, SIEM, domain controllers) even if they do not directly process CUI
  • Contractor Risk Managed Assets — Systems that can access the CUI environment but are managed through the organization's risk management process rather than implementing all 110 controls directly
  • Specialized Assets — Government-furnished equipment, IoT devices, test equipment, and other specialized systems with tailored security requirements
  • Out-of-Scope Assets — Systems that have no connection to the CUI environment and do not process, store, or transmit CUI

Scoping was a significant area of refinement from the proposed rule. The final rule provides clearer guidance on how to categorize assets, which reduces the ambiguity that organizations and assessors faced under the proposed framework.

Changes from the Proposed Rule to the Final Rule

The final rule incorporated numerous changes based on public comment. The most significant are detailed below.

POA&M Allowances

Proposed rule: Allowed POA&Ms but provided limited guidance on which controls could be placed on POA&M and under what conditions.

Final rule: Significantly refined the POA&M framework:

  • Identified specific controls that are not POA&M-eligible — these represent the minimum security baseline that must be in place before any certification (including conditional) can be granted
  • Established maximum point thresholds for POA&M items — if your unmet controls exceed the threshold, conditional certification is not available
  • Set a firm 180-day remediation window — all POA&M items must be closed within 180 days, verified by the C3PAO
  • Required that POA&M items include specific remediation plans, milestones, resource identification, and completion dates

This was one of the most consequential changes. The proposed rule's relatively open-ended POA&M approach raised concerns that organizations could achieve conditional certification with major security gaps. The final rule's specific exclusions and point limits ensure that conditional certification represents a genuinely near-compliant state, not a placeholder.
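To make the four POA&M conditions concrete, here is an added illustration (not code from the rule or from this article) that classifies an assessment outcome as full, conditional or denied. The excluded-control set, point weights and point threshold are constructed assumptions, since the actual values are fixed in 32 CFR Part 170; the 180-day window is the one the rule states.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed assumptions, not the rule's actual values: controls excluded from
# POA&M, point weights, and the largest deficit that still allows conditional status.
NON_POAM_ELIGIBLE = {"3.1.1", "3.1.2", "3.5.2"}
CONTROL_POINTS = {"3.1.1": 5, "3.1.2": 5, "3.5.2": 5, "3.13.11": 5, "3.3.1": 1}
MAX_POAM_POINTS = 10
REMEDIATION_DAYS = 180  # the rule's closure window for every POA&M item


@dataclass
class PoamItem:
    """One POA&M entry carrying the fields the final rule requires."""
    control: str
    plan: str
    milestones: list[str]
    resources: str
    completion: date


def evaluate(unmet: set[str], poam: list[PoamItem], assessed: date) -> tuple[str, list[str]]:
    """Return ('full' | 'conditional' | 'denied', reasons) for one assessment."""
    if not unmet:
        return "full", []
    reasons: list[str] = []
    baseline = sorted(unmet & NON_POAM_ELIGIBLE)
    if baseline:  # minimum baseline: no POA&M allowed for these controls
        reasons.append(f"non-POA&M-eligible controls unmet: {baseline}")
    deficit = sum(CONTROL_POINTS.get(c, 1) for c in unmet)
    if deficit > MAX_POAM_POINTS:  # too many open gaps for conditional status
        reasons.append(f"point deficit {deficit} exceeds limit {MAX_POAM_POINTS}")
    uncovered = sorted(unmet - {item.control for item in poam})
    if uncovered:  # every unmet control needs a POA&M entry
        reasons.append(f"unmet controls with no POA&M item: {uncovered}")
    deadline = assessed + timedelta(days=REMEDIATION_DAYS)
    for item in poam:
        if not (item.plan and item.milestones and item.resources):
            reasons.append(f"{item.control}: plan, milestones or resources missing")
        if item.completion > deadline:
            reasons.append(f"{item.control}: completion {item.completion} is after {deadline}")
    return ("conditional" if not reasons else "denied"), reasons


def demo() -> tuple[str, str, str]:
    """Three constructed assessments; returns their statuses for inspection."""
    assessed = date(2025, 1, 15)
    fix = PoamItem("3.3.1", "Enable audit logging", ["deploy", "verify"], "IT ops", date(2025, 4, 1))
    late = PoamItem("3.3.1", fix.plan, fix.milestones, fix.resources, date(2025, 8, 1))
    near = evaluate({"3.3.1"}, [fix], assessed)               # eligible gap, on time
    floor = evaluate({"3.1.1", "3.3.1"}, [fix], assessed)     # baseline control unmet
    slow = evaluate({"3.3.1"}, [late], assessed)              # beyond the 180-day window
    return near[0], floor[0], slow[0]
```

Running `demo()` returns `('conditional', 'denied', 'denied')`; the reasons list explains which of the four conditions blocked each denied case.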

Affirmation Requirements

Proposed rule: Required senior official affirmation of assessment results.

Final rule: Strengthened and detailed the affirmation requirement:

  • The senior official must be at the executive level — someone with authority and accountability within the organization, not a mid-level manager or compliance officer
  • The affirmation is a legal statement that the assessment results are accurate and that the organization is implementing the security controls as described
  • Affirmation must be renewed annually, not just at the time of initial assessment
  • The affirmation is submitted through the Supplier Performance Risk System (SPRS) and is accessible to contracting officers
  • False or misleading affirmations can trigger False Claims Act liability, with potential treble damages

The strengthened affirmation requirement is the DoD's primary enforcement mechanism for self-assessments. By making the senior official personally accountable and linking the affirmation to False Claims Act penalties, the rule creates strong incentives for accurate self-reporting.

Role of Senior Officials

The final rule places specific responsibilities on senior officials that go beyond simply signing an affirmation:

  • The senior official must have sufficient authority to ensure that cybersecurity resources are allocated and controls are maintained
  • The senior official must have knowledge of the organization's cybersecurity posture — they cannot plausibly claim ignorance
  • The senior official's identity is recorded and tracked in SPRS, creating a clear chain of accountability
  • In cases of material changes to the organization's cybersecurity posture (a major incident, system migration, etc.), the senior official has an obligation to update the affirmation

What we tell clients: the senior official role is not ceremonial. The individual who signs the affirmation should understand what they are affirming, have reviewed the assessment results, and be confident in their accuracy. Organizations should brief their senior official thoroughly and ensure they are comfortable with the legal implications.

Assessment Process Refinements

The final rule clarified several aspects of the assessment process:

  • Assessment scope validation — C3PAOs must validate that the organization's defined scope is accurate and complete before proceeding with assessment
  • Evidence requirements — The rule provides clearer guidance on what constitutes acceptable evidence for each control
  • Sampling methodology — For organizations with large or distributed environments, the rule allows assessors to use sampling methodologies while maintaining rigor
  • Assessment reporting — Standardized reporting requirements ensure consistency across C3PAOs
  • Appeals process — Organizations that disagree with assessment findings have a defined process for appeal

Cloud Service Provider Requirements

The final rule addressed the use of cloud services in CUI environments:

  • Cloud services used to process, store, or transmit CUI must meet FedRAMP Moderate baseline (or equivalent) at minimum
  • The organization is responsible for configuring cloud services in accordance with NIST 800-171 controls — FedRAMP authorization of the cloud provider does not automatically satisfy the organization's obligations
  • Shared responsibility — The organization must understand and document which controls are the cloud provider's responsibility, which are the organization's responsibility, and which are shared

The 48 CFR DFARS Rulemaking

This is a point of confusion that we encounter frequently: the 32 CFR final rule does not, by itself, put CMMC requirements into DoD contracts. That is the job of the companion 48 CFR DFARS rulemaking.

Two Rules, One Program

| Rule | Purpose | Status |
|---|---|---|
| 32 CFR Part 170 | Establishes the CMMC program (levels, requirements, assessments) | Final rule effective December 16, 2024 |
| 48 CFR DFARS | Creates contract clause 252.204-7021 requiring CMMC certification | Proposed rule published; final rule pending |

The 32 CFR rule defines what CMMC is. The 48 CFR rule defines when and how CMMC requirements appear in contracts. Both rules must be in effect before CMMC can be required in any contract.

What the DFARS Clause Contains

DFARS clause 252.204-7021, as proposed, requires:

  • The contractor must achieve the specified CMMC level before contract award
  • The CMMC level and assessment type (self-assessment or C3PAO) are specified in the solicitation
  • The requirement flows down to subcontractors based on the information they handle
  • The contractor must maintain certification throughout the performance period
  • Annual affirmations are required

Timeline Dependency

The phased implementation timeline described in the 32 CFR final rule is contingent on the 48 CFR DFARS rule becoming final:

  • Phase 1 begins when both rules are in effect — not before
  • If the 48 CFR rule is delayed, the entire CMMC contract requirement timeline shifts accordingly
  • Organizations should monitor the 48 CFR rulemaking progress as their primary timeline indicator

As of the publication of this analysis, the 48 CFR DFARS proposed rule has been published, but the final rule has not yet been issued. The DoD has indicated its intent to finalize the DFARS rule in alignment with the CMMC implementation timeline, but regulatory processes are inherently subject to delay.

Phased Implementation Under the Final Rule

The final rule establishes a four-phase implementation plan, designed to gradually expand CMMC requirements across DoD contracts.

Phase 1: Foundation

  • Level 1 self-assessments may be required in new contracts
  • Level 2 self-assessments may be required in new contracts
  • Applies to new solicitations at DoD's discretion
  • Establishes the baseline for the SPRS reporting infrastructure

Phase 2: C3PAO Assessments

  • Begins approximately 12 months after Phase 1
  • Level 2 C3PAO assessments may be required in new contracts
  • Existing contracts requiring Level 2 self-assessment may transition to C3PAO requirements upon option exercise or recompetition

Phase 3: Expansion

  • Begins approximately 24 months after Phase 1
  • Level 3 assessments may be required in new contracts
  • Broader application of C3PAO assessment requirements
  • CMMC requirements begin appearing in option periods of existing contracts

Phase 4: Full Implementation

  • Begins approximately 36 months after Phase 1
  • All applicable DoD contracts include CMMC requirements
  • No new solicitations involving FCI or CUI are issued without CMMC clauses
  • Full integration with the acquisition lifecycle

What This Means Practically

The phased approach gives the defense industrial base time to prepare, but the window is finite. Organizations that wait for Phase 2 or Phase 3 to begin preparation will face compressed timelines and limited C3PAO availability. The organizations best positioned are those that treat Phase 1 — or even the current pre-Phase 1 period — as their starting gun.

Impact on Small and Mid-Size Contractors

The CMMC final rule includes several provisions intended to address the disproportionate burden on small businesses:

  • Level 1 remains self-assessment only — Small contractors handling only FCI face the lowest compliance barrier
  • Level 2 self-assessment path — Not all CUI-handling contracts require costly C3PAO assessments
  • POA&M allowances — Organizations can achieve conditional certification while completing remediation, avoiding an all-or-nothing gate
  • Phased implementation — The gradual rollout provides time for small businesses to prepare

However, the reality is that Level 2 compliance remains a significant investment regardless of organization size. Small businesses that handle CUI will need to implement all 110 NIST 800-171 controls, maintain documentation, and either self-assess or engage a C3PAO. The DoD's Mentor-Protege program and various SBA resources may help offset costs, but the compliance burden is real.

Enforcement Mechanisms

The final rule establishes multiple enforcement mechanisms:

False Claims Act

Inaccurate SPRS scores, false affirmations, or misrepresented compliance status can trigger False Claims Act liability. This is not theoretical — the Department of Justice has pursued False Claims Act cases against contractors for cybersecurity non-compliance, and the CMMC affirmation requirement creates a clear paper trail.

Contract Consequences

Failure to maintain the required CMMC level can result in:

  • Non-award of contracts requiring certification
  • Termination of existing contracts for failure to maintain a condition of performance
  • Negative past performance evaluations affecting future contract awards

DIBCAC Verification

The Defense Industrial Base Cybersecurity Assessment Center retains authority to conduct assessments of any contractor at any level, regardless of whether the contract requires self-assessment or C3PAO assessment. This means that even organizations using self-assessment are subject to government verification.

What Defense Contractors Should Do Now

Based on our analysis of the final rule, here are the priority actions for defense contractors:

  1. Review the final rule text — The full 32 CFR Part 170 is available in the Federal Register. Read at least the preamble (which explains the DoD's rationale) and the sections relevant to your anticipated level.

  2. Monitor the 48 CFR DFARS rulemaking — This is the trigger for when CMMC appears in contracts. Track the proposed rule, comment period, and final rule publication.

  3. Determine your level — Identify whether you handle FCI only (Level 1) or CUI (Level 2 or 3) based on your current and anticipated contracts.

  4. Conduct a gap assessment — Evaluate your current compliance posture against the CMMC requirements for your level.

  5. Begin remediation — Do not wait for contracts to require CMMC. The organizations that start now will have the advantage of time and C3PAO availability.

  6. Identify your senior official — Determine who in your organization will sign the affirmation and ensure they understand the legal implications.

  7. Engage with the Cyber AB marketplace — If you anticipate needing a C3PAO assessment, begin evaluating and engaging C3PAOs early.

The CMMC final rule is not a proposal or a discussion paper — it is codified federal regulation. The compliance clock is running, and the organizations that treat it with appropriate urgency will be best positioned to compete for DoD contracts as requirements take effect.
