Compliance

CMMC 32 CFR Part 170: The Program Rule and the Four Phases

DoD's CMMC program rule became effective December 16, 2024 with a four-phase rollout running through November 2028. The companion DFARS rule landed September 10, 2025.

Shadab Khan
Security Engineer
6 min read

On October 15, 2024, the Department of Defense published the Cybersecurity Maturity Model Certification (CMMC) Program rule at 32 CFR Part 170. The rule became effective December 16, 2024 and establishes the program that the DFARS Interim Rule (DFARS Case 2019-D041), in force since November 2020, only pointed at. The companion DFARS rule (48 CFR amendments to DFARS Parts 204, 212, 217 and 252) finalizes that case; it was published September 10, 2025 and took effect November 10, 2025. With both halves in place, DoD has a binding mechanism to require third-party assessment of contractor cybersecurity; the practical question is no longer whether CMMC happens but how the four-phase rollout sequences the contract clauses.

What does 32 CFR Part 170 actually establish?

The program rule codifies three certification levels mapped to information sensitivity. Level 1 covers Federal Contract Information (FCI) and aligns to the 15 basic safeguarding requirements in FAR 52.204-21. Level 2 covers Controlled Unclassified Information (CUI) and aligns to the 110 security requirements of NIST SP 800-171 Rev. 2. Level 3 covers the subset of CUI that needs enhanced protection against advanced persistent threats and aligns to the 110 Level 2 requirements plus 24 selected from NIST SP 800-172; Level 3 assessments are conducted by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by commercial assessors. The rule formalizes the CMMC Accreditation Body (now the Cyber AB) and the role of Certified Third-Party Assessor Organizations (C3PAOs), and establishes a CMMC instantiation of DoD's Enterprise Mission Assurance Support Service (CMMC eMASS) that records assessment results and pushes the resulting CMMC status to the Supplier Performance Risk System (SPRS).

What changed in the final program rule from the proposed version?

Five notable changes. First, conditional status: a contractor can hold Conditional CMMC Status at Level 2 or 3 for up to 180 days while closing a Plan of Action and Milestones (POA&M), provided the assessment scores at least 88 of 110 (no more than 20 percent of requirements deferred), every deferred requirement is a 1-point item under the CMMC scoring methodology (so 3- and 5-point requirements such as multifactor authentication cannot be deferred, with one narrow exception for CUI encryption that is in place but not FIPS-validated), and none of the deferred items is on the rule's short list of 1-point requirements that may never sit on a POA&M. Second, the rule fixes the cloud bar: Cloud Service Providers that process, store or transmit CUI must hold a FedRAMP Moderate authorization or meet DoD's FedRAMP Moderate equivalency requirements. Third, External Service Providers that are not CSPs (an MSSP handling Security Protection Data, for example) no longer need their own CMMC status, as the proposed rule would have required; their services are assessed within the contractor's own assessment scope. Fourth, every CMMC status, including a Level 1 self-assessment, must be affirmed annually in SPRS by a senior official, which creates False Claims Act exposure for misrepresentation. Fifth, procurements solely for Commercial Off-The-Shelf (COTS) items are outside the program entirely, and that exemption is not time-limited.
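The conditional-status test above is the kind of gate a compliance pipeline should compute from the SSP rather than leave to a spreadsheet. The following is an added example, not code from the rule, the Cyber AB, or any product named on this page. It assumes the DoD Assessment Methodology scoring (110 minus the point value of every NOT MET requirement), the 88-point floor, the 1-point-only POA&M rule with the 3.13.11 partial-credit exception, and a NEVER_POAM set of explicitly excluded identifiers that is transcribed from memory of 32 CFR 170.21 and must be verified against the current text; the sample findings and their weights are constructed.

```python
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110    # NIST SP 800-171 Rev. 2 requirement count
CONDITIONAL_MIN_SCORE = 88  # 0.8 x 110, the floor for Conditional Level 2 status

# 1-point requirements that 32 CFR 170.21 excludes from any POA&M.
# Assumption: transcribed from memory of the rule; verify against the current text.
NEVER_POAM = frozenset({"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"})

# The one multi-point exception: CUI encryption that is in place but not
# FIPS-validated scores as a 3-point deduction and may still sit on a POA&M.
FIPS_PARTIAL = ("3.13.11", 3)


@dataclass(frozen=True)
class Finding:
    """A requirement assessed NOT MET, with its DoD Assessment Methodology weight."""
    rid: str      # NIST SP 800-171 Rev. 2 identifier, e.g. "3.5.3"
    weight: int   # point value deducted: 1, 3 or 5


def sprs_score(findings):
    """SPRS-style score: 110 minus the weight of every NOT MET requirement."""
    return TOTAL_REQUIREMENTS - sum(f.weight for f in findings)


def deferrable(f):
    """True if this NOT MET requirement may be carried on a POA&M."""
    if f.rid in NEVER_POAM:
        return False
    return f.weight == 1 or (f.rid, f.weight) == FIPS_PARTIAL


def cmmc_level2_status(findings):
    """Classify results as 'Final', 'Conditional' or 'Not achieved' with reasons.

    Final: nothing open. Conditional: score >= 88 and every open item deferrable,
    which starts the 180-day clock to close the POA&M. Otherwise: no status.
    """
    if not findings:
        return "Final", []
    reasons = []
    score = sprs_score(findings)
    if score < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {score} is below {CONDITIONAL_MIN_SCORE}")
    blocked = sorted(f.rid for f in findings if not deferrable(f))
    if blocked:
        reasons.append(f"not POA&M-eligible: {blocked}")
    return ("Conditional" if not reasons else "Not achieved"), reasons


# Constructed sample findings (weights illustrative, not real assessment data).
SAMPLE_CONDITIONAL = [Finding("3.1.9", 1), Finding("3.3.7", 1), Finding("3.13.11", 3)]
SAMPLE_MFA_OPEN = [Finding("3.5.3", 5), Finding("3.1.9", 1)]
SAMPLE_TOO_MANY = [Finding(f"3.9.{i}", 1) for i in range(23)]  # 23 x 1 point -> score 87

if __name__ == "__main__":
    for name, sample in [("conditional", SAMPLE_CONDITIONAL),
                         ("mfa_open", SAMPLE_MFA_OPEN),
                         ("too_many", SAMPLE_TOO_MANY)]:
        status, why = cmmc_level2_status(sample)
        print(f"{name}: score={sprs_score(sample)} status={status} {why}")
```

The two failure modes the rule cares about surface separately: a high score with a single open 5-point item (MFA) is still no status, and 23 open 1-point items fail on the score floor alone even though each one is individually deferrable. Feed the function the NOT MET rows of the SSP control inventory rather than hand-built lists.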

What does the DFARS final rule add?

The September 10, 2025 DFARS rule revises DFARS 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements), the clause first introduced by the 2020 interim rule, and adds a new solicitation provision, DFARS 252.204-7025, that tells offerors which CMMC level the award will require. The clause requires the contractor to hold and maintain the required CMMC status for every information system that processes, stores or transmits FCI or CUI in performance of the contract, to keep the corresponding CMMC Unique Identifier (UID) recorded in SPRS current and report changes to the contracting officer, and to flow down the CMMC requirement to subcontractors at the level commensurate with the information each subcontractor will handle. The final rule dropped the proposed obligation to notify the contracting officer of "lapses in information security," which industry comments argued was vague and duplicative of DFARS 252.204-7012 incident reporting.

CMMC Four-Phase Rollout (32 CFR 170.3(e); Phase 1 starts on the DFARS effective date, Nov 10, 2025)
Phase 1: 11/10/2025 - 11/10/2026
  - Level 1 or Level 2 self-assessment required at award
  - Level 2 C3PAO certification may be required at award, at DoD's discretion
Phase 2: 11/10/2026 - 11/10/2027
  - Level 2 C3PAO certification required at award (DoD may defer it to an option period)
  - Level 3 DIBCAC assessment may be required at award, at DoD's discretion
Phase 3: 11/10/2027 - 11/10/2028
  - Level 2 C3PAO certification required on option exercises as well as at award
  - Level 3 DIBCAC assessment required at award (DoD may defer it to an option period)
Phase 4: 11/10/2028 onward
  - Full implementation: every applicable solicitation, contract and option period carries the required level

How does Level 2 self-assessment differ from C3PAO certification?

Level 2 has two flavors, both assessed against the same 110 requirements. Level 2 (Self) applies to contracts DoD designates as handling less sensitive CUI and lets the contractor assess itself; Level 2 (C3PAO) requires an assessment by an accredited third party. In the rule's regulatory analysis DoD estimates roughly 4,000 entities will need only a self-assessment and roughly 76,000 will need C3PAO certification, so third-party assessment is the default for CUI, not the exception. Both flavors require annual senior official affirmation in SPRS and produce a CMMC UID that the contracting officer can verify. Assessor capacity is the constraint: as of October 2025 the Cyber AB lists approximately 80 authorized C3PAOs against a Level 2 certification population that DoD itself puts in the tens of thousands, all of which must be certified before Phase 2 makes C3PAO certification mandatory at award.

What about NIST SP 800-171 Revision 3?

NIST published SP 800-171 Rev. 3 on May 14, 2024. Two weeks earlier, on May 2, 2024, DoD issued Class Deviation 2024-O0013, which pins DFARS 252.204-7012 to Rev. 2 instead of the "in effect at the time the solicitation is issued" language in the clause; 32 CFR Part 170 independently defines Level 2 as Rev. 2, so assessments under 252.204-7019, 7020 and 7021 stay on Rev. 2 as well. The deviation remains in force as of late 2025. DoD published Organization-Defined Parameter (ODP) values for Rev. 3 in April 2025, but the transition to Rev. 3 will be sequenced through a future rulemaking, not the current CMMC rule. Contractors building toward Phase 2 should keep their System Security Plans aligned to Rev. 2 while tracking the Rev. 3 ODP table for parameters that would tighten an existing implementation, so that the eventual transition is a diff rather than a rebuild.

What is the False Claims Act exposure?

The rule treats the annual affirmation as a representation on which award and payment depend, which supplies the materiality element of 31 U.S.C. § 3729. The Department of Justice's Civil Cyber-Fraud Initiative, launched October 2021, has already produced settlements with contractors over misrepresented cybersecurity compliance: Aerojet Rocketdyne for $9 million in July 2022, Verizon for $4.09 million in September 2023, Penn State for $1.25 million in October 2024, and Georgia Tech Research Corporation for $875,000 in 2025. Under CMMC, every senior official affirmation in SPRS is a candidate False Claims Act predicate if the underlying SSP misrepresents control implementation, and the affirmation is a single dated, named statement, which is exactly what a relator's complaint needs. Contractors should expect qui tam suits to increase as Phase 1 affirmations accumulate.

How Safeguard Helps

Safeguard maintains a continuous evidence map between NIST SP 800-171 controls, the implementing system configurations, and CMMC assessment objectives, generating the SSP and POA&M artifacts a C3PAO will request rather than producing them once a year. Griffin AI flags configuration drift against the affirmed posture so the senior official's annual SPRS affirmation reflects the current state, mitigating False Claims Act exposure. SBOM-driven scanning surfaces components touching CUI environments, and policy gates block deployments that would introduce uncertified Cloud Service Providers into the boundary. For flow-down management, Safeguard's TPRM scoring tracks subcontractor CMMC UIDs in SPRS and alerts the prime when an upstream certification lapses, well before a contracting officer's option-exercise review.
