Skip to content

The Regulatory Background for CMMC

 

Learn about DFARS 252.204-7021, 32 CFR Part 170, reporting requirements once you transition to CMMC, & the phased implementation timeline through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.

Table of Contents

What is 32 CFR Part 170 and what does it establish? 

 

32 CFR Part 170 is the CMMC Program Rule, published by the Department of Defense in the Federal Register on October 15, 2024, with an effective date of December 16, 2024, that establishes the structure, definitions, levels, assessment types, and certification processes for the CMMC program. 

The rule defines the three CMMC levels, the assessment types available at each level (self-assessment, C3PAO third-party assessment, DIBCAC government assessment), the roles within the CMMC ecosystem, the scoping requirements for assessments, the POA&M conditions and timelines, the annual affirmation obligations, and the phased implementation schedule under 32 CFR 170.3(e). 

Critically, 32 CFR Part 170 establishes the CMMC program framework but does not itself insert CMMC requirements into contracts, that function is performed by the separate 48 CFR DFARS acquisition rule. Together, the two rules form the complete regulatory foundation for CMMC enforcement.

 

What is DFARS 252.204-7021 and what does it require of defense contractors? 

 

Summary: DFARS clause 252.204-7021, titled “Cybersecurity Maturity Model Certification Requirements,” is the Defense Federal Acquisition Regulation Supplement clause that makes CMMC compliance a legally enforceable condition of DoD contract award, effective November 10, 2025. 

The clause, published in the final DFARS rule in the Federal Register on September 10, 2025, requires that every DoD solicitation and contract involving FCI or CUI specify the CMMC level required for award. Contractors must achieve and maintain the specified CMMC level as a condition of contract award and continued performance, and must flow down the CMMC requirement to applicable subcontractors. 

The clause requires contractors to maintain a current valid CMMC status in SPRS at the required level. When CMMC Level 2 C3PAO certification is required, the contractor must present a valid certification issued through the Cyber AB’s CMMC eMASS system. DFARS 252.204-7021 replaced the parallel DFARS 252.204-7019 and 7020 self-reporting clauses, which were deleted effective February 2026. 

 

What is the difference between 32 CFR Part 170 and the 48 CFR DFARS acquisition rule? 

 

Summary: The two CMMC rules serve distinct functions: 32 CFR Part 170 establishes the CMMC program itself, its structure, definitions, and processes, while the 48 CFR DFARS acquisition rule makes CMMC requirements legally enforceable in defense contracts by inserting CMMC clauses into DoD solicitations and contracts. 

Think of 32 CFR Part 170 as the blueprint for the program and the 48 CFR rule as the enforcement mechanism. 32 CFR Part 170 was finalized on October 15, 2024 (effective December 16, 2024) and defined what CMMC is, how the levels work, who conducts assessments, and how the phased rollout proceeds. 

Without the 48 CFR rule, contracting officers had no authority to include CMMC requirements in solicitations. The 48 CFR DFARS rule, which added and modified DFARS clauses including 252.204-7021, was published September 10, 2025 and became effective November 10, 2025, starting Phase 1 of CMMC enforcement. Both rules must be read together to understand the full scope of a contractor’s CMMC obligations. 

 

Does CMMC replace my existing DoD contract obligations to comply with NIST SP 800-171? 

 

Summary: CMMC does not replace the obligation to comply with NIST SP 800-171 Rev 2, it adds mandatory third-party verification on top of it. Contractors retain their existing obligation to implement all 110 controls; CMMC adds the requirement to prove that implementation through structured assessment rather than self-attestation alone. 

DFARS clause 252.204-7012, the clause that originally imposed the NIST SP 800-171 obligation, remains in force alongside DFARS 252.204-7021 (the CMMC clause). This means contractors operating under DoD contracts will have both clauses active simultaneously. The security obligations do not change: 110 controls, 14 domains, full documentation. 

What changes is the verification method. Under DFARS 252.204-7012 alone, self-attestation was sufficient. Under CMMC via DFARS 252.204-7021, most contractors handling CUI must demonstrate compliance to an independent C3PAO. CMMC Level 2 compliance is built on NIST SP 800-171 Rev 2, the two are the same security standard, with CMMC adding the assessment layer.

 

Do I still have cyber incident reporting obligations under my DoD contract even after CMMC is added, and what clause governs that? 

 

Summary: Cyber incident reporting obligations exist independently of CMMC and remain fully in force under DFARS clause 252.204-7012 subsections (c) through (g), which CMMC does not replace or supersede. 

Under 252.204-7012(c)–(g), contractors must rapidly report cyber incidents affecting covered defense information (which includes CUI) or the contractor’s ability to perform the contract. The reporting obligation requires submission of a cyber incident report to the DoD within 72 hours of discovery using the DoD’s DIBNet portal. Contractors must also preserve images of compromised systems and relevant data for at least 90 days to support potential DoD forensic analysis, and must provide the DoD access to those images upon request. 

CMMC certification does not eliminate or reduce these reporting requirements, a contractor can be fully CMMC Level 2 certified and still be required to report a qualifying cyber incident within 72 hours. These are parallel obligations: CMMC governs the security controls in place before an incident; DFARS 252.204-7012(c)–(g) governs what happens when one occurs. 

 

What happened to DFARS 252.204-7019 and 252.204-7020, and what replaced them? 

 

DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) and DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements) were deleted effective February 2026 as part of a broader Federal Acquisition Regulation overhaul to eliminate regulatory redundancy following the finalization of the CMMC acquisition rule. 

Under the prior framework, 7019 required contractors to notify the DoD of their NIST SP 800-171 self-assessment obligation and 7020 governed the actual submission of self-assessment scores to SPRS. These clauses were made redundant by the finalization of DFARS 252.204-7021, which incorporates the assessment and SPRS reporting obligations into the CMMC framework. 

Contractors now fulfill all assessment and reporting obligations through the CMMC clause (252.204-7021) rather than through the parallel 7019/7020 framework. DFARS 252.204-7012 remains in effect and governs the underlying security implementation requirement and incident reporting. 

 

What is the CMMC phased implementation timeline and where are we in 2026? 

 

Summary: CMMC is being implemented across the Defense Industrial Base in four phases over three years, beginning November 10, 2025, with mandatory C3PAO certification for most CUI-handling contractors becoming the standard from November 10, 2026 onward. 

Phase 1 (November 10, 2025 – November 9, 2026): CMMC Level 1 and Level 2 self-assessments appear in applicable DoD solicitations and contracts as conditions of award. C3PAO-assessed Level 2 certification may also be required in selected contracts involving DOIG-category CUI at DoD program manager discretion. 

Phase 2 (November 10, 2026 – November 9, 2027): Mandatory CMMC Level 2 C3PAO certification requirements begin appearing in applicable solicitations as a standard condition of award. This is the enforcement inflection point for the Defense Industrial Base. 

Phase 3 (November 10, 2027 – November 9, 2028): CMMC Level 2 C3PAO certification is required for contract option exercises in addition to new awards. CMMC Level 3 DIBCAC assessment requirements begin appearing in applicable contracts. 

Phase 4 (November 10, 2028 and beyond): Full implementation of CMMC requirements at the appropriate level apply to all new and option-period DoD contracts involving FCI or CUI, with no further phase-in exceptions. As of March 2026, the program is in Phase 1.

 

Explore Blogs, Webinars and other Resources

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
Dose Spot Company Logo
DoseSpot
Forsyte I.T. Solutions
Tego Data

Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

What Our Clients Say

We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center

Our Growing List of Credentials

0 +
Assessments
0 +
Clients
0 +
Assessment Libraries
0 +
Years of Experience
0 +
No. of Staff Trained
0 +
HIPAA
0 +
SOC 2 Readiness
0 +
Pen Testing
0 +
ISO 27001 Certifications
0 +
Dollars Saved in Compliance Penalties