
CMMC 2.0 Proposed Rule Published: 32 CFR Part 170 Analysis

After years of anticipation, the Department of Defense published the CMMC 2.0 proposed rule (32 CFR Part 170) in the Federal Register on December 26, 2023, with the comment period extending into early 2024. This rule establishes the CMMC program's regulatory framework and defines how cybersecurity requirements will be verified for defense contractors.

Key Provisions

Three-Level Model Codified: The proposed rule formally establishes the three-level CMMC model. Level 1 covers 15 requirements from FAR 52.204-21 (basic safeguarding), Level 2 maps to the 110 requirements in NIST SP 800-171 Rev 2, and Level 3 adds selected enhanced requirements from NIST SP 800-172.

Assessment Types: Level 1 requires annual self-assessment. Level 2 has two pathways: self-assessment for contracts involving non-prioritized CUI, and C3PAO third-party assessment for contracts involving prioritized CUI. Level 3 requires a government-led DIBCAC assessment.

POA&M Allowances: The rule allows limited use of Plans of Action and Milestones at Level 2 and Level 3. Not all requirements are eligible — certain high-value requirements must be met at the time of assessment. The POA&M closeout window is 180 days from conditional certification.

Affirmation Requirements: A senior official from the contracting organization must affirm compliance annually in SPRS. This affirmation carries legal weight — false affirmation exposes the company and the individual to False Claims Act liability.

Phased Implementation

The proposed rule outlines a phased approach to implementation. Phase 1 would require CMMC Level 1 or Level 2 self-assessment for applicable contracts. Subsequent phases would introduce third-party assessment requirements. The full implementation timeline spans several years, giving industry time to prepare and the C3PAO ecosystem time to scale.

Public Comments

The comment period generated thousands of submissions from contractors, industry associations, C3PAOs, and cybersecurity professionals. Key themes included concerns about cost burden on small businesses, the adequacy of the C3PAO supply to handle assessment volume, the treatment of cloud service providers and managed service providers, and the timeline for transitioning from NIST 800-171 Rev 2 to Rev 3.

What Contractors Should Do Now

The proposed rule confirms everything the DoD has been signaling for years. If you handle CUI, you need to be implementing NIST 800-171 Rev 2 now. Do not wait for the final rule to start building your SSP, collecting evidence, and closing control gaps. The contractors who are preparing now will be first in line for assessments and will have the smoothest experience. Those who wait will face scheduling bottlenecks, higher consulting costs, and the stress of trying to build a compliance program under deadline pressure.
