CMMCDocs.com


CMMC Final Rule Published: Implementation Timeline

On October 15, 2024, the Department of Defense published the final rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program as 32 CFR Part 170. The rule takes effect on December 16, 2024, and establishes the regulatory framework for verifying cybersecurity compliance across the defense industrial base. After years of development, CMMC is now law.

What the Final Rule Establishes

The final rule codifies the three-level CMMC model, defines assessment requirements for each level, establishes the role of C3PAOs and assessors, details POA&M allowances and limitations, and sets the annual affirmation requirements. It also establishes the CMMC instantiation of the NIST SP 800-171 Rev 2 security requirements as the Level 2 assessment standard.

Key provisions include a formal definition of the assessment scope (the CUI boundary and all assets within it), a requirement for senior official affirmation in SPRS, a 180-day POA&M closeout window for conditional certifications, and a three-year assessment validity period.

Phased Implementation

The DoD is implementing CMMC in four phases, each building on the previous:

Phase 1 (December 16, 2024 - approximately one year): The DoD may include CMMC Level 1 self-assessment or CMMC Level 2 self-assessment requirements in new contracts. This phase allows the DoD to begin exercising the CMMC clause while the C3PAO ecosystem scales. Contractors must have their self-assessment on file in SPRS with an annual affirmation by a senior official.

Phase 2 (approximately one year after Phase 1): The DoD may begin requiring CMMC Level 2 C3PAO assessments for contracts involving prioritized CUI. This is when third-party assessments become a contract requirement.

Phase 3 (approximately one year after Phase 2): CMMC Level 2 C3PAO assessments may be required for all applicable contracts involving CUI. Level 3 DIBCAC assessments may also begin.

Phase 4 (full implementation): CMMC requirements are included in all applicable contracts and exercised as conditions for contract award.

What This Means for You

Phase 1 starts in December 2024. If you have not completed your NIST 800-171 self-assessment and submitted your SPRS score, you are already behind. Self-assessments are not new — DFARS 252.204-7012 has required them since 2017 — but the CMMC final rule adds the affirmation requirement and creates a pathway to third-party verification.

Even if your current contracts do not yet include the CMMC clause, new solicitations will begin including it. Plan for CMMC Level 2 C3PAO assessment readiness by the time Phase 2 begins. That gives you roughly two years from the final rule's effective date to prepare for third-party assessment — tight for organizations starting from scratch, but achievable with focused effort.
