
32 CFR, 48 CFR, and CMMC Compliance Requirements and Timeline

Key Points on 32 CFR, 48 CFR, and CMMC Compliance

Regulatory Overview

Two primary regulations: 32 CFR and 48 CFR.

- 32 CFR: New rule establishing program requirements and marketplace became effective in December 2024.
- 48 CFR: Final rule is pending publication and will serve as the enforcement mechanism for CMMC compliance. The 48 CFR rule applies maturity levels, mandating CMMC compliance to accept the award of any new contract. It is anticipated that the final 48 CFR rule, once released, may contain some surprises.
- 48 CFR will integrate CMMC requirements directly into the Federal Acquisition Regulation (FAR) framework.
- This framework lays the foundation for how contractors prove they've implemented and are maintaining their cybersecurity controls (e.g., NIST 800-171).
- After full implementation of 48 CFR, subcontractors at all supply chain levels will have to demonstrate and retain compliance with their specific CMMC levels for defense-related contracts.
DFARS and CMMC Flowdown

- DFARS clauses (e.g., 252.204-7012) have been unenforced requirements since 2015.
- New clauses (7021, 72, 22) for CMMC flowdowns are no longer suggestions but mandatory terms agreed upon when signing contracts.
- DFARS relates to compliance, detection, and control of controlled unclassified information (CUI).
- Flowdown requirements mean anyone in your supply chain handling FCI or CUI must meet the same CMMC level, including small contracts.

DOD Draft Rule (August 2024)


Three main requirements:

1. Award Certification: A current CMMC certificate or self-assessment in SPRS is required upfront at the time of award, with no exceptions.
2. Supply Chain Flowdown: Anyone in your supply chain, mainly those handling FCI or CUI, must meet the same CMMC level, even small contractors.
3. Continuous Compliance: Requires annual attestations and SPRS submissions by an authorized company official. If your system changes, even a minor change involving one person in accounting, it might change the scope; if it touches CUI, it is included.

CMMC Implementation Timeline (Three-Year Phasing)

There will be a three-year phasing period, a slow rollout by the DOD.

- Year 1: Level 1 and Level 2 self-assessments for selected contracts.
- Year 2: Level 2 changes to mandatory third-party certifications for new organizations.
- Year 3: All live contracts, including options, extensions, and renewals, must have their CMMC level locked in.

This rollout is compared to a streaming service dropping new episodes: a teaser, then a full season, then spinoffs.

Compliance Checklist & Recommendations

1. Review SPRS Submission: Review your SPRS submission and confirm your CMMC level, potentially adjusting your assessment to Level 2.
2. Assessment Strategy: Decide whether you will self-assess early in phase one or bring in a C3PAO to do your certification assessment as quickly as possible, which is recommended.
3. Sharpen SSP & Resolve POA&M Items: Sharpen your System Security Plan (SSP) and resolve any outstanding Plan of Action and Milestones (POA&M) items. These are now deliverables, so treat them as if your project is starting.
4. Contracting Officer Communication: Talk to your contracting officer before the solicitation drops to nail down which CMMC level they require for the contract.
5. Set Up Alerts: Use a contract management or PRS tracking tool to set up alerts, ensuring nothing slips through the cracks that could prevent you from winning contracts.


For questions about cybersecurity compliance or other IT-related issues, a short, free consultation is available at www.techsagesolutions.com