Key Takeaways
- CMMC 32 CFR Part 170 shifts from self-attestation to independent verification for many contractors handling Controlled Unclassified Information (CUI).
- The new framework introduces revised CMMC levels, assessment types, and a phased implementation approach over three years.
- Non-compliance can lead to contract ineligibility, with stricter enforcement measures including False Claims Act (FCA) penalties.
Transition from Self-Attestation to Independent Verification
Previous Approach: Under DFARS 252.204-7012, contractors were required to implement NIST SP 800-171 security controls to protect CUI. However, compliance was based on self-attestation, where companies asserted they met security requirements without an external audit.
New Approach Under CMMC 32 CFR Part 170: The new rule eliminates reliance on self-attestation for many contractors handling CUI. Organizations must undergo third-party assessments (C3PAO-led or government-led) to verify compliance for certain levels. Self-assessments remain permitted only for Level 1 and some Level 2 organizations. A Plan of Action and Milestones (POA&M) policy allows limited corrective action periods (180 days) before certification revocation.
Revised CMMC Levels and Assessment Types
Previous Model (CMMC 1.0, 2020):
- Featured five levels (1 through 5) with progressively increasing security requirements.
- Required formal certification at all levels, even for contractors handling only Federal Contract Information (FCI).
New Model (CMMC 2.0, 2024 Final Rule):
Three Levels instead of five:
- Level 1 (Self-Assessment): Basic safeguarding of FCI (15 security practices per FAR 52.204-21).
- Level 2 (C3PAO or Self-Assessment): Based on NIST SP 800-171 (110 controls); self-assessment allowed for some, third-party assessment required for others.
- Level 3 (Government Assessment by DIBCAC): Includes the 110 NIST SP 800-171 controls plus 24 selected NIST SP 800-172 enhanced controls.
The process maturity requirements of CMMC 1.0 (which required process documentation and institutionalization at each level) are eliminated.
New Phased Implementation Approach
Previous Approach: The original plan aimed for a 5-year rollout (2020-2025) before full enforcement, leading to uncertainty about the timeline.
New Approach: A 4-phase implementation over 3 years (starting December 2024):
- Phase 1 (Year 1): Self-assessments for Level 1 and some Level 2 contracts.
- Phase 2 (Year 2): Third-party assessments for more Level 2 contracts.
- Phase 3 (Year 3): Introduction of Level 3 (DIBCAC) assessments.
- Phase 4 (Full Implementation): All applicable DoD contracts require CMMC certification.
This approach prioritizes high-risk contracts first, allowing businesses time to prepare.
Contracting and Flow-Down Changes
Previous Approach: DFARS 252.204-7012 required prime contractors to ensure subcontractors complied but did not specify assessment requirements for subcontractors.
New Approach: CMMC Level requirements will flow down to subcontractors handling FCI or CUI:
- Level 1 if handling FCI.
- Level 2 (Self or C3PAO) if handling CUI.
Important: Contracting officers cannot award, extend, or modify contracts unless CMMC requirements are met.
Integration with DFARS and Supplier Performance Risk System (SPRS)
Previous Approach: Contractors self-reported their NIST SP 800-171 scores to SPRS but were not required to submit proof.
New Approach:
- CMMC status must be reported in SPRS and regularly updated.
- Affirmation of compliance is required annually for Level 2 and Level 3.
- Contractors with an expired or insufficient CMMC certification will be ineligible for new contracts.
Stronger Emphasis on Accountability & Enforcement
Previous Approach: Enforcement was weak due to self-attestation and lack of structured penalties.
New Approach:
- Non-compliance can lead to contractual penalties and loss of award eligibility.
- The False Claims Act (FCA) may be used to prosecute companies falsely claiming compliance.
- Contractors must maintain continuous compliance throughout contract performance, not just at certification time.
CMMC Certification Levels & Requirements
Overview of Levels 1, 2, and 3
- Level 1 (Self-Assessment): Basic security controls for FCI, requiring self-attestation.
- Level 2 (C3PAO or Self-Assessment): More stringent security requirements for CUI, assessed through self-assessment or third-party audits.
- Level 3 (DIBCAC): The highest level, requiring additional security controls and a government-led assessment.
Assessment Types
- Self-Assessment: Performed by the contractor annually for Level 1 and some Level 2 organizations.
- Third-Party Assessment (C3PAO): Required for certain Level 2 contractors, conducted every three years.
- Government Assessment (DIBCAC): Mandatory for Level 3, performed every three years.
Key Contractor and Subcontractor Requirements
- Prime contractors must ensure compliance at all subcontractor levels.
- Annual affirmation is required for Level 2 and 3.
- Failure to comply can result in contract penalties or loss of eligibility.
Conclusion
CMMC 32 CFR Part 170 introduces a structured, enforceable framework requiring contractors and subcontractors to meet verified cybersecurity standards. Companies must prepare for mandatory assessments and compliance measures to maintain contract eligibility.