Updated: Key Changes from Previous Regulations in CMMC 32 CFR Part 170

Key Takeaways
CMMC 32 CFR Part 170 shifts from self-attestation to independent verification for many contractors handling Controlled Unclassified Information (CUI).
The new framework introduces revised CMMC levels, assessment types, and a phased implementation approach over three years.
Non-compliance can lead to contract ineligibility, with stricter enforcement measures including False Claims Act (FCA) penalties.
Transition from Self-Attestation to Independent Verification
Previous Approach: Under DFARS 252.204-7012, contractors were required to implement NIST SP 800-171 security controls to protect CUI. However, compliance was based on self-attestation, where companies asserted they met security requirements without an external audit.
New Approach Under CMMC 2.1, codified at 32 CFR Part 170 (2025): The new rule eliminates reliance on self-attestation for many contractors handling CUI. Organizations must undergo third-party assessments (C3PAO-led or government-led) to verify compliance for certain levels. Self-assessments remain permitted only for Level 1 and some Level 2 organizations. A Plan of Action and Milestones (POA&M) policy allows limited corrective action periods (180 days) before certification revocation.
Revised CMMC Levels and Assessment Types
Previous Model (CMMC 1.0, 2020):
Featured five levels (1 through 5) with progressively increasing security requirements.
Required formal certification at all levels, even for contractors handling only Federal Contract Information (FCI).
New Model (CMMC 2.1 Final Rule, 32 CFR Part 170, 2025):
Three Levels instead of five:
Level 1 (Self-Assessment): Basic safeguarding of FCI (15 security practices per FAR 52.204-21).
Level 2 (C3PAO or Self-Assessment): Based on NIST SP 800-171 (110 controls); self-assessment allowed for some, third-party assessment required for others.
Level 3 (Government Assessment by DIBCAC): Incorporates selected NIST SP 800-172 requirements as determined by DoD for programs with heightened CUI protection needs.
All certifications are valid for three years unless revoked for cause, with annual affirmation required to maintain eligibility.
Elimination of Process Maturity Requirements from CMMC 1.0 (previously required process documentation and institutionalization at each level).
New Phased Implementation Approach
Previous Approach: The original plan aimed for a 5-year rollout (2020-2025) before full enforcement, leading to uncertainty about the timeline.
New Approach: A phased implementation plan under CMMC 2.1 (32 CFR Part 170) is rolling out over approximately three years following the final rule’s effective date (expected FY2025).
Phase 1: Begins within the first year—Level 1 and select Level 2 contractors may continue with self-assessments entered in SPRS.
Phase 2: Expands third-party (C3PAO) assessments for designated Level 2 contractors handling prioritized CUI programs.
Phase 3: Introduces Level 3 (DIBCAC) government assessments for high-impact or national security contracts.
Phase 4: Full enforcement—All applicable DoD contracts must meet the required CMMC certification level before award or renewal.
This phased approach gives smaller contractors time to adapt while ensuring that critical defense programs achieve verified cybersecurity protection first.
Contracting and Flow-Down Changes
Previous Approach: DFARS 252.204-7012 required prime contractors to ensure subcontractors complied with NIST SP 800-171, but did not define assessment or certification expectations for subcontractors.
New Approach: Under CMMC 2.1, level requirements now flow down to any subcontractor that stores, processes, or transmits DoD data. Compliance obligations depend on the type of information handled, not on contract size.
Level 1: Applies to subcontractors that only handle Federal Contract Information (FCI).
Level 2: Applies to subcontractors that handle Controlled Unclassified Information (CUI) and may require either self-assessment or C3PAO assessment depending on DoD designation.
Important: Contracting officers may not award, extend, or modify contracts unless CMMC requirements are met. Primes must verify that all lower-tier partners maintain the appropriate certification level for the data they handle.
Integration with DFARS and Supplier Performance Risk System (SPRS)
Previous Approach: Contractors self-reported their NIST SP 800-171 scores to SPRS but were not required to submit proof.
New Approach:
CMMC status must be reported in SPRS and entered annually or upon a significant environment change.
Affirmation of compliance is required annually for Level 2 and Level 3.
Contractors with an expired or insufficient CMMC certification will be ineligible for new contracts.
Stronger Emphasis on Accountability & Enforcement
Previous Approach: Enforcement was weak due to self-attestation and lack of structured penalties.
New Approach:
Non-compliance can lead to contractual penalties and loss of award eligibility.
The False Claims Act (FCA) may be used to prosecute companies falsely claiming compliance.
Contractors must maintain continuous compliance throughout contract performance, not just at certification time.
Contractors may face suspension or termination if their certification expires or is invalidated during contract performance.
CMMC Certification Levels & Requirements
Overview of Levels 1, 2, and 3
Level 1 (Self-Assessment): Basic security controls for FCI, requiring self-attestation.
Level 2 (C3PAO or Self-Assessment): More stringent security requirements for CUI, assessed through self-assessment or third-party audits.
Level 3 (DIBCAC): The highest level, requiring additional security controls and a government-led assessment.
Assessment Types
Self-Assessment: Performed by the contractor annually for Level 1 and some Level 2 organizations.
Third-Party Assessment (C3PAO): Required for certain Level 2 contractors, conducted every three years.
Government Assessment (DIBCAC): Mandatory for Level 3, performed every three years.
Key Contractor and Subcontractor Requirements
Prime contractors must ensure compliance at all subcontractor levels.
Annual affirmation is required for Level 2 and 3.
Failure to comply can result in contract penalties or loss of eligibility.
Conclusion
CMMC 32 CFR Part 170 introduces a structured, enforceable framework requiring contractors and subcontractors to meet verified cybersecurity standards. Companies must prepare for mandatory assessments and compliance measures to maintain contract eligibility.
Frequently Asked Questions
Do small businesses still need to comply with all CMMC levels?
No. Most small contractors that only handle Federal Contract Information (FCI) need Level 1, which requires 15 basic safeguards. Only companies handling Controlled Unclassified Information (CUI) need Level 2 or higher.
What is the main difference between CMMC 1.0 and CMMC 2.1?
CMMC 2.1 simplified the model from five levels to three, removed process maturity requirements, and aligned fully with NIST SP 800-171 for Level 2. It also reintroduced self-assessments for some contractors handling less sensitive CUI.
How long do we have to comply after the rule takes effect?
The DoD is phasing in enforcement over approximately three years following the final rule’s effective date. Contract clauses will specify when CMMC applies to your specific program.
Are Level 3 contractors still required to meet 24 enhanced controls?
No. The current rule no longer specifies a fixed number. Level 3 contractors must meet all 110 NIST SP 800-171 practices plus selected NIST SP 800-172 requirements identified by the DoD for critical programs.
Do subcontractors have to meet the same level as primes?
Only if they handle the same data type. If a subcontractor handles CUI, it must meet Level 2; if it only processes FCI, Level 1 is sufficient. Primes are responsible for verifying subcontractor compliance.
How often do I have to update my SPRS score?
At least annually or when major changes occur in your IT environment or security posture. Level 2 contractors must also affirm compliance annually in SPRS.
What happens if I fail my CMMC assessment?
You’ll receive a Plan of Action & Milestones (POA&M) window of up to 180 days to correct deficiencies. If the deficiencies remain unresolved, your certification can be revoked, making you ineligible for future DoD contracts.
Can I use a commercial cloud for storing CUI?
Yes, but only if the cloud provider is FedRAMP Moderate authorized or equivalent. For export-controlled or ITAR data, GCC High or another government-isolated environment is usually required.
How long is CMMC certification valid?
Three years, assuming your environment doesn’t change significantly. You must submit an annual affirmation of continued compliance to keep your certification active.
Will I face penalties if I claim compliance but fail verification?
Yes. False attestation may trigger enforcement under the False Claims Act (FCA), leading to financial penalties or disqualification from future defense contracts.