The 48 CFR CMMC Acquisition Rule: Where Things Stand

Master 48 CFR CMMC compliance to enhance cybersecurity and secure defense contracts.


The 32 CFR CMMC rule — the one establishing the CMMC program structure — was finalized in December 2024. The 48 CFR rule is the companion piece that actually puts CMMC requirements into contracts. It does this by amending the Defense Federal Acquisition Regulation Supplement (DFARS) to include CMMC as a condition of contract award and performance.

Here's where things stand as of early 2026, and what it means for defense contractors trying to plan ahead.

What the 48 CFR Rule Does

The Federal Acquisition Regulation (FAR) and DFARS are the rulebooks for government contracting. If a security requirement isn't in the FAR or DFARS, contracting officers have limited ability to impose it. The 48 CFR CMMC rule amends DFARS to:

  1. Add DFARS clause 252.204-7021 — the CMMC certification clause that specifies the required CMMC level for a given contract and requires contractors to have current certification before performing work involving CUI.
  2. Amend solicitation provision 252.204-7020 — expanding the DoD's authority to conduct assessments of contractor cybersecurity.
  3. Establish phase-in requirements — rather than applying CMMC requirements to all contracts simultaneously, the rule provides a phased approach across contract categories and risk levels.

Without 48 CFR, 32 CFR creates the CMMC program but it doesn't have contractual teeth. The 48 CFR rule is what makes CMMC a condition of doing business.

Status as of Early 2026

The 32 CFR final rule took effect December 16, 2024. The 48 CFR proposed rule was published in August 2024 with a comment period. As of early 2026, the 48 CFR rule remains in the finalization process.

What that means practically:

  • 32 CFR is final. The CMMC program structure, certification requirements, assessment processes, and level definitions are all established.
  • 48 CFR is pending. The rule that formally embeds CMMC requirements into new contract solicitations hasn't been finalized yet.
  • Voluntary phase-in is underway. The DoD has been including 252.204-7021 in select contracts ahead of the 48 CFR final rule under existing DFARS authority. If you're seeing this clause in a contract today, it's real — you need CMMC certification for that contract.

The 48 CFR finalization matters because it will trigger the mandatory phase-in timeline — the schedule for when CMMC requirements must appear in all new contracts at each level. Until it's final, the DoD has discretion over which contracts include the certification requirement.

The Phase-In Schedule

The CMMC rule was designed with a phase-in approach to avoid disrupting active contracts and to give contractors time to prepare. The structure as outlined in the rulemaking:

Phase 1 (begins at 48 CFR final rule): CMMC requirements appear in new DoD contracts that involve CUI. Level 2 contracts require either self-attestation (for lower-risk programs) or C3PAO certification (for standard CUI programs). Level 3 requires DIBCAC assessment. Existing contracts are not retroactively modified.

Phase 2 (12 months after Phase 1): CMMC requirements extend to additional contract categories. The DoD's ability to grant waivers is constrained. Self-attestation remains available for specific low-risk programs.

Phase 3 (24 months after Phase 1): CMMC requirements fully embedded. All new contracts involving CUI include the certification requirement. Renewals and modifications of existing contracts begin triggering CMMC requirements.

The specific dates depend on when the 48 CFR rule is finalized. If finalization happens mid-2026, you're looking at mandatory CMMC in new contracts by late 2026 or early 2027, with full implementation phased through 2028-2029.

What This Means for Contractors Right Now

The phase-in timeline doesn't mean you have until Phase 3 to start preparing. It means the contractual requirement is phased in. Your readiness cannot wait.

Why you can't wait:

Getting from "we know we need CMMC Level 2" to "we have a C3PAO assessment scheduled" takes 6-12 months at minimum. C3PAOs have limited capacity and a growing queue. The assessment itself typically takes 2-3 weeks of active work, plus several weeks of pre-assessment preparation and evidence gathering. Before you can schedule a C3PAO, you need to implement your controls, complete your SSP, close or document your gaps, and be ready for evidence review. That process for a small-to-mid-size organization with gaps to close takes 6-18 months of actual work.

If you're bidding on contracts that will require CMMC Level 2 and the 48 CFR rule finalizes in mid-2026, the contractors who started preparation in 2024 or 2025 will be ready. Those who start in 2027, when they first see the clause in a contract, will be disqualified from award, because you can't perform work requiring Level 2 certification until you hold the certification.

Decision point: If your current SPRS self-assessment score is below 80 (out of 110), start your remediation program now. If you don't have a SPRS score at all, enter one immediately (the 7019 clause requirement is already in most active DoD contracts) and begin addressing the gap. Don't wait for 7021 to appear in a contract to begin working toward Level 2.
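To make that decision point concrete, here is an added example (not from the original article) that computes a NIST SP 800-171 DoD Assessment Methodology score the way SPRS records it and lists which gaps to close first to reach 80. The weighting scheme (110 maximum, 5/3/1 points per requirement, partial credit for 3.5.3 and 3.13.11) is from the methodology; the weights attached to the sample controls are assumed for illustration and should be taken from the published table.

```python
"""SPRS score calculator using DoD Assessment Methodology weighting (added example)."""
from dataclasses import dataclass

# Every NIST SP 800-171 requirement is weighted 5, 3 or 1; a fully implemented
# set scores 110. Two requirements allow partial credit: 3.5.3 (MFA) and
# 3.13.11 (FIPS-validated crypto) deduct 3 instead of 5 when partially met.
MAX_SCORE = 110
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class Control:
    cid: str      # NIST SP 800-171 requirement id
    weight: int   # 5, 3 or 1 (assumed values below; use the published table)
    status: str   # "met", "partial" or "not_met"


def deduction(c: Control) -> int:
    """Points lost for this control; 'partial' only counts for the two exceptions."""
    if c.status == "met":
        return 0
    if c.status == "partial" and c.cid in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[c.cid]
    return c.weight  # partial on any other control is scored as not met


def sprs_score(controls) -> int:
    return MAX_SCORE - sum(deduction(c) for c in controls)


def remediation_plan(controls, target=80):
    """Gaps to close, highest deduction first, until the score reaches target."""
    gaps = sorted((c for c in controls if deduction(c) > 0),
                  key=lambda c: -deduction(c))
    score, plan = sprs_score(controls), []
    for c in gaps:
        if score >= target:
            break
        plan.append(c.cid)
        score += deduction(c)
    return plan, score


# Constructed sample self-assessment: 102 filler controls (placeholder ids) met,
# eight real requirement ids with gaps; weights are assumed for illustration.
SAMPLE = [Control(f"3.x.{i}", 1, "met") for i in range(102)] + [
    Control("3.1.1", 5, "not_met"),    # authorized access control
    Control("3.5.3", 5, "partial"),    # MFA for general but not privileged users
    Control("3.13.11", 5, "partial"),  # encryption in use but not FIPS-validated
    Control("3.3.1", 5, "not_met"),    # audit logging
    Control("3.14.1", 5, "not_met"),   # flaw remediation
    Control("3.4.1", 5, "not_met"),    # baseline configurations
    Control("3.8.3", 5, "not_met"),    # media sanitization
    Control("3.1.2", 5, "not_met"),    # transaction/function limits
]

if __name__ == "__main__":
    print(sprs_score(SAMPLE), remediation_plan(SAMPLE))
```

With the sample gaps the score lands at 74, and closing just two 5-point controls lifts it above the 80 threshold, which is why a few high-weight gaps matter more than many 1-point ones.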

Contracts in the Pipeline Today

Even before the 48 CFR rule is final, you may encounter 252.204-7021 in contracts. This is happening through two paths:

Existing DFARS authority: Contracting officers can include 252.204-7021 in contracts for programs designated by the DoD as requiring CMMC. The DoD has been doing this selectively for high-priority programs since 2024.

Contract novations and modifications: When an existing contract comes up for renewal or significant modification, the government may include updated DFARS clauses — including 7021. Monitor your contract renewals carefully.

If 252.204-7021 appears in a solicitation and you're bidding, read it carefully:

  • What CMMC level is specified?
  • Is self-attestation authorized (Level 2 self-attestation is allowed for some programs) or is C3PAO certification required?
  • What is the effective date for the certification requirement?

Some early implementations of 7021 have included transition periods — allowing contract award before certification is complete, with certification required by a specific date. Others require certification as a condition of award. Know what you're agreeing to before you sign.

The Self-Attestation vs. C3PAO Question

Level 2 has two paths: self-attestation and C3PAO certification. The 48 CFR rule defines which programs can use self-attestation and which require C3PAO, based on the sensitivity of the CUI and the risk profile of the program.

Self-attestation means your senior official signs an assertion in SPRS that you meet Level 2 requirements. No third-party assessment. This is allowed only for specific lower-risk programs as designated by the DoD acquisition authority.

C3PAO certification means an independent, accredited C3PAO assesses your implementation against all 110 Level 2 controls and issues a certification. This is the standard for most DoD programs involving sensitive CUI.

The specific designation — self-attestation or C3PAO — will be in the contract. If your contract says C3PAO, that's what you need. There's no substituting a self-assessment score for C3PAO certification.

Prime and Subcontractor Flow-Down Responsibilities

If you're a prime contractor, the 48 CFR rule creates obligations beyond your own certification. When 252.204-7021 is in your prime contract, you must flow down appropriate CMMC requirements to subcontractors who handle CUI on your behalf.

The flow-down is not a blanket pass-through of your own certification level. You determine what CMMC level is appropriate for each subcontractor based on the CUI they'll handle:

  • A sub who receives and processes the same sensitive CUI you handle likely needs Level 2
  • A sub providing general services (janitorial, shipping, marketing) who never touches CUI needs no CMMC requirement
  • A sub providing IT support who has access to CUI systems but doesn't directly handle CUI — that's a judgment call requiring documented rationale

Common flow-down mistake: Prime contractors either (a) flow Level 2 to every subcontractor regardless of CUI exposure, creating unnecessary burden and cost for subs who don't need it, or (b) fail to flow any requirements to subs who actually do handle CUI, creating a security gap and a contract compliance problem.

Document your sub flow-down decisions. For each subcontractor, record why the CMMC level was assigned and what CUI, if any, they're authorized to receive. If DoD audits your supply chain, you'll need to show this reasoning.

Subcontractors must independently achieve their own CMMC certification. You can't "extend" your certification to cover your subs. If a sub who handles CUI doesn't have their own current certification when required, that's your problem as the prime — it puts your contract performance at risk.

What Your Assessor Expects

If you're being assessed under 252.204-7021 for a C3PAO certification, your assessor evaluates you against the full CMMC Level 2 practice set — all 110 controls from NIST SP 800-171. The assessment methodology comes from NIST SP 800-171A.

From a regulatory standpoint, your assessor will want to confirm:

  • Your SSP accurately reflects the systems and CUI in scope for this specific contract
  • Your implementation descriptions align with the DoD Assessment Methodology
  • Your SPRS score is consistent with what they're actually finding during the assessment

One more thing worth knowing: CMMC assessments are conducted by C3PAOs — not by the DoD directly (except Level 3, which involves DIBCAC). The C3PAO you hire is accredited by the Cyber AB (formerly CMMC-AB). Check your C3PAO's accreditation status at cyberab.org before you sign an assessment contract.

---

Use the CMMC phase-in timeline to work backward from your next contract bid date. If you don't know your current gap-to-certification timeline, a readiness assessment will tell you in 2-4 weeks. Most organizations are 12-18 months from certification when they start that process.
