Deretti Cyber Labs CMMC Desk · The System

The system.

Who runs CMMC, which rule governs what, and how the rollout is phased.

This page is the desk’s fact spine. Before the requirements make sense, the machinery has to: who wrote the rule, who checks your work, which document answers which question, and when any of it actually reaches your contract. Everything else on this desk points back here.

01What CMMC is trying to do

Since 2017, defense contractors handling federal contract information or controlled unclassified information have been required to implement a specific set of security requirements — first under FAR 52.204-21, then more fully under DFARS 252.204-7012 and NIST SP 800-171. For years, the government largely took a contractor’s word for it: a self-attestation, filed once, rarely checked. At Levels 1 and 2, CMMC does not add a new layer of security requirements on top of that. What it adds is verification — a structured way to confirm that the requirements already supposed to be in place actually are. Level 3 is the one place that sentence needs qualifying: it layers 24 enhanced requirements, selected from NIST SP 800-172, on top of the 110 — The Levels covers what that adds.

The Cybersecurity Maturity Model Certification (CMMC) Program is codified at 32 CFR Part 170. It defines three levels tied to the sensitivity of what a contractor handles — Federal Contract Information (FCI) at Level 1, Controlled Unclassified Information (CUI) at Levels 2 and 3 — and it defines how each level gets checked: self-assessment, third-party certification, or government assessment, depending on the level and the contract. The Data page covers FCI and CUI themselves; the Levels page covers what each level requires.

What this page covers is the machinery around all of that: the organizations involved, the documents that govern them, the timeline for when any of it shows up in a given contract, and — since this desk’s whole approach starts here — which primary source to open when a specific question comes up.

The rule says

“The requirements of this part apply to all DoD contract and subcontract awardees that will process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.”

32 CFR 170.3(a)(1)

In practice

If nothing in your environment touches FCI or CUI in performance of a DoD contract, the CMMC Program rule has nothing to check. If something does, the level required — and the way it gets checked — depends on which category, which contract, and which phase-in period applies (Section 04, below).

02The cast list

Seven kinds of organizations show up in CMMC’s machinery, plus the one that matters most: yours.

The organizations in the CMMC ecosystem and their roles
ActorRole
OSA / OSC Organization Seeking Assessment / Organization Seeking Certification — the contractor whose systems are being evaluated. Every OSC is also an OSA; not every OSA is an OSC (Glossary has the full distinction). 32 CFR 170.4
DoD CIO Administers the CMMC Program. The program rule itself, 32 CFR Part 170, is DoD’s — issued through federal rulemaking under the Office of the Secretary of Defense; the DFARS clauses that carry it into contracts are maintained separately, through the Defense Acquisition Regulations System (DARS).
Cyber AB The Accreditation Body — the one organization DoD contracts with to accredit C3PAOs and oversee CAICO. 32 CFR 170.8
C3PAO CMMC Third-Party Assessment Organization. Accredited to conduct Level 2 certification assessments. 32 CFR 170.9, 170.4
CAICO CMMC Assessor and Instructor Certification Organization. Trains, tests, and certifies the individual assessors who staff C3PAOs. 32 CFR 170.10
DCMA DIBCAC Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center. Government assessors — conduct Level 3 certification assessments and higher-confidence Level 2 government assessments. 32 CFR 170.4
eMASS (CMMC instance) Enterprise Mission Assurance Support Service. Government-owned system where C3PAO and DIBCAC assessment results are formally filed. 32 CFR 170.4
SPRS Supplier Performance Risk System. Where scores, statuses, and affirmations officially live — the record a contracting officer actually checks. 32 CFR 170.4; DFARS 252.204-7019, -7020

How to read this: each box is an organization; arrows show who directs or accredits whom, and where results get filed. The two highlighted boxes are the two things that matter most to you — your own path in, and where your status ends up.

Scroll to see the full diagram →

Who reports what, and where it lands A flow diagram of CMMC program relationships. The DoD CIO administers the CMMC Program defined by 32 CFR Part 170, contracts with the Cyber AB, and directs DCMA DIBCAC. The DFARS clauses that put the program into contracts are maintained separately through the Defense Acquisition Regulations System. The Cyber AB accredits C3PAOs. The assessed organization, the OSA, either runs its own Level 1 or Level 2 self-assessment, seeks a Level 2 certification assessment through a C3PAO, or seeks a Level 3 assessment through DCMA DIBCAC. C3PAO and DIBCAC results are filed to the CMMC instance of eMASS, which feeds status to the Supplier Performance Risk System, SPRS. The OSA also submits self-assessment scores and annual affirmations directly to SPRS, which is the system of record for scores, statuses, and affirmations at every level. DoD CIO Administers 32 CFR 170 Cyber AB Accredits C3PAOs & CAICO C3PAO Runs L2 certifications DCMA DIBCAC Level 3 + high-confidence L2 OSA — that’s you Organization Seeking Assessment self-assessment or certification eMASS Files certification results SPRS scores · statuses · affirmations contracts with directs accredits files results files results status recorded self-assessment scores + affirmations, every path
Figure: who reports what, and where it lands — who accredits whom, which paths lead to which assessor, and where results end up. OSA and SPRS are highlighted because most readers care about exactly two things: their own path, and where the record of it lives.

03The rule stack

Nine instruments do the actual work. Here is what each one answers.

The instruments that make up the CMMC rule stack and what each one answers
InstrumentWhat it answers
32 CFR Part 170
Program rule
What are the levels, how do assessments work, how are scoring and POA&M handled, when does any of this apply.
DFARS 252.204-7021
Acquisition rule · eff. 2025-11-10
How CMMC gets into a specific contract — the contract clause requiring a current CMMC Status, maintained through performance and flowed down to subcontracts. “Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements” (Nov 2025)
DFARS 252.204-7025
Solicitation provision · eff. 2025-11-10
The notice in a solicitation naming the required CMMC level — and the award gate: without a current CMMC Status and affirmation in SPRS at that level, an offeror is ineligible for award.
DFARS 252.204-7012
Companion clause
Safeguarding covered defense information, plus the 72-hour DIBNet incident-reporting obligation.
DFARS 252.204-7019
Companion provision · removed Feb 2026
Notice that a current NIST SP 800-171 DoD Assessment score must be posted to SPRS. Removed from new solicitations by an interim class deviation (February 2026); contracts that already carry it still mean what they say.
DFARS 252.204-7020
Companion clause · renumbered Feb 2026
Government access to assessment information, plus flow-down mechanics to subcontractors. Appears as 252.240-7997 in new solicitations from February 2026 (interim class deviation); the mechanics carry over.
FAR 52.204-21
Basic safeguarding rule
The 15 requirements behind Level 1 — Basic Safeguarding of Covered Contractor Information Systems. Renumbered FAR 52.240-93 in new solicitations from February 2026; the 15 are unchanged.
NIST SP 800-171 Rev. 2
The 110
What the 110 Level 2 security requirements actually say.
NIST SP 800-171A
Assessment objectives
How an assessor determines whether a Rev. 2 requirement is MET.
NIST SP 800-172
L3 enhancements
The pool of enhanced requirements Level 3 selects 24 of 39 from.
Which NIST revision

Numbering note (2026): interim class deviations issued under the broader FAR Overhaul restructured where several of these instruments live — DFARS subparts 204.73 and 204.75 moved to 240.370 and 240.371, 252.204-7019 was removed, 252.204-7020 became 252.240-7997, and FAR 52.204-21 became 52.240-93 in solicitations issued from February 2026. The substance did not change, and 7012, 7021, and 7025 kept their numbers. The deviations are interim — the codified DFARS text still shows the legacy numbers — so a contract file will show a mix for a while. The contract clauses carries the full map. DPCAP class deviations

CMMC assesses against NIST SP 800-171 Revision 2, pinned by DoD class deviation. Revision 3 was published in 2024 and does not apply to CMMC until rulemaking formally incorporates it. This is the highest-impact item on the desk’s review-trigger list — see the Source Library for the full list.

04The four phases

CMMC did not arrive as a single switch. 32 CFR 170.3(e) phases the Program requirement into DoD solicitations and contracts over four stages, anchored to the effective date of the acquisition rule (48 CFR / DFARS 252.204-7021, effective 2025-11-10).

The rule says

“DoD is utilizing a phased approach for the inclusion of CMMC Program requirements in solicitations and contracts… Phase 1. Begins on the effective date of the complementary 48 CFR part 204 CMMC Acquisition final rule. DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, include the requirement for CMMC Status of Level 1 (Self) or Level 2 (Self)… as a condition to exercise an option period on a contract awarded prior to the effective date. DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status.”

32 CFR 170.3(e), (e)(1)

In practice

Each later phase begins exactly one calendar year after the one before it — the rule sets the spacing, not a fixed calendar date. The acquisition rule took effect 2025-11-10, so that date anchors Phase 1, and the three phase-start dates after it are derived, one year apart. Notice how often the rule text says “DoD may, at its discretion” — the phase-in schedule is a floor a contracting officer can move past sooner, not a fixed ceiling you can count on until the next one.

The four CMMC implementation phases, their start dates, and what changes in each
PhaseStartsWhat’s new
Phase 1 2025-11-10
48 CFR effective date
L1 and L2 self-assessments in new solicitations; affirmations begin. A CO may require L2 (C3PAO) instead, or apply the requirement to an option period early, at DoD’s discretion.
Phase 2 2026-11-10
derived, +1 year
L2 (C3PAO) certification becomes a condition of award where applicable. DoD may also add L3 (DIBCAC) at its discretion.
Phase 3 2027-11-10
derived, +1 year
L2 (C3PAO) required broadly, including option periods. L3 (DIBCAC) becomes a condition of award (DoD may delay it to an option period at its discretion).
Phase 4 2028-11-10
derived, +1 year
Full implementation — CMMC Program requirements apply to all applicable DoD solicitations and contracts, including option periods on contracts awarded earlier.

Dates are derived, not independently fixed by rule text: each equals the prior phase’s start plus one calendar year, anchored to the acquisition rule’s 2025-11-10 effective date. 32 CFR 170.3(e)

Where this desk sits

As of this page’s last review (2026-07-07), the program is in Phase 1 — about four months from the Phase 2 start on 2026-11-10.

05Which document answers which question

This page explains how the machinery fits together. When a specific question comes up, here is the primary source to open. The full list, with when-to-reach-for-it detail on every item, lives on the Source Library.

Common questions mapped to the primary source that answers them
QuestionOpen
Does CMMC apply to my contract, and when? 32 CFR 170.3; your contract’s own clauses (7012 / 7019 / 7020 / 7021 / 7025)
What exactly do the 110 Level 2 requirements say? NIST SP 800-171 Rev. 2
How will an assessor decide if a requirement is MET? NIST SP 800-171A (assessment objectives)
What’s actually in scope — which systems, which assets? CMMC Level 1 / 2 / 3 Scoping Guidance (Boundary page)
What happens during a Level 2 certification assessment? CMMC Level 2 Assessment Guide
What counts as FCI or CUI in the first place? 48 CFR 4.1901 (FCI); 32 CFR 2002.4(h) and the DoD CUI Program (CUI) (Data page)
What does a specific term mean? Glossary

Full descriptions, and when to reach for each one →