The system.
Who runs CMMC, which rule governs what, and how the rollout is phased.
This page is the desk’s fact spine. Before the requirements make sense, the machinery has to: who wrote the rule, who checks your work, which document answers which question, and when any of it actually reaches your contract. Everything else on this desk points back here.
01What CMMC is trying to do
Since 2017, defense contractors handling federal contract information or controlled unclassified information have been required to implement a specific set of security requirements — first under FAR 52.204-21, then more fully under DFARS 252.204-7012 and NIST SP 800-171. For years, the government largely took a contractor’s word for it: a self-attestation, filed once, rarely checked. At Levels 1 and 2, CMMC does not add a new layer of security requirements on top of that. What it adds is verification — a structured way to confirm that the requirements already supposed to be in place actually are. Level 3 is the one place that sentence needs qualifying: it layers 24 enhanced requirements, selected from NIST SP 800-172, on top of the 110 — The Levels covers what that adds.
The Cybersecurity Maturity Model Certification (CMMC) Program is codified at 32 CFR Part 170. It defines three levels tied to the sensitivity of what a contractor handles — Federal Contract Information (FCI) at Level 1, Controlled Unclassified Information (CUI) at Levels 2 and 3 — and it defines how each level gets checked: self-assessment, third-party certification, or government assessment, depending on the level and the contract. The Data page covers FCI and CUI themselves; the Levels page covers what each level requires.
What this page covers is the machinery around all of that: the organizations involved, the documents that govern them, the timeline for when any of it shows up in a given contract, and — since this desk’s whole approach starts here — which primary source to open when a specific question comes up.
The rule says
“The requirements of this part apply to all DoD contract and subcontract awardees that will process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.”
32 CFR 170.3(a)(1)In practice
If nothing in your environment touches FCI or CUI in performance of a DoD contract, the CMMC Program rule has nothing to check. If something does, the level required — and the way it gets checked — depends on which category, which contract, and which phase-in period applies (Section 04, below).
02The cast list
Seven kinds of organizations show up in CMMC’s machinery, plus the one that matters most: yours.
| Actor | Role |
|---|---|
| OSA / OSC | Organization Seeking Assessment / Organization Seeking Certification — the contractor whose systems are being evaluated. Every OSC is also an OSA; not every OSA is an OSC (Glossary has the full distinction). 32 CFR 170.4 |
| DoD CIO | Administers the CMMC Program. The program rule itself, 32 CFR Part 170, is DoD’s — issued through federal rulemaking under the Office of the Secretary of Defense; the DFARS clauses that carry it into contracts are maintained separately, through the Defense Acquisition Regulations System (DARS). |
| Cyber AB | The Accreditation Body — the one organization DoD contracts with to accredit C3PAOs and oversee CAICO. 32 CFR 170.8 |
| C3PAO | CMMC Third-Party Assessment Organization. Accredited to conduct Level 2 certification assessments. 32 CFR 170.9, 170.4 |
| CAICO | CMMC Assessor and Instructor Certification Organization. Trains, tests, and certifies the individual assessors who staff C3PAOs. 32 CFR 170.10 |
| DCMA DIBCAC | Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center. Government assessors — conduct Level 3 certification assessments and higher-confidence Level 2 government assessments. 32 CFR 170.4 |
| eMASS (CMMC instance) | Enterprise Mission Assurance Support Service. Government-owned system where C3PAO and DIBCAC assessment results are formally filed. 32 CFR 170.4 |
| SPRS | Supplier Performance Risk System. Where scores, statuses, and affirmations officially live — the record a contracting officer actually checks. 32 CFR 170.4; DFARS 252.204-7019, -7020 |
How to read this: each box is an organization; arrows show who directs or accredits whom, and where results get filed. The two highlighted boxes are the two things that matter most to you — your own path in, and where your status ends up.
Scroll to see the full diagram →
03The rule stack
Nine instruments do the actual work. Here is what each one answers.
| Instrument | What it answers |
|---|---|
| 32 CFR Part 170 Program rule |
What are the levels, how do assessments work, how are scoring and POA&M handled, when does any of this apply. |
| DFARS 252.204-7021 Acquisition rule · eff. 2025-11-10 |
How CMMC gets into a specific contract — the contract clause requiring a current CMMC Status, maintained through performance and flowed down to subcontracts. “Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements” (Nov 2025) |
| DFARS 252.204-7025 Solicitation provision · eff. 2025-11-10 |
The notice in a solicitation naming the required CMMC level — and the award gate: without a current CMMC Status and affirmation in SPRS at that level, an offeror is ineligible for award. |
| DFARS 252.204-7012 Companion clause |
Safeguarding covered defense information, plus the 72-hour DIBNet incident-reporting obligation. |
| DFARS 252.204-7019 Companion provision · removed Feb 2026 |
Notice that a current NIST SP 800-171 DoD Assessment score must be posted to SPRS. Removed from new solicitations by an interim class deviation (February 2026); contracts that already carry it still mean what they say. |
| DFARS 252.204-7020 Companion clause · renumbered Feb 2026 |
Government access to assessment information, plus flow-down mechanics to subcontractors. Appears as 252.240-7997 in new solicitations from February 2026 (interim class deviation); the mechanics carry over. |
| FAR 52.204-21 Basic safeguarding rule |
The 15 requirements behind Level 1 — Basic Safeguarding of Covered Contractor Information Systems. Renumbered FAR 52.240-93 in new solicitations from February 2026; the 15 are unchanged. |
| NIST SP 800-171 Rev. 2 The 110 |
What the 110 Level 2 security requirements actually say. |
| NIST SP 800-171A Assessment objectives |
How an assessor determines whether a Rev. 2 requirement is MET. |
| NIST SP 800-172 L3 enhancements |
The pool of enhanced requirements Level 3 selects 24 of 39 from. |
Numbering note (2026): interim class deviations issued under the broader FAR Overhaul restructured where several of these instruments live — DFARS subparts 204.73 and 204.75 moved to 240.370 and 240.371, 252.204-7019 was removed, 252.204-7020 became 252.240-7997, and FAR 52.204-21 became 52.240-93 in solicitations issued from February 2026. The substance did not change, and 7012, 7021, and 7025 kept their numbers. The deviations are interim — the codified DFARS text still shows the legacy numbers — so a contract file will show a mix for a while. The contract clauses carries the full map. DPCAP class deviations
CMMC assesses against NIST SP 800-171 Revision 2, pinned by DoD class deviation. Revision 3 was published in 2024 and does not apply to CMMC until rulemaking formally incorporates it. This is the highest-impact item on the desk’s review-trigger list — see the Source Library for the full list.
04The four phases
CMMC did not arrive as a single switch. 32 CFR 170.3(e) phases the Program requirement into DoD solicitations and contracts over four stages, anchored to the effective date of the acquisition rule (48 CFR / DFARS 252.204-7021, effective 2025-11-10).
The rule says
“DoD is utilizing a phased approach for the inclusion of CMMC Program requirements in solicitations and contracts… Phase 1. Begins on the effective date of the complementary 48 CFR part 204 CMMC Acquisition final rule. DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, include the requirement for CMMC Status of Level 1 (Self) or Level 2 (Self)… as a condition to exercise an option period on a contract awarded prior to the effective date. DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status.”
32 CFR 170.3(e), (e)(1)In practice
Each later phase begins exactly one calendar year after the one before it — the rule sets the spacing, not a fixed calendar date. The acquisition rule took effect 2025-11-10, so that date anchors Phase 1, and the three phase-start dates after it are derived, one year apart. Notice how often the rule text says “DoD may, at its discretion” — the phase-in schedule is a floor a contracting officer can move past sooner, not a fixed ceiling you can count on until the next one.
| Phase | Starts | What’s new |
|---|---|---|
| Phase 1 | 2025-11-10 48 CFR effective date |
L1 and L2 self-assessments in new solicitations; affirmations begin. A CO may require L2 (C3PAO) instead, or apply the requirement to an option period early, at DoD’s discretion. |
| Phase 2 | 2026-11-10 derived, +1 year |
L2 (C3PAO) certification becomes a condition of award where applicable. DoD may also add L3 (DIBCAC) at its discretion. |
| Phase 3 | 2027-11-10 derived, +1 year |
L2 (C3PAO) required broadly, including option periods. L3 (DIBCAC) becomes a condition of award (DoD may delay it to an option period at its discretion). |
| Phase 4 | 2028-11-10 derived, +1 year |
Full implementation — CMMC Program requirements apply to all applicable DoD solicitations and contracts, including option periods on contracts awarded earlier. |
Dates are derived, not independently fixed by rule text: each equals the prior phase’s start plus one calendar year, anchored to the acquisition rule’s 2025-11-10 effective date. 32 CFR 170.3(e)
As of this page’s last review (2026-07-07), the program is in Phase 1 — about four months from the Phase 2 start on 2026-11-10.
05Which document answers which question
This page explains how the machinery fits together. When a specific question comes up, here is the primary source to open. The full list, with when-to-reach-for-it detail on every item, lives on the Source Library.
| Question | Open |
|---|---|
| Does CMMC apply to my contract, and when? | 32 CFR 170.3; your contract’s own clauses (7012 / 7019 / 7020 / 7021 / 7025) |
| What exactly do the 110 Level 2 requirements say? | NIST SP 800-171 Rev. 2 |
| How will an assessor decide if a requirement is MET? | NIST SP 800-171A (assessment objectives) |
| What’s actually in scope — which systems, which assets? | CMMC Level 1 / 2 / 3 Scoping Guidance (Boundary page) |
| What happens during a Level 2 certification assessment? | CMMC Level 2 Assessment Guide |
| What counts as FCI or CUI in the first place? | 48 CFR 4.1901 (FCI); 32 CFR 2002.4(h) and the DoD CUI Program (CUI) (Data page) |
| What does a specific term mean? | Glossary |