CMMC 32 and 48 CFR Rules: What Every Contractor Must Know Before November 10, 2026
Advance CMMC Inc.
June 3, 2026
The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program is a key cybersecurity framework that impacts the Defense Industrial Base (DIB). As contractors work toward CMMC implementation, references to the "32 CFR Rule" and the "48 CFR Rule" are common. Understanding these two regulations is critical for companies pursuing CMMC compliance and preparing for future contract opportunities.
What is the CMMC 32 CFR Rule?
The 32 Code of Federal Regulations Rule, formally known as 32 CFR Part 170, establishes the CMMC program itself. This rule is published by the Department of Defense. It defines the framework, requirements, assessment methods, and certification levels for the CMMC.
The rule applies to defense contractors and subcontractors that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). It outlines the three CMMC levels, attestation and assessment requirements, scoping guidance, and the role of the auditors, the Certified Third-Party Assessment Organizations (C3PAOs).
The 32 CFR Rule became effective in December 2024. It established CMMC as a federal cybersecurity program, although it did not directly place CMMC requirements into Department of Defense contracts.
What is the CMMC 48 CFR Rule?
The 48 Code of Federal Regulations Rule adds CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS). The 32 CFR Rule defines the CMMC and how it operates, and the 48 CFR Rule determines how defense contractors must comply with the CMMC in order to receive DoD contract awards.
The 48 CFR Rule adds DFARS contract clauses that require contractors to implement and maintain the relevant CMMC level before the contract is awarded.
It also sets flow-down requirements for subcontractors and requires continuous compliance throughout contract performance.
The 48 CFR Rule gives contracting officers a regulatory mechanism to require CMMC certification as a condition of the award.
Why Defense Contractors Need to Understand Both Rules
A misconception is that technical implementation of the CMMC controls is enough on its own to achieve compliance. However, the CMMC framework requires both technical implementation and formal auditing through the assessment process established by the 32 CFR Rule. The 48 CFR Rule then makes those requirements enforceable within DoD contracting.
Phased Rollout of 32 and 48 CFR
The 48 CFR Rule will be rolled out in 4 phases between 2025 and 2028.
· We’re currently in Phase 1, where CMMC requirements are being added to certain new contracts. These requirements focus on self-assessments and Level 1 and 2 requirements.
· Phase 2 will start on November 10, 2026. This phase will add mandatory C3PAO Level 2 Assessments to a wider range of contracts. Defense contractors that work with CUI need to start preparing now for Level 2 compliance in order to pass their C3PAO-led Level 2 Assessments.
· Phases 3 and 4 are the final stages before 100% CMMC compliance is required within the Defense Industrial Base.
Once 100% compliance is required, all defense contractors who work with FCI and CUI will need to show proof of CMMC Level 1 and Level 2 compliance in order to receive Department of Defense (War) contracts. Contractors who cannot show proof of their Level 1 Self Attestations or C3PAO-led Level 2 Certifications will not be eligible to receive DoD/DoW contracts.
Steps Defense Contractors Should Take Now
As CMMC requirements continue to be phased into contracts, contractors should do the following:
· Identify which CMMC level applies to their organization.
· Conduct a gap assessment against relevant requirements.
· Develop a Plan of Action and Milestones (POA&M) and begin remedying the gaps.
· Prepare for Level 1 self-assessments or Level 2 C3PAO assessments.
· Establish ongoing processes to maintain compliance.
· Build their “Flow Down” supply chain. Primes and subcontractors need to ensure that their own subcontractors meet Level 1 or Level 2 compliance in order to work on projects originating from the Department of Defense (War).
To summarize, the 32 CFR Rule establishes the CMMC program, while the 48 CFR Rule brings CMMC into DoD contracting.
Defense contractors who start their CMMC compliance now are preparing themselves for a bright future of maintaining and growing their DoD (War) contracts. They’re demonstrating that they can protect sensitive information.
Defense contractors who delay CMMC compliance will see lost opportunities, as they may not qualify to win DoD contracts.
The learning curve for CMMC compliance is steep. It’s often wise to work with a trained and experienced CMMC implementation firm.
If you’d like concrete steps toward compliance, please reach out to Advance CMMC Inc. today. We’re CMMC implementation leaders and we support your successful journey.