The Cybersecurity Maturity Model Certification final rule — 32 CFR Part 170 — was published in the Federal Register on October 15, 2024, and took effect December 16, 2024. After years of CMMC 1.0, CMMC 2.0, interim rules, and delays, this is the rule that counts. It is codified. It is effective. And for approximately 80,000 defense contractors handling Controlled Unclassified Information, it establishes a new baseline for what compliance actually means.
Most contractors I talk to have a general awareness that CMMC is coming. Far fewer have a clear picture of the timeline, what the rule actually requires of their specific situation, and what they need to be doing right now. This article covers the essentials: what changed, when it matters, and what the first 90 days of serious preparation should look like.
What Changed From CMMC 2.0
The final rule codifies the CMMC 2.0 structure that DoD announced in 2021. The most important structural change from CMMC 1.0 is the reduction from five levels to three:
- Level 1 — 17 practices from FAR 52.204-21 (basic safeguarding of covered contractor information systems). Annual self-assessment and affirmation required.
- Level 2 — 110 practices aligned to NIST SP 800-171 Rev 2 (now Rev 3 as of the final rule). Self-assessment applies for some contracts; third-party C3PAO assessment required for others, based on DoD's determination of information sensitivity.
- Level 3 — 24 additional practices above Level 2, based on NIST SP 800-172. Requires a DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) government-led assessment.
The elimination of the five-level model removes the confusion of CMMC 1.0's Levels 3–5 and creates a cleaner demarcation: if you handle CUI, you need CMMC Level 2. If you handle information on the DoD's highest-sensitivity programs, Level 3 may apply.
One significant clarification in the final rule: NIST SP 800-171 Rev 3 is explicitly referenced as the applicable standard. If your existing SSP was written to Rev 2, it needs to be updated. See the Rev 3 analysis in the related articles below.
The Phased Rollout Timeline
The final rule establishes a phased implementation approach. Understanding the phases is essential because they determine when CMMC requirements can actually appear in your contracts.
Phase 1 — Effective December 16, 2024. DoD can begin including CMMC Level 1 and Level 2 self-assessment requirements in new contracts and solicitations. Contractors should expect to see these requirements appear in 2025 solicitations. If your contract has DFARS 252.204-7019, you already have an obligation to self-assess and submit your SPRS score — Phase 1 formalizes and extends this.
Phase 2 — One year after the final rule (approximately December 2025). DoD can begin requiring Level 2 conditional certifications — C3PAO assessments — in new contracts. Not all Level 2 contracts will require C3PAO certification; DoD will specify in the solicitation. But high-sensitivity programs will begin requiring third-party certification from this point forward.
Phase 3 — Two years after the final rule (approximately December 2026). Level 2 C3PAO certification requirements can appear broadly across the contract base. Level 3 DIBCAC assessment requirements can begin appearing.
Phase 4 — Three years after the final rule (approximately December 2027). Full implementation. All applicable contracts may include CMMC requirements at the appropriate level. By this phase, contractors without certification at the required level cannot be awarded applicable contracts.
The phased approach gives contractors time to prepare — but it does not give contractors permission to wait. C3PAO assessments have lead times. Remediation takes time. The contractors who start now will be in position for Phase 2 and Phase 3 requirements. The contractors who start when Phase 3 arrives will be scrambling.
Self-Assessment vs. C3PAO Assessment — How DoD Decides
The question contractors most often ask is: do I need a C3PAO, or can I self-assess? The answer is determined by DoD in the solicitation — not by the contractor's preference.
The general framework: Level 2 self-assessment is intended for contracts where CUI is present but the program sensitivity is moderate. Level 2 C3PAO certification is required for contracts where program sensitivity warrants independent verification of the contractor's security posture. In practice, if you are working on named programs, sensitive technology, or anything that falls under an acquisition category with specific DCSA or program office oversight, assume C3PAO certification will be required.
The distinction has practical implications beyond just the assessment itself. A C3PAO assessment requires that your security posture actually hold up under external scrutiny — not just that you've documented it adequately for your own internal review. Self-assessment scores submitted to SPRS have historically shown significant optimism relative to what external assessors find. If your self-assessed SPRS score doesn't reflect your actual posture and you later go through C3PAO certification, the gap becomes a compliance event.
Level 3 works differently: the assessment is conducted by DIBCAC, a DoD government entity, not a commercial C3PAO. DIBCAC assessments are more intensive and require demonstrating implementation of the additional NIST SP 800-172 practices on top of the Level 2 baseline. Very few contractors will initially face Level 3 requirements, but if you're on advanced programs, start understanding the 800-172 control set now.
The SPRS Score — Your Existing Obligation
If you have DFARS clause 252.204-7019 in your contracts — which the vast majority of DoD prime contractors do — you already have an obligation under the interim DFARS rule that has been in place since November 2020. That clause requires you to complete a self-assessment of your implementation of NIST SP 800-171, calculate your score against the 110-practice scoring methodology, and submit that score to the Supplier Performance Risk System (SPRS).
CMMC does not replace this obligation. It builds on it. Your SPRS score is the documented self-assessment that backs up your contractual compliance representation. If your SPRS score is a 110 (perfect) but your actual posture has significant gaps, that is a false claims exposure. If your SPRS score is well below 110, or even negative (each unimplemented practice is deducted from the 110-point base, so deductions can exceed it), that is an honest representation, but it is also an open invitation for DoD to ask when and how you plan to remediate.
Update your SPRS score to reflect your current actual posture. Document your Plan of Action and Milestones (POA&M) for open items. Do not submit a score that doesn't reflect reality.
Your First 90 Days
Contractors who haven't yet done structured CMMC preparation need to use the Phase 1 window. Here is what the first 90 days should look like for a Level 2 contractor:
- Determine your contract obligations. Pull your active contracts and identify which ones contain DFARS 252.204-7012, 252.204-7019, and 252.204-7020. These clauses establish your existing CUI safeguarding and assessment obligations. Understand which contracts flow CUI and which do not — not all DoD contracts involve CUI.
- Conduct a CUI scoping exercise. Map where CUI lives in your environment. Which systems receive, process, store, or transmit CUI? This is the basis for your CMMC assessment scope. Scope that is too broad makes remediation and assessment unmanageable. Scope that is too narrow will be challenged by an assessor. Document the CUI flows with a data flow diagram.
- Perform a gap assessment against NIST SP 800-171 Rev 3. With your scoped environment identified, assess your implementation of each of the 110 practices. Be honest. Every gap is a POA&M item. Every POA&M item needs a remediation timeline and responsible owner. This is not a documentation exercise — it's a security posture assessment.
- Update your SPRS score submission. Based on the gap assessment, calculate your current score. Update your SPRS submission to reflect your actual posture. If you have a POA&M in place, that is the appropriate mechanism for demonstrating progress on open items.
- Begin SSP development or triage your existing SSP. If you have an SSP, review it against Rev 3 requirements. If you don't have one, start building it. The SSP is the foundational document that a C3PAO assessor will read first. It needs to accurately describe your system boundary, your control implementations, and your POA&M items.
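The scoring described in the SPRS section above and steps three and four of this 90-day plan (gap assessment, then POA&M and score submission) are mechanical enough to check in code. The script below is an added example, not code from the article or from Fulcrum Advisory: it takes a gap assessment, computes the SPRS score as 110 minus the weight of every unimplemented practice (so the score can go negative), builds the POA&M, and flags open items that lack the owner or timeline the article says every item needs, or whose due date has already passed. Practice identifiers use NIST SP 800-171 Rev 2 numbering; the 1/3/5 weights attached to the sample practices are constructed sample values, not a transcription of the DoD assessment methodology, and practices absent from the input are assumed implemented, so a real submission must list all 110.

```python
"""Derive an SPRS score and a POA&M from a NIST SP 800-171 gap assessment.

Added example; it is not from the original article or from Fulcrum Advisory.
Practice IDs use NIST SP 800-171 Rev 2 numbering. The weight given to each
sample practice is constructed sample data: the DoD assessment methodology
weights practices at 1, 3 or 5 points, but the mapping below is illustrative.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_SCORE = 110              # 110-point base: every practice implemented
ALLOWED_WEIGHTS = {1, 3, 5}  # per-practice deduction values (assumed scheme)
AS_OF = date(2025, 3, 1)     # constructed "as of" date for overdue checks


@dataclass(frozen=True)
class PracticeResult:
    practice_id: str
    description: str
    weight: int                   # points deducted while unimplemented
    implemented: bool
    owner: Optional[str] = None   # POA&M responsible owner
    due: Optional[date] = None    # POA&M remediation target date


def validate(results):
    """Reject duplicate practice IDs and weights outside the 1/3/5 scheme."""
    seen = set()
    for r in results:
        if r.practice_id in seen:
            raise ValueError(f"duplicate practice {r.practice_id}")
        seen.add(r.practice_id)
        if r.weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{r.practice_id}: weight {r.weight} not in 1/3/5")


def sprs_score(results):
    """110 minus the weight of every unimplemented practice.

    Practices absent from `results` count as implemented, so a real
    submission lists all 110. Deductions can exceed the base, giving a
    negative score; that is still the honest representation.
    """
    validate(results)
    return MAX_SCORE - sum(r.weight for r in results if not r.implemented)


def _id_key(r):
    # Numeric sort so 3.13.11 follows 3.8.3, not 3.1.1
    return tuple(int(p) for p in r.practice_id.split("."))


def build_poam(results):
    """One POA&M row per unimplemented practice, in practice-ID order."""
    return [
        {"practice": r.practice_id, "weight": r.weight,
         "owner": r.owner, "due": r.due}
        for r in sorted(results, key=_id_key) if not r.implemented
    ]


def poam_defects(results, as_of):
    """Open items missing an owner or a timeline, or already past due."""
    defects = []
    for row in build_poam(results):
        if row["owner"] is None:
            defects.append(f"{row['practice']}: no responsible owner")
        if row["due"] is None:
            defects.append(f"{row['practice']}: no remediation date")
        elif row["due"] < as_of:
            defects.append(f"{row['practice']}: overdue since {row['due'].isoformat()}")
    return defects


# Constructed sample gap assessment covering five of the 110 practices.
SAMPLE = [
    PracticeResult("3.1.1", "Limit system access to authorized users", 5, True),
    PracticeResult("3.5.3", "Multifactor authentication for privileged and network access",
                   5, False, owner="IT lead", due=date(2025, 6, 30)),
    PracticeResult("3.8.3", "Sanitize or destroy CUI media before disposal or reuse",
                   1, False),   # no owner, no date: POA&M defect
    PracticeResult("3.13.11", "FIPS-validated cryptography to protect CUI",
                   5, False, owner="Security engineering", due=date(2025, 1, 31)),
    PracticeResult("3.14.1", "Identify, report and correct system flaws", 3, True),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))   # 99 for the sample above
    for row in build_poam(SAMPLE):
        print("POA&M", row)
    for d in poam_defects(SAMPLE, AS_OF):
        print("DEFECT", d)
```

Running it against the sample reports a score of 99 (deductions of 5, 1 and 5 from the three open practices), three POA&M rows, and three defects: 3.8.3 has neither owner nor date, and 3.13.11 is overdue as of the constructed date. Feeding the same structure your full 110-practice assessment is the point: the score you submit to SPRS and the POA&M an assessor reads should come from one source of truth, not two spreadsheets maintained separately.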
The contractors who will be ready for Phase 2 C3PAO requirements are the ones who started their gap assessment in 2025. The contractors who wait for a contract requirement to trigger action will be looking at 12–18 month remediation timelines that don't fit within a 90-day Phase 2 window.
Starting your CMMC compliance journey or updating for Rev 3?
Fulcrum Advisory delivers gap assessments and compliance documentation built for C3PAO scrutiny — not just internal self-assessment.