Get Ready: Title 48 of the Code of Federal Regulations (CFR) Cybersecurity Maturity Model Certification (CMMC) Acquisition Rule Is Coming Soon!
The long-anticipated Cybersecurity Maturity Model Certification (CMMC) Acquisition Final Rule is nearly here, and it is going to reshape how contractors and subcontractors do business with the Department of Defense (DoD). If your company does business with the DoD, it is critical to your business operations to understand how this rule will impact your contract eligibility, compliance obligations, and competitive posture. The rule is issued under the Defense Federal Acquisition Regulation Supplement (DFARS), which sits within 48 CFR.
Here’s what you need to know.
What Is the 48 CFR CMMC Acquisition Rule?
The DoD is amending acquisition regulations in the DFARS, under the 48 CFR, to formally integrate the CMMC into the DoD contracting process. This rule is expected to be finalized in summer 2025. Once the DFARS changes are finalized, CMMC will become a mandatory condition of contract award and performance for many contractors and subcontractors.
At this time, the structure and governance of the CMMC program are established under 32 CFR Part 170, which outlines the levels of certification, assessment types, oversight responsibilities, and the phased implementation plan.
The goal: to ensure that Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) are adequately protected throughout the DoD supply chain.
What Will the Rule Do?
The CMMC Acquisition Rule will:
Why Does It Matter?
CMMC is no longer optional—it’s becoming a contractual requirement. Contractors will be expected to meet all requirements outlined in the CMMC regulation 32 CFR Part 170 in order to maintain compliance across their systems, suppliers, and environments.
For defense contractors, this means:
CFR CMMC Phased Implementation Plan
The 48 CFR CMMC rule will enforce a phased rollout plan as outlined in the CMMC regulation:
What if I have already completed a Level 1 or Level 2 Self-Assessment and submitted an SPRS score to meet FAR 52.204-21 or DFARS clauses 252.204-7012, 7019, 7020 prior to the effective date of the 48 CFR CMMC Acquisition Rule? Does my previous assessment and score count?
If you completed a Level 1 (FCI) or Level 2 (CUI) Self-Assessment and submitted a corresponding Supplier Performance Risk System (SPRS) score (required for Level 2) within a year prior to the effective date of the 48 CFR CMMC rule, you may already satisfy Phase 1 requirements outlined in the above CMMC phases, and be ready to move to Phase 2 – Level 2 certification assessment by a C3PAO. However, be sure to consult your Contracting Officer (CO) or Contracting Officer Representative (COR) to confirm whether your current assessment and score fulfill Phase 1.
Now, if you completed a Level 2 Self-Assessment and reported your SPRS score but have not yet met all 110 NIST SP 800-171 security controls, you may have up to one year to validate full compliance and remediate any remaining deficiencies before advancing to Phase 2 certification assessment. Again, please confirm these details with your CO or COR.
What are the current core contractual requirements for FCI and CUI?
The core cybersecurity requirements for protecting FCI and CUI are established by FAR 52.204-21 and DFARS clauses 252.204-7012, 7019, 7020, and 7021.
FAR 52.204-21 applies to contractors handling FCI and requires them to implement 15 basic safeguarding requirements, which align to 17 security controls found in NIST SP 800-171. A self-assessment is sufficient, but all 15 requirements must be implemented to be considered compliant if you only store, process, or transmit FCI.
For CUI, DFARS 252.204-7012 requires full implementation of the 110 controls in NIST SP 800-171, allows for self-attestation, mandates reporting of cybersecurity incidents to the DIBNet within 72 hours, and requires that any cloud service providers (CSPs) used must be FedRAMP Moderate-equivalent. In addition, DFARS 252.204-7019 mandates a self-assessment scored using the DoD Assessment Methodology, with the result submitted to SPRS, while DFARS 252.204-7020 grants the DoD the right to review, validate, and audit that self-assessment and supporting documentation.
Although compliance with these clauses currently satisfies contractual obligations to protect FCI and CUI, DFARS 252.204-7021 and the forthcoming 48 CFR CMMC acquisition rule will formally introduce and enforce CMMC certification as a contract requirement to maintain award eligibility. This includes meeting the applicable NIST standards, commensurate with CMMC Levels 1, 2, and 3.
I understand I must meet all 110 controls for Level 2. What if I scored an 80? Do I still maintain my contract eligibility?
In accordance with CMMC regulation 32 CFR Part 170, organizations seeking Level 2 certification are required to meet all 110 NIST SP 800-171 controls. However, if you have not met all 110, you may still qualify for a Conditional Level 2 status, provided certain conditions are met.
To be eligible for Conditional Level 2, your assessment must result in a score of at least 80 points, and any unmet requirements must be documented in a Plan of Action and Milestones (POA&M). However, you are only allowed to include unmet controls that are each worth 1 point. You cannot include any controls worth 3 or 5 points in the POA&M. Additionally, your POA&M may list no more than 22 one-point controls.
Once Conditional Level 2 status is granted, you have 180 days to fully implement the remaining controls and close out your POA&M. After that, a POA&M closeout assessment is required to validate that all previously unmet requirements have been remediated. If these conditions are not satisfied, Conditional Level 2 status will expire, and your organization may lose eligibility to win or maintain contracts involving CUI.
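The Conditional Level 2 criteria above can be checked mechanically against a POA&M. The following script is an added example, not code from the original post or from Peerless; it implements the thresholds exactly as this page states them (score of at least 80, only 1-point controls in the POA&M, at most 22 items) on top of the DoD Assessment Methodology scoring of 110 minus the weight of each unmet control. The control weights in the sample are illustrative and assumed, not the official weighting table.

```python
from __future__ import annotations
from dataclasses import dataclass

MAX_SCORE = 110              # DoD Assessment Methodology: all 110 controls met
MIN_CONDITIONAL_SCORE = 80   # minimum score for Conditional Level 2, as stated on this page
MAX_POAM_ITEMS = 22          # cap on POA&M items, as stated on this page
POAM_ALLOWED_WEIGHT = 1      # only 1-point controls may be carried in the POA&M


@dataclass(frozen=True)
class UnmetControl:
    control_id: str   # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int       # 1, 3 or 5 points under the DoD Assessment Methodology


def sprs_score(unmet: list[UnmetControl]) -> int:
    """Score as reported to SPRS: 110 minus the weight of every unmet control."""
    return MAX_SCORE - sum(c.weight for c in unmet)


def level2_status(unmet: list[UnmetControl]) -> tuple[str, int, list[str]]:
    """Classify an assessment result under the page's Conditional Level 2 criteria.

    Returns (status, score, reasons); reasons is empty when the result qualifies.
    """
    score = sprs_score(unmet)
    if not unmet:
        return "Final Level 2", score, []
    reasons = []
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score} is below the {MIN_CONDITIONAL_SCORE}-point minimum")
    heavy = [c.control_id for c in unmet if c.weight != POAM_ALLOWED_WEIGHT]
    if heavy:
        reasons.append("3- or 5-point controls cannot be in the POA&M: " + ", ".join(heavy))
    if len(unmet) > MAX_POAM_ITEMS:
        reasons.append(f"{len(unmet)} POA&M items exceed the cap of {MAX_POAM_ITEMS}")
    status = "Conditional Level 2" if not reasons else "Not eligible"
    return status, score, reasons


# Constructed sample gap list: the IDs are NIST SP 800-171 requirement numbers,
# the weights are assumed for illustration (not the official DoD weighting table).
SAMPLE_GAPS = [
    UnmetControl("3.5.3", 5),    # multifactor authentication not yet deployed
    UnmetControl("3.1.20", 1),   # external connections not yet controlled
    UnmetControl("3.8.4", 1),    # media marking not yet implemented
]

if __name__ == "__main__":
    status, score, reasons = level2_status(SAMPLE_GAPS)
    print(f"SPRS score {score}: {status}")
    for r in reasons:
        print(" -", r)
```

In the sample, the score of 103 clears the 80-point threshold, but the single 5-point control blocks Conditional Level 2 status; it must be implemented before the assessment, not deferred to the POA&M.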
Are there any exceptions to policy or waivers that can be submitted if I don’t meet all CMMC regulations?
Yes, the CMMC program does allow for Enduring Exceptions for specific NIST SP 800-171 security controls your organization cannot meet, and for Waivers of the CMMC assessment requirement. Please consult with your CO or COR on these matters or contact the DoD CMMC Program Manager office. Here are a couple of links on this matter:
Bottom line: 2025 is the year to be ready!
The 48 CFR CMMC Acquisition Rule isn’t just another compliance checkbox—it’s a game changer for defense contractors and suppliers. Proactive companies that invest in cybersecurity now will be best positioned to secure contracts, build trust, and stand out in a tightening competitive landscape.
If you need help with CMMC gap assessments, remediation, or readiness, now’s the time to act.
How Should You Prepare Now?
Contact Peerless Tech Solutions. We specialize in cybersecurity gap assessments aligned with FAR 52.204-21, DFARS 252.204-7012, the CMMC Program (32 CFR Part 170), and both NIST SP 800-171 and NIST SP 800-171A. Our team conducts SPRS scoring using the official DoD Assessment Methodology and develops complete System Security Plans (SSPs), POA&Ms, and security policies to support governance and your compliance efforts.
As a full-service Managed Service Provider (MSP), Peerless delivers tiered IT support ranging from help desk services to advanced cybersecurity operations and incident response. Our Tier 3 Engineers possess advanced knowledge and expertise in secure system architecture, FedRAMP-authorized government cloud solutions, and SIEM technologies, enabling organizations to meet complex CMMC compliance requirements.
We also provide a detailed Shared Responsibility Matrix (SRM) that maps directly to the controls in NIST SP 800-171 and 800-171A, helping clarify roles between your team and our services.
Don’t wait until it’s too late and allow the new 48 CFR Final rule to affect your ability to win or keep government contracts.