32 CFR Part 170 is the rule that made CMMC real. Until it took effect on December 16, 2024, the Cybersecurity Maturity Model Certification was a Department of Defense policy framework — an idea in PowerPoint decks and OUSD(A&S) memos. After December 16, 2024, it's federal law: 41 sections of binding regulation that define every part of the program, from the three levels down to the exact affirmation a small contractor has to file in SPRS each year.
Most of the writing online about Part 170 is aimed at Level 2 prime contractors paying $50K+ for a C3PAO assessment. This post is the opposite: what the rule says, what changed, and what a Level 1 contractor — a 12-person electrical sub, a software shop on an SBIR, a machine shop with one DoD line — has to actually do about it.
What 32 CFR Part 170 actually is
32 CFR Part 170 is the CMMC Program Rule — the body of regulation that establishes the Cybersecurity Maturity Model Certification Program inside the Department of Defense. It was proposed in December 2023, finalized in October 2024, and became effective December 16, 2024. The official text runs from §170.1 through §170.24 and is available at the eCFR.
The rule does five things:
- Establishes the three CMMC levels and the cybersecurity practices each requires.
- Specifies the assessment mechanism for each level (self vs. third-party vs. government-led).
- Creates the CMMC ecosystem (C3PAOs, CAICOs, CAPs, the CMMC Accreditation Body).
- Defines the annual senior-official affirmation and where it gets posted.
- Sets the multi-year phase-in schedule for when CMMC requirements appear in DoD solicitations.
The dates that matter
- December 26, 2023 — Proposed rule published; 60-day public comment period.
- October 15, 2024 — Final rule published in the Federal Register.
- December 16, 2024 — 32 CFR Part 170 takes effect. CMMC is now law.
- August 15, 2025 — 48 CFR (DFARS) final rule published.
- November 10, 2025 — DFARS rule effective. Contracting officers can now write CMMC into new solicitations.
- November 9, 2026 — End of Phase 1. Level 2 certification (not self-assessment) becomes required in applicable contracts.
- November 9, 2028 — End of Phase 3. Full rollout: every applicable DoD contract carries its CMMC requirement.
Who's in scope (and who isn't)
Per §170.3(b), the rule applies to any contractor or subcontractor in the DoD supply chain that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) — except a narrow carve-out for contracts solely for commercially available off-the-shelf (COTS) items.
In practical terms:
- You handle FCI only (most small subs): Level 1. Self-assessed. 15 safeguarding requirements from FAR 52.204-21. Affirmed annually by a senior official in SPRS.
- You handle CUI: Level 2. Either self-assessed or C3PAO-certified depending on the contract. 110 controls from NIST SP 800-171.
- You handle CUI for the highest-priority programs: Level 3. DIBCAC-led government assessment against NIST SP 800-172.
- COTS-only: outside the rule.
Don't know which bucket you're in? Walk our 4-question decision tree. If your prime is asking for a SPRS score and you only handle unclassified contract information (delivery schedules, non-public emails, supplier portal access), you're almost certainly Level 1.
Levels 1, 2, 3 — set by the rule
§170.14 defines the three levels. Custodia's entire product is the Level 1 row of this table; we publish it for context.
| Level | Covers | Requirements | Assessed by |
|---|---|---|---|
| Level 1 | FCI | 15 (FAR 52.204-21(b)(1)) | Self, annually |
| Level 2 | CUI | 110 (NIST SP 800-171 r2) | Self or C3PAO, triennial |
| Level 3 | CUI (highest priority programs) | 110 + 24 from NIST SP 800-172 | DIBCAC (DoD), triennial |
The senior-official affirmation (§170.22)
Every CMMC level — including Level 1 self-assessment — requires an annual affirmation under §170.22. The rule is unusually specific:
- A senior official of the OSC (Organization Seeking Certification) must affirm in writing that the company continues to meet all applicable CMMC requirements.
- The affirmation is filed in SPRS (the Supplier Performance Risk System) inside PIEE.
- It is filed annually from the date of the most recent assessment or affirmation.
- It is a federal record. Knowingly false affirmations expose both the company (False Claims Act, 31 U.S.C. § 3729) and the individual signer (18 U.S.C. § 1001 false statements).
The four phases at §170.3(e)
Section 170.3(e) of the rule lays out a three-year phase-in for when CMMC requirements actually appear in DoD solicitations. The clock started when the acquisition rule (48 CFR) took effect on November 10, 2025 — not when 32 CFR 170 itself took effect.
- Phase 1 (now → Nov 9, 2026): Contracting officers may include Level 1 self-assessment and Level 2 self-assessment requirements in applicable solicitations.
- Phase 2 (Nov 10, 2026 → Nov 9, 2027): Level 2 third-party (C3PAO) certification may be required.
- Phase 3 (Nov 10, 2027 → Nov 9, 2028): Level 3 (DIBCAC-assessed) requirements may be added.
- Phase 4 (Nov 10, 2028 →): Full implementation — every applicable contract carries its CMMC requirement.
Level 1 self-assessment is required throughout all four phases. The phase-in only affects when Level 2 and Level 3 ratchet up. If you're Level 1, the work in front of you is unchanged from Phase 1 onward.
C3PAOs, CAICOs, ESPs — the supporting cast
Most Part 170 jargon is about the ecosystem that supports Level 2 and Level 3 assessments. At Level 1, you can mostly ignore it. Quick definitions so the acronyms stop being scary:
- C3PAO — CMMC Third-Party Assessment Organization. Performs Level 2 certifications. Not used at Level 1.
- CAICO — CMMC Assessor and Instructor Certification Organization. Trains and certifies the humans who do the assessments.
- Cyber AB — The CMMC Accreditation Body. The non-profit DoD authorized to accredit the ecosystem.
- ESP — External Service Provider. A managed-service or cloud provider that operates part of your in-scope environment. §170.19(c)(2) requires that ESPs handling CUI also meet the applicable CMMC requirements; the same logic applies in spirit at Level 1.
- OSC — Organization Seeking Certification. That's you.
What a Level 1 contractor does about it
The full text of 32 CFR Part 170 is 470+ pages with the preamble. For a small Level 1 contractor, the operational summary is six lines:
- Confirm you're Level 1 (you handle FCI but no CUI). Use the decision tree.
- Implement the 15 FAR 52.204-21 safeguarding requirements. Most are already enabled in a default M365 or Google Workspace tenant.
- Document evidence for each requirement in a System Security Plan (SSP).
- Run the self-assessment. The result is MET or NOT MET per requirement. There's no numerical score at Level 1.
- Have a senior official affirm in SPRS (§170.22). Walkthrough here.
- Repeat annually from the affirmation date.
FAQ
When did 32 CFR Part 170 take effect?
December 16, 2024. That's the effective date of the final rule (published in the Federal Register on October 15, 2024) and the date the CMMC Program officially became law. The companion acquisition rule that puts CMMC clauses into actual DoD contracts (48 CFR / DFARS 252.204-7021) became effective separately on November 10, 2025.
Does 32 CFR 170 apply to me if I'm just a small subcontractor?
Yes. The rule applies to any contractor or subcontractor in the DoD supply chain that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Small business size does not exempt you. The rule does scale the requirement: handling only FCI puts you at Level 1 (self-assessed, 15 safeguarding requirements); handling CUI puts you at Level 2 or 3.
What's the difference between 32 CFR Part 170 and DFARS 252.204-7012?
32 CFR Part 170 is the CMMC Program Rule — it defines the levels, assessment process, affirmations, and ecosystem (C3PAOs, CAICOs, the Cyber AB). DFARS 252.204-7012 is a different, older contract clause (in effect since 2017) that requires safeguarding CUI per NIST SP 800-171 and reporting cyber incidents to DoD within 72 hours. They overlap but they're not the same instrument. CMMC is how DoD verifies the 7012 requirements are actually met.
What is the CMMC affirmation under 32 CFR 170.22?
32 CFR 170.22 requires a senior official of the contractor to affirm — annually, in SPRS — that the company continues to meet all applicable CMMC requirements. The affirmation is a federal record. Filing a false one creates False Claims Act exposure (31 U.S.C. § 3729) and potential individual liability under 18 U.S.C. § 1001.
What are the four CMMC phases in the rule?
32 CFR 170.3(e) phases CMMC in over three years from the acquisition-rule effective date. Phase 1 (now): self-assessments accepted in lieu of certification on most solicitations. Phase 2: Level 2 certification required in applicable contracts. Phase 3: Level 2 and Level 3 certification required where applicable. Phase 4 (full rollout): all applicable contracts require the appropriate CMMC level. Level 1 self-assessment is required throughout all phases.