
The 48 CFR CMMC Acquisition Rule: What Changes in Your DoD Contracts (2026)

The 48 CFR DFARS amendment took effect November 10, 2025. This is the rule that puts CMMC clauses into actual DoD contracts. Here's what changes for a Level 1 contractor — clause by clause.

By Custodia Compliance Team · Information security engineers, Custodia · May 24, 2026 · 8 min read

32 CFR Part 170 created the CMMC Program. 48 CFR is the rule that put it inside your contract. The two work as a pair: the program rule defines what CMMC is; the acquisition rule changes the DFARS (Defense Federal Acquisition Regulation Supplement) so contracting officers can write CMMC requirements into solicitations. The 48 CFR amendment took effect November 10, 2025, and Phase 1 of the rollout began the same day.

For a small Level 1 subcontractor, this is the rule that turns "we should do CMMC" into "we can't accept this purchase order unless we've done it." This post walks through what the rule adds to DFARS, what the new clauses say, and exactly what a Level 1 contractor does the moment one of those clauses lands in a solicitation.

What 48 CFR actually is

48 CFR is the section of the Code of Federal Regulations that contains the Federal Acquisition Regulation (FAR) and its supplements, including the DFARS for DoD. When DoD wants a new contract clause to be enforceable on contractors, it has to amend 48 CFR through formal rulemaking. The 48 CFR CMMC rule did exactly that: it added the CMMC clause and updated three existing DFARS clauses to point at the CMMC Program at 32 CFR Part 170.

The final rule was published in the Federal Register on August 15, 2025 and took effect November 10, 2025. It's the second of two rules that together stand up CMMC. The first — see our companion post on 32 CFR Part 170 — defines the program. This one connects the program to your purchase order.

Why this rule mattered for contractors

Between December 16, 2024 (when 32 CFR 170 took effect) and November 10, 2025, CMMC existed as a program but was effectively unenforceable on individual contracts. Contracting officers couldn't require it — there was no DFARS clause yet to insert. That gap is why a lot of contractors heard "CMMC is law now" in late 2024 and then noticed nothing changed in their day-to-day. The 48 CFR rule closed the gap.

The four DFARS clauses to know

Read the next DoD solicitation that hits your inbox with this list next to you. If you see any of these clause numbers in Section I, you're in CMMC territory.

  • DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting. The 2017 CUI clause. Still in effect; updated to align with CMMC.
  • DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements. Requires a current self-assessment score in SPRS. Updated by the 48 CFR rule.
  • DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements. Grants DoD assessment access. Updated.
  • DFARS 252.204-7021 — Cybersecurity Maturity Model Certification Requirements. The new CMMC clause itself. This is the one that requires the applicable CMMC level at award and throughout performance.

What's in Phase 1 (now)

32 CFR 170.3(e) sets the phase-in. As of Phase 1 (November 10, 2025 – November 9, 2026):

  • Contracting officers may include Level 1 self-assessment requirements in applicable solicitations.
  • Contracting officers may include Level 2 self-assessment requirements (the lower of the two Level 2 options).
  • Level 2 C3PAO certification is not yet required across the board (it ratchets up in Phase 2).
  • Level 3 (DIBCAC) is not yet required (Phase 3).

Translation for a Level 1 sub: your obligation is already live. If a Level 1 clause lands in a Phase 1 solicitation, you have to be self-assessed and affirmed in SPRS to be eligible for award. You don't get a Phase 2/3 grace period — that grace period only applies to the higher-level certifications, not to Level 1 self-assessment.

What changes for a Level 1 contractor

At Level 1, the 48 CFR rule does not create a single new technical requirement. The 15 safeguarding controls from FAR 52.204-21(b)(1) are unchanged. What changes is the enforcement mechanism:

  1. Eligibility at award. Before the rule, "I'm working on it" was a tolerable answer to a prime. After the rule, the contracting officer can require a current affirmation in SPRS before issuing the award.
  2. Continuous compliance. §170.22 requires annual affirmation. -7021 makes that an active contractual obligation. Let it lapse mid-contract and you're in default.
  3. Flow-down to subcontractors. Primes must flow -7021 down to subs handling the same FCI. If you're a sub of a sub, expect to see this clause come at you in writing.
  4. False Claims Act exposure. Filing an affirmation to win a contract under -7021 makes that affirmation a material condition of the award. Knowingly false affirmations are FCA actions, not just program-rule violations. See our False Claims Act primer.

What to do if a solicitation cites -7021

The single playbook for a Level 1 contractor:

  1. Scan the solicitation for DFARS 252.204-7012, -7019, -7020, -7021. Note which appear.
  2. Identify the required level. Look for "CMMC Level 1" or "Level 2" language in the clause; on Phase 1 solicitations, Level 1 is most common for FCI-only work.
  3. Check your SPRS status. Sign in to PIEE → SPRS → Cyber Reports. You should see a Level 1 affirmation with an affirmation date within the past 12 months. If not, you have work to do before you can bid.
  4. If you're affirmed: include the SPRS affirmation date and your CAGE in your proposal. Some primes want a screenshot; the Custodia bid-ready package includes one.
  5. If you're not affirmed: the 15 safeguarding requirements are 3–5 focused days of work for a small modern-cloud team. Our checklist and SPRS posting walkthrough are the fastest free path.

FAQ

When did the 48 CFR CMMC rule take effect?

November 10, 2025. From that date forward, DoD contracting officers can include the CMMC clauses (DFARS 252.204-7021 and the updated -7012 / -7019 / -7020) in new solicitations and contracts according to the Phase 1 schedule defined in 32 CFR 170.3(e).

What is DFARS 252.204-7021?

DFARS 252.204-7021 is the new CMMC contract clause introduced by the 48 CFR rule. It requires the contractor to have the applicable CMMC level (Level 1, 2, or 3) at the time of award and to maintain it throughout performance. For Level 1, that means a current self-assessment and an active senior-official affirmation posted in SPRS.

Do all DoD contracts now require CMMC?

No, not yet. The 48 CFR rule lets contracting officers include CMMC clauses, but the phase-in at 32 CFR 170.3(e) controls when they must. In Phase 1 (Nov 10, 2025 – Nov 9, 2026) only a subset of applicable solicitations carry CMMC. By Phase 4 (Nov 10, 2028 onward) every applicable contract will. COTS-only contracts remain exempt.

What's the difference between DFARS -7012, -7019, -7020, and -7021?

DFARS 252.204-7012 (in effect since 2017) requires NIST SP 800-171 safeguarding for CUI and 72-hour incident reporting. -7019 requires a current NIST SP 800-171 self-assessment score in SPRS. -7020 gives DoD assessment access. -7021 is the new CMMC clause that ties the level requirement to contract eligibility. They stack: a typical CUI contract carries -7012 + -7019 + -7020 + -7021.

Does the 48 CFR rule create new technical requirements for Level 1?

No. The technical requirements at Level 1 are still the 15 safeguarding requirements from FAR 52.204-21(b)(1). The 48 CFR rule just makes them contractually enforceable through a CMMC clause and ties contract award and continued performance to having the affirmation posted in SPRS.
