48 CFR CMMC Acquisition Rule
Also known as: DFARS CMMC Rule, CMMC contract clause rule
The 48 CFR CMMC Acquisition Rule is the September 2025 DFARS amendment that added the CMMC clause (DFARS 252.204-7021) to the FAR/DFARS contract framework. It took effect November 10, 2025 and is what makes CMMC contractually enforceable rather than merely a DoD policy.
Related terms
- 32 CFR Part 170
32 CFR Part 170 is the Department of Defense final rule that established the CMMC program — defining the three certification levels, the assessment regime, the senior-official affirmation requirement, and the role of C3PAOs and the CMMC Accreditation Body. It became effective December 16, 2024.
- DFARS 252.204-7021
DFARS 252.204-7021 is the contract clause that makes a CMMC certification or self-assessment a material condition of award and continued performance on covered DoD contracts. It took effect November 10, 2025 as part of the 48 CFR final rule, and triggers the annual senior-official affirmation requirement under 32 CFR 170.22.
- Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense program that verifies whether contractors meet the cybersecurity controls already required by FAR 52.204-21 and NIST SP 800-171. It defines three certification levels and the assessment mechanism for each, established by 32 CFR Part 170 and made contractually binding by DFARS 252.204-7021.