IN THIS LESSON
In this installment of the CMMC Basics series, Mark Hapeman and Amira Armand from Keiri Solutions break down how CMMC requirements are introduced and enforced through federal contract clauses, with a focus on 32 CFR and 48 CFR—two key regulatory components shaping the CMMC landscape.
🔹 Key Takeaways:
1. 32 CFR – Establishes the CMMC Program
• 32 CFR (Code of Federal Regulations) is now finalized and active (as of Dec 2024).
• It officially establishes the CMMC program within DoD regulation, including:
    • The authority for CMMC assessments (self and third-party)
    • Roles and responsibilities for C3PAOs, the Cyber AB, and DoD officials
    • Requirements for accreditation and scoping guidance
• This rule allows CMMC certifications to be recognized but does not yet require them in contracts.
2. 48 CFR – Adds CMMC Clauses to Contracts
• 48 CFR governs DoD acquisition clauses (e.g., DFARS).
• The proposed rule (not yet final) is expected to be finalized by mid-2025.
• It will add CMMC clauses to new and renewing contracts, specifying:
    • The required CMMC level (1, 2, or 3)
    • Whether self-attestation or third-party certification is needed
    • The need for flow-down to subcontractors
3. Rollout Timeline
• Initial contracts will require self-assessments.
• Level 2 third-party certifications will begin showing up in contracts 6–12 months later.
• By 2026–2027, most contractors will need to be CMMC certified to compete.
• Subcontractors may be affected sooner if they serve primes that are subject to CMMC early.
4. Self-Attestation is Serious
• A self-assessment involves a formal affirmation by a senior company official.
• Organizations must implement all 110 NIST SP 800-171 controls, or document a plan of action to close any remaining gaps within six months.
• Misrepresentation may carry serious consequences under DoD scrutiny.
5. Federal-Wide Rule is Coming
• A Federal Acquisition Regulation (FAR) rule for CUI protection is under review, proposed by NASA and DoD.
• It may extend CMMC-like requirements to all federal agencies—not just DoD.
• This could dramatically broaden the scope of CMMC across the U.S. government contracting base.
🎯 Bottom Line
The 32 CFR rule activates the CMMC program, while the upcoming 48 CFR rule will make it enforceable in DoD contracts. Self-attestation is now a legal affirmation, and third-party certifications are on the horizon. Subcontractors and primes alike should prepare now—especially those handling CUI.