32 CFR Part 170
32 CFR Part 170 is the part of Title 32 (National Defense) of the Code of Federal Regulations that establishes the rules governing the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program.
The proposed rule was published in the Federal Register in December 2023; the final rule followed on October 15, 2024 and took effect on December 16, 2024. It is the legal framework for CMMC 2.0 and details how the program is implemented, managed, and enforced. Specifically, it:
• Defines the scope and applicability of the CMMC program for DoD contractors and subcontractors, including how assets are categorized and which systems fall within an assessment boundary.
• Establishes the security requirements and assessment requirements for each of the three levels: Level 1 (the 15 basic safeguarding requirements of FAR 52.204-21), Level 2 (the 110 requirements of NIST SP 800-171), and Level 3 (Level 2 plus 24 selected requirements from NIST SP 800-172).
• Outlines the roles and responsibilities of the DoD, contractors, the CMMC Accreditation Body, and CMMC Third-Party Assessment Organizations (C3PAOs), with Level 3 assessments performed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
• Specifies the conditions under which each level applies to contractor systems that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
• Provides rules on assessment types (Level 1 and Level 2 self-assessments, Level 2 C3PAO certification assessments, and Level 3 government-led assessments), assessment frequency (annual for Level 1 self-assessments, every three years for Level 2 and Level 3), the use of Plans of Action and Milestones (POA&Ms), and the annual affirmation of continuous compliance that a senior company official must submit.
In essence, 32 CFR Part 170 is the regulatory backbone of the CMMC program: it gives the program and its assessment requirements enforceable legal status, while the companion acquisition rule in Title 48 (the DFARS) is what places those requirements into individual DoD solicitations and contracts.