CMMC Final Rule: Understanding Title 32 CFR Compliance

Title 32 CFR: Final Rule

October 15, 2024 marked the end of 4+ years of ‘hurry up and wait’. The wait is over, and we are here to provide you with a quick summary of the key updates on the Final Rule of Title 32 CFR: Cybersecurity Maturity Model Certification Program.

The most important update starts with the effective date of the published rule. CMMC becomes effective 60 days after official publication in the Federal Register, essentially becoming effective starting December 16, 2024. This is a major update for contractors within the Defense Industrial Base (DIB), and it’s crucial to understand how it applies to your business.

Three Levels of CMMC Compliance:

The final CMMC rule outlines three distinct levels of compliance based on the type of information contractors handle instead of the originally proposed 5 levels:

  • Level 1: For contractors handling Federal Contract Information (FCI), requiring 17 basic security controls. This level allows for self-assessment. 
  • Level 2: For contractors handling Controlled Unclassified Information (CUI), requiring compliance with 110 security controls from NIST SP 800-171. Some contractors may self-assess, while others will need a third-party assessment. 
  • Level 3: For contractors managing sensitive CUI, incorporating 24 additional controls from NIST SP 800-172 to mitigate advanced persistent threats. These assessments will be conducted by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). 

Phased Implementation Timeline:

The CMMC program will roll out in four phases, with full implementation planned by 2028. Here’s an overview of the timeline:

  • Phase One (Estimated June 2025) Focuses on CMMC Level 1 self-assessment. This phase has been extended to a full year instead of the initial 6 months to allow for the capacity issues of C3PAOs. With the currently limited number of C3PAOs, the DIBCAC understands that not all OSAs will be able to schedule their assessments in a timely manner. Additional extensions may be considered, but there are no plans to do so yet.

    ➤ This phase one extension further pushes out phases 2-4, as each of the phases is dependent upon the prior phase.

  • Phase Two (Estimated June 2026) Applies to CMMC Level 2, targeting contractors handling Controlled Unclassified Information (CUI). Some contractors will perform self-assessments, while others will need to undergo third-party assessments by a Certified Third-Party Assessment Organization (C3PAO). 

  • Phase Three (Estimated June 2027) Focuses on CMMC Level 2 certification assessment. This phase also provides for an optional period for the DoD to add CMMC requirements to contracts awarded prior to CMMC implementation.  

  • Phase Four (Estimated June 2028) Represents the full implementation of the CMMC program across all DoD contracts, ensuring that all defense contractors meet the appropriate cybersecurity levels for the information they handle. 

Self-Assessment Options:

The final rule allows contractors handling Level 1 and some Level 2 contracts to conduct their own cybersecurity assessments annually, which helps ease the compliance burden for smaller businesses. Only certain Level 2 contracts and all Level 3 contracts will require third-party assessments by an accredited organization (C3PAO).

Plans of Action and Milestones (POA&M):

Contractors can now get temporary certification if they submit a plan (POA&M) explaining how they will meet cybersecurity requirements they haven’t yet completed. They’ll have 180 days to fix these issues, though some critical security measures must be addressed immediately. 

Alignment with Federal Regulations:

The CMMC framework now closely follows existing cybersecurity requirements, specifically Federal Acquisition Regulation (FAR) 52.204-21 and NIST SP 800-171 Rev 2, ensuring companies are consistently protecting sensitive government information. To alleviate confusion between NIST SP 800-171 Rev 2 and Rev 3: NIST SP 800-171 Rev 2 is codified in Title 32 CFR.

Reassessment Requirements:

Contractors are required to reassess their cybersecurity posture periodically to ensure compliance.  These reassessments are defined below. 

  • Annual Self-Assessments: For Level 1 and some Level 2 contracts, contractors are required to conduct self-assessments every year. These self-assessments must be submitted to the DoD’s Supplier Performance Risk System (SPRS), with a senior representative attesting to the organization’s compliance.
  • Third-Party Reassessments: For contracts that require CMMC Level 2 and Level 3 certifications, third-party assessments (by Certified Third-Party Assessment Organizations, or C3PAOs) are required every three years. Contractors must reassess to maintain certification for higher security levels.
  • Reassessment after Conditional Certifications: Contractors who receive a conditional certification via a Plan of Action and Milestones (POA&M) must complete their reassessment within 180 days to demonstrate that they have addressed any unresolved security issues.

Final Thoughts

There is still quite a bit of unpacking to do as we wait for the final ruling of Title 48 CFR, which was opened for public comment on August 15, 2024. The Title 48 CFR public comment period ended today!

However, as we approach the December 2024 implementation date, contractors within the Defense Industrial Base should prepare for these changes NOW and ensure they are on track for compliance. Whether your organization handles FCI, CUI, or sensitive CUI, understanding the phases and levels of CMMC certification will be critical to maintaining your eligibility for DoD contracts.

Stay ahead of the curve by reviewing your current cybersecurity practices and identifying any areas that need attention.

Agile IT: An Expert in CMMC Compliance Consulting

Agile IT has been performing cloud migrations for 16 years, with over 2 million accounts migrated. Agile IT’s advanced expertise in Microsoft technologies, such as Microsoft 365, Azure, Entra ID, and Defender, along with a broader focus on IT support, cloud computing, and GCC High and Azure migrations, helps clients maximize their investment in technology systems and solutions.

By leveraging Azure Government and GCC High, Agile IT enables government contractors in the Defense Industrial Base (DIB) to transmit and handle specified CUI such as ITAR in a secure, CMMC Level 2-compliant workspace with confidence. Agile IT offers a full range of services, well beyond that of most IT and Managed Service Providers, including: 

If you need an expert CMMC compliance consultant, we offer a full range of cloud implementation, migration, security, and compliance services.  

To find out how we can help you meet your organization’s compliance requirements, request a free consultation today. 
