
Understanding the CMMC 2.0 Final Rule: Enforcement through 32 CFR and 48 CFR

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense’s (DoD) standardized framework for verifying that defense contractors safeguard sensitive unclassified information.
With the publication of the final program rule in October 2024, CMMC 2.0 settles the security requirements and sets a phased enforcement timeline that rests on two regulations:
32 CFR Part 170 (the program rule) and 48 CFR (the DFARS acquisition rule that writes CMMC into contracts). This article provides an overview of CMMC 2.0’s structure, legal basis, enforcement roadmap, and implications for contractors.

CMMC 2.0 Overview

CMMC 2.0 simplifies the original framework into three maturity levels and aligns closely with existing NIST guidance:

  • Level 1 (Foundational): Protects Federal Contract Information (FCI) using the 15 basic safeguarding requirements of FAR 52.204-21.
  • Level 2 (Advanced): Protects Controlled Unclassified Information (CUI) with the 110 security requirements of NIST SP 800-171.
  • Level 3 (Expert): Protects CUI on high-value programs using all of NIST SP 800-171 plus 24 selected requirements from NIST SP 800-172.

32 CFR Part 170: The CMMC Program Rule

Published in the Federal Register on October 15, 2024, and effective December 16, 2024, 32 CFR Part 170 formalizes the CMMC program.
It defines the certification levels, the governance bodies (the Cyber AB accreditation body and the C3PAOs it accredits), and the assessment procedures for each level.
Assessment and affirmation become routine obligations: Level 1 requires an annual self-assessment, Level 2 requires either a self-assessment or a C3PAO certification assessment every three years (depending on the contract), and Level 3 requires a government-led assessment every three years; every level also requires an annual affirmation of continued compliance by a senior official.
Prime contractors are also responsible for flowing the applicable CMMC level down to subcontractors that handle FCI or CUI and for confirming that they meet it.

How RSI Can Help

RSI offers tailored services through both its assurance and security practices to guide contractors through every stage of CMMC readiness and compliance:

  • RSI Assurance provides expert-led CMMC readiness assessments, helping contractors perform accurate gap analyses, create System Security Plans (SSPs), and develop actionable Plans of Action & Milestones (POA&Ms).
    RSI Assurance equips organizations with a practical roadmap to reach and maintain compliance.
  • RSI Security, as a CMMC Third-Party Assessment Organization (C3PAO), offers independent CMMC certification assessments at Level 2 and supports contractors subject to DoD-led assessments.
    RSI Security ensures assessments are thorough, objective, and aligned with current DoD and NIST requirements.

With this dual-pronged approach, RSI empowers defense contractors to confidently navigate the CMMC process from initial preparation to successful certification.

Recommendations for Contractors

  1. Conduct a gap analysis against the 110 requirements of NIST SP 800-171.
  2. Prepare a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M) for any unmet requirements.
  3. Complete the required self-assessment score submission in the Supplier Performance Risk System (SPRS).
  4. Engage a C3PAO for a Level 2 certification assessment, or prepare for a DoD-led assessment at Level 3.
  5. Ensure subcontractors that receive FCI or CUI meet the applicable CMMC level.
  6. Track the 48 CFR (DFARS) rulemaking to anticipate when CMMC requirements start appearing in solicitations and contracts.

Conclusion

CMMC 2.0 establishes a standardized, scalable model to secure sensitive DoD information across the contractor ecosystem.
The dual regulatory foundation provides both programmatic structure (32 CFR Part 170) and contractual enforceability (48 CFR).
With enforcement phased in and full implementation expected by 2028, defense contractors must act now to build compliance capability, reduce risk, and maintain eligibility for DoD contracts.
