DBITDefenseCMMC Level 2 · Readiness
(561) 887-5470Free DashboardSign in ↗
Timeline · Regulation · March 14, 2026

CMMC 2.0 Final Rule: timeline and structure.

The CMMC 2.0 Program rule (32 CFR Part 170) was published in the Federal Register in October 2024 and took effect in December 2024. The dates and document structure below are drawn from the Federal Register publication and DoD CIO program materials.

Published March 14, 2026South Florida · Palm Beach · Broward · Miami-Dade
(561) 887-5470
Tag
Timeline
Citations
4
Type
Plain summary
Original
no control interpretation
No. 01

Summary and dates.

Publication and effective dates

15 Oct 2024
32 CFR Part 170 (CMMC Program) published in the Federal Register.
Federal Register
16 Dec 2024
Rule effective date — 60 days after publication, per the Federal Register notice.
Federal Register
2024 — 2028
Phased rollout schedule announced by DoD, with Phase 1 beginning when the companion DFARS amendment becomes effective.
DoD CIO CMMC program page

What the rule codifies

32 CFR Part 170 establishes the three CMMC levels (Level 1 / 2 / 3), the assessment types associated with each level (self-assessment for Level 1, third-party assessment for Level 2 conducted by an authorized C3PAO for most contracts, and government-led assessment for Level 3), and the program governance structure.

Level 2 alignment is to the 110 security requirements in NIST SP 800-171 Rev. 2, with the associated assessment objectives in NIST SP 800-171A.

What the rule does not do

The Program rule itself does not amend DFARS contract clauses. The companion DFARS amendment (proposed under DFARS Case 2019-D041) handles the contract-level implementation. Until that DFARS amendment becomes effective, CMMC requirements do not automatically appear in new solicitations.

No. 02

Sources and citations.

Primary references

DBIT Defense does not interpret control intent or republish substantive control text. All claims above link to primary sources for verification.

No. 03

Related insights.

01
Program · Rollout · March 20, 2026

CMMC phased rollout: Phase 1 through Phase 4

DoD has published a four-phase rollout schedule for CMMC, beginning when the DFARS implementation rule becomes effective and ramping over three years. The phase…

02
Ecosystem · Assessors · April 2, 2026

The C3PAO ecosystem: who they are, where they are

Authorized CMMC Third Party Assessment Organizations (C3PAOs) conduct Level 2 certification assessments. The Cyber-AB maintains the authoritative marketplace li…

03
Standards · NIST · April 18, 2026

NIST SP 800-171: Rev. 2 vs Rev. 3

NIST published Revision 3 of SP 800-171 in May 2024. The CMMC Program rule (32 CFR Part 170) currently references Revision 2 as the underlying control catalog. …

04
Regulation · DFARS · May 2, 2026

DFARS 252.204-7012: history and current applicability

DFARS 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting" — has been in DoD contracts since 2015 and remains the underlying a…

Know where you stand
before the requirement
reaches the contract.

Start with a focused CMMC readiness assessment. We will send a written scoping summary within two business days, or a candid recommendation if it is not the right fit.

Or call directly (561) 887-5470Mon–Fri · 9am – 6pm ET · South Florida

Request a readiness assessment