CMMC 32 CFR: What’s in the final rule? 


On October 15, 2024, the Department of Defense (DoD) published the final 32 CFR rule for CMMC 2.0 in the Federal Register. The long-awaited rule outlines the requirements for defense contractors and subcontractors, defines the levels and assessment types, sets out the responsibilities of CMMC third-party assessment organizations (C3PAOs), and establishes the implementation timeline.

Now that the CMMC program rule is finalized, here are the key takeaways you need to know. 

Notable updates on CMMC final rule 

Draft versions of the CMMC rule have circulated for months, providing strong indicators of the direction of the program. But, as expected, there are a few notable changes and updates in the final rule. 

Program timeline 

CMMC began operating on December 16, 2024. In September 2025, 48 CFR was published in the Federal Register with an effective date of November 10, 2025. This marks the official start of Phase 1 of the CMMC rollout, meaning readiness is no longer optional and all new DoD solicitations and contracts include some level of CMMC requirement.

Organizations that get certified ahead of upcoming contractual requirements will be set to meet those requirements without delay. This is one of the many reasons we encourage organizations to get in the queue for certification as soon as possible. 

External service provider applicability 

The biggest difference between the proposed and final rule concerns external service provider (ESP) certification. In earlier versions of the proposed rule, ESPs, such as managed service providers (MSPs), were required to obtain CMMC certification. Under the final rule, ESPs are not required to obtain their own certification.

However, ESPs are still strongly encouraged to pursue CMMC certification. If an ESP decides not to pursue CMMC certification, its assets will be in scope for its clients' assessments by a C3PAO. This means that uncertified ESPs could negatively impact their clients' timelines by adding extra hurdles to the review of those assets. Therefore, ESPs are strongly encouraged to get CMMC certified in order to streamline the process, which many of them were already planning to do before the final rule was published.

Assessment staffing 

The final rule includes an important update on staffing. The CyberAB, the accreditation body behind CMMC certification, runs a program for training and certifying the individuals who conduct CMMC assessments. There are two levels: certified CMMC professional (CCP) and certified CMMC assessor (CCA).

The CMMC final rule states that three CCAs must be involved in each assessment: two CCAs on the assessment team and one CCA as part of the QA review.

This mandate for trained and certified professionals to conduct CMMC assessments will help set a standard of excellence. However, it may create challenges for smaller C3PAOs with limited staff, resulting in longer wait times for assessments.

Requirements for CMMC level 2 compliance 

The majority of organizations affected by CMMC will fall into level 2. The final rule defines the requirements for level 2: 

  • If you store, transmit, or process Controlled Unclassified Information (CUI), then you will need to obtain Level 2 certification via an assessment by a C3PAO
  • Organizations Seeking Certification (OSCs) will need to implement the 110 practices outlined in NIST 800-171 and meet all 320 practice objectives
  • While the DoD contract requirement rollout will likely begin in 2026, primes may begin placing CMMC requirements on their subcontractors before then

Get started with CMMC now 

The window to prepare for CMMC compliance is closing, and organizations that proactively align with these standards now will have a competitive advantage.

Don’t wait until it’s too late. Start preparing for CMMC today. Strengthen your cybersecurity posture, secure future business opportunities, and ensure your place in a resilient supply chain that safeguards America’s security. 

A-LIGN is a globally recognized cybersecurity and privacy compliance provider that offers a single-provider approach for organizations. With more than 1,000 federal assessments completed, A-LIGN is an accredited C3PAO and FedRAMP 3PAO with extensive experience across NIST frameworks.

Contact us today to secure your spot in line.