← Custodia

The 48 CFR CMMC Acquisition Rule: What Changes in Your DoD Contracts (2026)

The 48 CFR DFARS amendment took effect November 10, 2025. This is the rule that puts CMMC clauses into actual DoD contracts. Here's what changes for a Level 1 contractor, clause by clause.

By Custodia Compliance Team· Information security engineers, CustodiaMay 24, 20268 min read

32 CFR Part 170 created the CMMC Program. 48 CFR is the rule that put it inside your contract. The two work as a pair: the program rule defines what CMMC is; the acquisition rule changes the DFARS (Defense Federal Acquisition Regulation Supplement) so contracting officers can write CMMC requirements into solicitations. The 48 CFR amendment took effect November 10, 2025, and Phase 1 of the rollout began the same day.

For a small Level 1 subcontractor, this is the rule that turns "we should do CMMC" into "we can't accept this purchase order unless we've done it." This post walks through what the rule adds to DFARS, what the new clauses say, and exactly what a Level 1 contractor does the moment one of those clauses lands in a solicitation.

What 48 CFR actually is

48 CFR is the section of the Code of Federal Regulations that contains the Federal Acquisition Regulation (FAR) and its supplements, including the DFARS for DoD. When DoD wants a new contract clause to be enforceable on contractors, it has to amend 48 CFR through formal rulemaking. The 48 CFR CMMC rule did exactly that: it finalized the CMMC clause (252.204-7021), added a new solicitation provision (252.204-7025), and rewrote DFARS subpart 204.75 to point at the CMMC Program at 32 CFR Part 170.

The final rule was published in the Federal Register on September 10, 2025 (90 FR 43560) and took effect November 10, 2025. It's the second of two rules that together stand up CMMC. The first, see our companion post on 32 CFR Part 170 , defines the program. This one connects the program to your purchase order.

Why this rule mattered for contractors

Between December 16, 2024 (when 32 CFR 170 took effect) and November 10, 2025, CMMC existed as a program but was effectively unenforceable on individual contracts. Contracting officers couldn't require it, there was no DFARS clause yet to insert. That gap is why a lot of contractors heard "CMMC is law now" in late 2024 and then noticed nothing changed in their day-to-day. The 48 CFR rule closed the gap.

The DFARS clauses to know

Read the next DoD solicitation that hits your inbox with this list next to you. If you see any of these clause numbers in Section I, you're in CMMC territory.

  • DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The 2017 CUI clause. Still in effect; not changed by the CMMC acquisition rule.
  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements. Requires a current self-assessment score in SPRS. Not changed by the CMMC acquisition rule; still applies.
  • DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements. Grants DoD assessment access. Also unchanged by this rule.
  • DFARS 252.204-7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements. The CMMC clause itself, introduced in 2020 and revised to its final form by this rule. This is the one that requires a current CMMC status at the applicable level at award and throughout performance.
  • DFARS 252.204-7025, Notice of Cybersecurity Maturity Model Certification Level Requirements. The new solicitation provision this rule added: it states the CMMC level required and makes an offeror ineligible for award without a current CMMC status and affirmation in SPRS.

What's in Phase 1 (now)

32 CFR 170.3(e) sets the phase-in. As of Phase 1 (November 10, 2025, November 9, 2026):

  • DoD intends to include Level 1 (Self) or Level 2 (Self) requirements in all applicable solicitations as a condition of contract award.
  • Contracting officers may already, at DoD's discretion, require Level 2 C3PAO certification in place of the Level 2 self-assessment.
  • Level 2 C3PAO certification is not yet the default across the board (that comes in Phase 2).
  • Level 3 (DIBCAC) is not yet required (discretionary from Phase 2, expected in Phase 3).

Translation for a Level 1 sub: your obligation is already live.If a Level 1 clause lands in a Phase 1 solicitation, you have to be self-assessed and affirmed in SPRS to be eligible for award. You don't get a Phase 2/3 grace period, that grace period only applies to the higher-level certifications, not to Level 1 self-assessment.

What changes for a Level 1 contractor

At Level 1, the 48 CFR rule does not create a single new technical requirement. The 15 safeguarding controls from FAR 52.204-21(b)(1) are unchanged. What changes is the enforcement mechanism:

  1. Eligibility at award.Before the rule, "I'm working on it" was a tolerable answer to a prime. After the rule, the contracting officer can require a current affirmation in SPRS before issuing the award.
  2. Continuous compliance.§170.22 requires annual affirmation. -7021 makes that an active contractual obligation. Let it lapse mid-contract and you're in default.
  3. Flow-down to subcontractors.Primes must flow -7021 down to subs handling the same FCI. If you're a sub of a sub, expect to see this clause come at you in writing.
  4. False Claims Act exposure. Filing an affirmation to win a contract under -7021 makes that affirmation a material condition of the award. Knowingly false affirmations are FCA actions, not just program-rule violations. See our False Claims Act primer.

What to do if a solicitation cites -7021

The single playbook for a Level 1 contractor:

  1. Scan the solicitation for DFARS 252.204-7012, -7019, -7020, -7021, and the -7025 provision. Note which appear.
  2. Identify the required level. Look for "CMMC Level 1" or "Level 2" language in the clause; on Phase 1 solicitations, Level 1 is most common for FCI-only work.
  3. Check your SPRS status. Sign in to PIEE → SPRS → Cyber Reports. You should see a Level 1 affirmation with an affirmation date within the past 12 months. If not, you have work to do before you can bid.
  4. If you're affirmed: include the SPRS affirmation date and your CAGE in your proposal. Some primes want a screenshot; the Custodia bid-ready package includes one.
  5. If you're not affirmed: the 15 safeguarding requirements are 3 to 5 focused days of work for a small modern-cloud team. Our checklist and SPRS posting walkthrough are the fastest free path.

FAQ

When did the 48 CFR CMMC rule take effect?

November 10, 2025. The final rule published at 90 FR 43560 on September 10, 2025, and from the effective date forward, DoD contracting officers include the CMMC clause (DFARS 252.204-7021) and the new solicitation provision (252.204-7025) in applicable solicitations and contracts according to the phase-in schedule defined in 32 CFR 170.3(e). The existing -7012, -7019, and -7020 clauses were not changed by this rule and continue to apply alongside it.

What is DFARS 252.204-7021?

DFARS 252.204-7021 is the CMMC contract clause. It first appeared in the September 29, 2020 interim rule (85 FR 61505) and was revised to its final form by the 2025 rule. It requires the contractor to have and maintain a current CMMC status at the applicable level (Level 1, 2, or 3) for the duration of the contract. For Level 1, that means a current self-assessment and an active senior-official affirmation posted in SPRS, no certificate involved.

Do all DoD contracts now require CMMC?

No, not yet. The 48 CFR rule lets contracting officers include CMMC clauses, but the phase-in at 32 CFR 170.3(e) controls when they must. In Phase 1 (Nov 10, 2025, Nov 9, 2026) only a subset of applicable solicitations carry CMMC. By Phase 4 (Nov 10, 2028 onward) every applicable contract will. COTS-only contracts remain exempt.

What's the difference between DFARS -7012, -7019, -7020, and -7021?

DFARS 252.204-7012 (in effect since 2017) requires NIST SP 800-171 safeguarding for CUI and 72-hour incident reporting. -7019 requires a current NIST SP 800-171 self-assessment score in SPRS. -7020 gives DoD assessment access. -7021 is the CMMC clause, finalized in 2025, that ties the level requirement to contract eligibility. They stack: a typical CUI contract carries -7012 + -7019 + -7020 + -7021.

Does the 48 CFR rule create new technical requirements for Level 1?

No. The technical requirements at Level 1 are still the 15 safeguarding requirements from FAR 52.204-21(b)(1). The 48 CFR rule just makes them contractually enforceable through a CMMC clause and ties contract award and continued performance to having the affirmation posted in SPRS.

Keep reading
  1. Regulations
    DFARS 252.204-7012 vs CMMC: Which One Applies to Me? (2026 Guide)

    DFARS 7012 says 'protect CUI to NIST 800-171.' CMMC says 'prove it.' One is the rule. The other is the audit. Here's how they fit together.

    Read →
  2. CMMC Level 1
    32 CFR Part 170 Explained: The CMMC Program Rule in Plain English (2026)

    32 CFR Part 170 is the rule that made CMMC real. Here's exactly what it requires of a Level 1 contractor, without the legalese.

    Read →
  3. CMMC Level 1
    What Is FCI? The 90-Second Definition That Decides Your CMMC Level (2026)

    FCI is the routine non-public information you handle under a federal contract. It's what triggers CMMC Level 1, and it's almost certainly already in your inbox.

    Read →
Free · Every Monday

Get the federal bids a small business can win, in your inbox.

The Monday Bid Digest: brand-new SAM.gov solicitations matched to your NAICS, pre-filtered to Level 1 fit, with the CMMC gate called out on every one. Two minutes, no spam.

Get the Monday Bid Digest
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)