
32 CFR Part 170: What DoD Contractors Need to Know About CMMC 2.0
What Is 32 CFR Part 170?
If you’re a DoD contractor—or aiming to become one—you’ve probably heard a lot of buzz around 32 CFR Part 170, also known as the CMMC Program Rule. This rule is the backbone of the Cybersecurity Maturity Model Certification (CMMC) framework, and it’s designed to raise the cybersecurity bar across the entire Defense Industrial Base (DIB).
At its core, Part 170 puts into law how contractors must protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It ties directly to well-established standards like NIST SP 800-171 Rev 2 and selected controls from NIST SP 800-172.
Here’s what you need to know about how it works:
- Three levels of certification:
  - Level 1 → Basic self-assessment for contractors handling only FCI (no POA&Ms allowed).
  - Level 2 → Applies to contractors managing CUI; requires either a self-assessment or a third-party C3PAO audit, depending on sensitivity. POA&Ms are limited and must be closed within 180 days.
  - Level 3 → For contractors on critical DoD programs; requires advanced DCMA DIBCAC-led assessments, with strict rules for POA&Ms.
- Phased rollout: The program will roll out over several years in four stages, allowing assessors and contractors time to ramp up.
- SPRS reporting: Contractors must now submit their status and annual affirmations into the Supplier Performance Risk System (SPRS), giving contracting officers a clear picture of readiness.
When Will You See CMMC in Contracts?
While the rule technically went into effect in December 2024, it won’t fully bite until it appears in contract language through the complementary 48 CFR Part 204 regulation.
Here’s the latest:
- July 22, 2025 → DoD submitted the acquisition rule to OIRA for review (a process that usually takes 90–120 days).
- Next step → Once approved, it will be published in the Federal Register and take effect immediately.
- Reality check → That means we’ll start seeing CMMC requirements in contracts by late 2025, with near-universal enforcement expected in early 2026.
Lockheed Martin Is Already Moving
One of the clearest signals that the time to prepare is now comes from Lockheed Martin. As one of the DoD’s largest prime contractors, they’ve already begun enforcing CMMC standards in their supply chain:
- Level 1 suppliers must be fully compliant—no POA&Ms allowed.
- Level 2 suppliers must prove they’ve implemented NIST SP 800-171 Rev 2 controls, not just planned them.
Lockheed has started contacting suppliers whose self-assessments show gaps, making it clear: if you can’t demonstrate compliance, you risk losing business. And if Lockheed is already holding suppliers accountable, you can bet other primes will soon follow.
How FirstCall Federal Can Help
Waiting for CMMC to “officially” show up in contracts is a dangerous gamble. By the time it does, primes like Lockheed may already have passed you over for being unprepared. That’s why we’re here to help you get ahead of the curve:
- Conducting CMMC assessments tailored to your business.
- Performing a gap analysis of your current cybersecurity posture.
- Running on-site mock audits so you’re prepared for the real thing.
Bottom Line
CMMC isn’t a checkbox exercise—it’s quickly becoming a competitive differentiator. Prime contractors are already demanding proof of compliance, and the DoD is lining up the regulations to back them.
Don’t wait until it’s too late. Get compliant, stay compliant, and protect your share of DoD contracts.