The 32 CFR Updates: Now Is the Time to Stop Pretending CMMC is Optional

In our latest Climbing Mount CMMC episode, Bobby Guerra and Kaleigh Floyd discuss the parameters of the 32 CFR final rule and how to prepare for the 48 CFR rule that will follow it.

If you’re a contractor working with the Department of Defense (DoD) or handling Controlled Unclassified Information (CUI), CMMC isn’t just another acronym; it’s a critical business requirement.

Many organizations still treat CMMC as a future concern, but the truth is that the underlying compliance requirements have been in place for years. Defense Federal Acquisition Regulation Supplement (DFARS) clauses requiring adherence to NIST SP 800-171 are already embedded in many contracts, and CMMC assesses whether those existing requirements have actually been implemented.

As stated in 32 CFR Part 170:

“Defense contracts involving the development or transfer of CUI to a nongovernment organization require applicable requirements of DFARS clause 252.204–7012. This clause requires defense contractors to provide adequate security on all covered contractor information systems by implementing the 110 security requirements specified in NIST SP 800–171” (89 FR 83094).

If you’re working with the DoD or with CUI, you’ve likely already signed off on these clauses, whether you realized it or not.

Key CMMC Compliance Takeaways from 32 CFR for Defense Contractors

Start Now, Not Later

Achieving CMMC compliance takes time. Developing a System Security Plan (SSP) is foundational, but it is neither quick nor easy: it has to describe how each of the 110 NIST SP 800-171 requirements is met in your environment. Be sure to give yourself enough time to tackle that beast.

In 32 CFR, the DoD stresses the obligatory nature of a company’s SSP:

“To comply with DFARS clause 252.204–7012, contractors are required to develop a SSP detailing the policies and procedures their organization has in place to comply with NIST SP 800–171” (89 FR 83094).

Know Your Scope

CMMC compliance isn’t one-size-fits-all. Organizations must properly define the scope of their environment, identifying which systems, people, and processes are in scope because they store, process, or transmit CUI or provide security for the assets that do. A well-defined boundary keeps the assessment focused and prevents unrelated systems from being pulled into it.

Subcontractors Are Responsible Too

Prime contractors are responsible for ensuring that their subcontractors meet CMMC requirements too. As outlined in DFARS clause 252.204–7021 and reinforced in 32 CFR Part 170 (89 FR 83094), contractors must flow down CMMC requirements to all subcontractors that will handle CUI in performance of the contract.

Ignoring subcontractor compliance obligations can jeopardize a project and your eligibility for future contracts.

New Rules Are Coming Soon

The final rule under 48 CFR is expected soon. Where 32 CFR established the CMMC program itself, the 48 CFR rule is what places CMMC requirements into DFARS solicitations and contracts, introducing new enforcement mechanisms and potentially stricter requirements for contractors across the Defense Industrial Base (DIB).

Organizations that delay preparation risk being disqualified from upcoming opportunities.

Not Sure Where to Start?

The first step is simple: ask hard questions about your current cybersecurity posture. In today’s evolving cybersecurity landscape, delay isn’t just risky; it could disqualify you from defense work entirely.

For more information about Axiom, our services, CMMC templates, and more, check out our website!