.jpg?ext=.jpg)
What is 32 CFR, and Why Does It Matter for CMMC Compliance?
If your company is working toward CMMC compliance, you probably have been seeing “32 CFR” many times since December of 2024. In all of the details you need to track in order to get CMMC-certified, you may not have had time to sort through what the 32 CFR actually is, however.
32 CFR Defined
32 CFR stands for Title 32 of the Code of Federal Regulations. This segment of the CFR sets the regulations for the Department of Defense and associated agencies. Specifically, 32 CFR Part 170 defines how defense contractors shall process, transmit, and store Controlled Unclassified Information (CUI).
Of particular relevance to CMMC is Part 2002 of the 32 CFR, which speaks to CUI in particular, and Part 170, which defines the CMMC program. These two sections define CUI and mandate that NIST SP 800-171r2 is the standard for CMMC. The publication of 32 CFR in December 2024 did not mandate CMMC in all contracts, but it set the rules for the CMMC program, opening the way for voluntary assessments.
When Will CMMC Become Mandatory?
32 CFR is significant, but it is only 50% of what the total picture of CMMC will be. The other half of the puzzle is what is known in shorthand as the 48 CFR. While still in the Code of Federal Regulations, what defense contractors need to pay attention to is the supplement to the CFR called DFARS (Defense Federal Acquisition Regulation Supplement). DFARS 252.204.7021 will make CMMC certification mandatory for all Department of Defense contracts and subcontracts. When the 48 CFR (DFARS) rule is published the four-phase implementation will begin, meaning most contractors will have 12-24 months to become compliant with a CMMC Certification for all new and existing contracts.
What to Work On Now
While 48 CFR is still pending, work on making sure you are meeting the 110 NIST SP 800-171r2 controls by implementing the 320 assessment objectives in NIST SP 800-171a to properly prepare for your assessment. Whether you decide to work with us or another company, C3PAO calendars are filling up, so book as soon as you can, even if you are not yet ready for your assessment.
Additionally, be aware that your clients who are prime contractors need all suppliers to be compliant before they can be compliant, so regardless of the 48 CFR status, you may be asked about your CMMC status sooner than expected.
Questions
What questions do you have about the 32 CFR and the 48 CFR? Few manufacturers probably have the time or desire to dig deep into federal contracting rules and regulations, but for CMMC, attaining an understanding can be helpful. We can help you answer any questions you may have while also preparing to work with you as your C3PAO, if desired. Contact us today to learn more.