During the CMMC rulemaking process, the DoD has been crafting two separate but co-dependent Code of Federal Regulations (CFR) titles. Understanding the difference between these two titles may help you understand how the CMMC rollout will happen.
Title 32 establishes the CMMC program and the supporting ecosystem of consultants, trainers, and assessors. It enables the DoD to set and enforce cybersecurity standards for companies within the Defense Industrial Base (DIB), including both contractors and subcontractors. These standards include the three levels of CMMC cybersecurity controls, scoping guidelines, assessment requirements, and the phased rollout plan.
Title 48 defines the purchasing authority to include the CMMC program in DoD contracts. In the DoD, these purchase order requirements are called DFARS (Defense Federal Acquisition Requirements). Title 48 creates the DFARS 252.204-7021 clause that will enforce the CMMC program in DoD contracts. When 7021 is included in contracts, it will require all contractors and subs to have a CMMC certification at the level specified in the contract. For levels 2 and 3, the requirement is a third-party CMMC assessment.
Title 48 isn’t expected to be effective until early 2025. Title 32 is expected to be effective this December. Once Title 32 is effective, C3PAOs will be able to perform official third-party assessments and prime contractors will be able to mandate C3PAO assessments for their supply chains.
We have seen DoD primes already requiring their subcontractors to have an SPRS score no lower than 70 to bid on contracts. Don’t get left behind: the time to work on your CMMC program is now.
At AXIOTROP, we specialize in navigating the complexities of Title 32 and Title 48 to help clients meet CMMC compliance. We streamline the integration of these regulations, ensuring cybersecurity readiness and compliance with federal acquisition standards, enabling our clients to secure DoD contracts with confidence.
About AXIOTROP, LLC:
AXIOTROP’s mission is to make cybersecurity accessible, attainable, and sustainable for small and medium-sized businesses so they remain competitive and poised for growth. We simplify cybersecurity by working closely with businesses to right-size their program for their needs, resulting in client retention, business expansion, and reduced risk.