Knowledge Base
Frequently Asked Questions
Plain-language answers to the most common CMMC questions — from what the standard requires to what a certification actually involves. Can't find what you're looking for? Contact us directly.
The Cybersecurity Maturity Model Certification 2.0 (CMMC) is a Department of Defense standard for implementing cybersecurity across the Defense Industrial Base (DIB). It focuses on two data types: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC replaced the previous self-attestation model with a tiered certification framework. A CMMC certification will be required to be awarded and/or maintain DoD contracts. The rule took effect on December 16, 2024 under 32 CFR Part 170.
Federal Contract Information is information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not intended for public release.
If your contract includes DFARS clause 252.204-7008 or 252.204-7012, you almost certainly handle FCI and must meet at least CMMC Level 1 requirements (17 basic safeguarding practices from FAR 52.204-21).
Controlled Unclassified Information is information the Government creates or possesses that requires safeguarding or dissemination controls per law, regulation, or Government-wide policy. It is not classified, but it is sensitive and must be protected.
Common CUI categories in the DIB include technical drawings, export-controlled data (ITAR/EAR), manufacturing processes, and system vulnerability data. If your work involves CUI, you are subject to CMMC Level 2 requirements — 110 security practices aligned to NIST SP 800-171.
Review your contracts for specific DFARS clauses and look for CUI markings on documents and data you receive from the Government or prime contractors. Key indicators include:
- Your contract contains DFARS 252.204-7012 (Safeguarding Covered Defense Information)
- Documents you receive are marked "CUI" or with category banners like "EXPORT CONTROLLED" or "CTI"
- You work on DoD systems, technical designs, or logistics data
- Your prime contractor flows down CUI handling requirements
Not sure? A scoping assessment with a C3PAO like Cybersec Investments can definitively identify your CUI environment and determine your required CMMC level.
The DFARS interim rule (effective November 30, 2020) introduced three new clauses that remain in effect today:
- DFARS 252.204-7019 — Requires contractors to complete a NIST SP 800-171 self-assessment and submit their score to the Supplier Performance Risk System (SPRS) prior to contract award.
- DFARS 252.204-7020 — Grants DoD the right to access contractor systems to verify compliance with cybersecurity requirements.
- DFARS 252.204-7021 — Requires CMMC certification at the required level as a condition of contract performance.
These clauses work together with DFARS 252.204-7012 to form the current DoD cybersecurity compliance framework.
It depends on your CMMC level:
- Level 1 (FCI only) — Annual self-assessment is permitted. A senior company official must affirm compliance in SPRS.
- Level 2 (CUI) — Most contractors handling CUI on critical programs require a third-party assessment by a C3PAO. A subset of Level 2 contractors on non-critical programs may be permitted to self-assess annually.
- Level 3 — Requires a Government-led assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
The days of unchecked self-attestation for CUI programs are over. DoD made clear that the old honor system was not working.
For Level 2 certification, the process with an Accredited C3PAO like Cybersec Investments typically follows these steps:
- Scoping — Define the assessment boundary: which systems, personnel, and locations handle CUI.
- Gap Assessment — Review current controls against the 110 NIST SP 800-171 practices and identify deficiencies.
- Remediation — Address identified gaps and document your System Security Plan (SSP).
- Assessment — C3PAO assessors conduct the formal evaluation using NIST SP 800-171A assessment procedures.
- Certification — Passing results are reported to the Cyber AB and DoD. Your certification is valid for three years.
A C3PAO is an organization authorized by the Cyber Accreditation Body (Cyber AB) to conduct official CMMC Level 2 assessments. Any C3PAO listed on the Cyber AB Marketplace can perform assessments that DoD accepts for contract compliance — and Accredited C3PAOs like Cybersec Investments meet an additional, higher bar (ISO/IEC 17020:2012).
C3PAOs employ CMMC Certified Assessors (CCAs) and Lead CMMC Certified Assessors (LCCAs) who are individually credentialed by the Cyber AB. Cybersec Investments is one of the few Accredited C3PAOs on Florida's Space Coast, with assessors holding CCA, LCCA, and CCP credentials.
It's important not to confuse a C3PAO with an RPO (Registered Practitioner Organization) — RPOs help contractors prepare for assessments but cannot conduct or certify them.
Assessment costs vary significantly based on scope, organizational complexity, number of assets in the assessment boundary, and number of assessor days required. Factors that influence cost include:
- Size and complexity of the CUI environment
- Number of locations and personnel in scope
- Use of cloud services (and whether FedRAMP authorization applies)
- Number of External Service Providers (ESPs) in scope
- Readiness of your System Security Plan and documentation
Cybersec Investments provides customized, transparent quotes based on your specific environment. Schedule a discovery call to discuss your scope and receive an estimate.
NIST Special Publication 800-171 is the National Institute of Standards and Technology publication that defines the 110 security requirements DoD contractors must implement to protect CUI in non-federal systems. It is the technical backbone of CMMC Level 2.
The requirements are organized into 14 families covering areas such as access control, incident response, configuration management, system and communications protection, and more. CMMC Level 2 maps directly to these 110 practices — passing a CMMC assessment means your organization can demonstrate it meets all of them.
The Supplier Performance Risk System (SPRS) score is a numerical score ranging from -203 to +110 that reflects your organization's self-assessed compliance with NIST SP 800-171. A perfect score of 110 means all practices are fully implemented. Each unimplemented requirement reduces the score based on its assigned weight.
Under DFARS 252.204-7019, contractors must submit their SPRS score before receiving DoD contracts. Contracting officers review SPRS scores as part of the award process. A low or negative score can be a risk factor that affects contract eligibility.
Important: self-assessed SPRS scores do not replace the need for a C3PAO assessment for Level 2 certification.
A System Security Plan is a formal document that describes how your organization implements the 110 NIST SP 800-171 security requirements. It defines the boundary of your assessment environment, identifies your assets, describes your security policies and controls, and documents the roles and responsibilities of personnel who manage CUI.
A complete, accurate SSP is one of the most critical artifacts in any CMMC assessment. Assessors use it as a primary reference point. Organizations without a well-developed SSP are rarely assessment-ready.
Yes — significantly. Any cloud service that processes, stores, or transmits CUI must meet FedRAMP Moderate equivalency standards. This is a frequently misunderstood and often under-prepared area for contractors.
Cloud Service Providers (CSPs) in scope are considered External Service Providers (ESPs). Your C3PAO must evaluate how each ESP handles CUI and whether appropriate security controls and contractual protections are in place. Using platforms like Microsoft 365 GCC High, which is FedRAMP Moderate authorized, is a common approach to meeting this requirement.
The CMMC rule (32 CFR Part 170) took effect on December 16, 2024. CMMC requirements are being phased into DoD contracts through a four-phase rollout:
- Phase 1 (Dec 2024 – Dec 2025) — CMMC Level 1 self-assessments required in select contracts.
- Phase 2 (Starting ~Dec 2025) — Level 2 C3PAO assessments required in contracts involving CUI.
- Phase 3 (Starting ~Dec 2026) — Level 2 requirements broadly applied; Level 3 assessments begin.
- Phase 4 (Starting ~Dec 2027) — Full implementation across all applicable DoD contracts.
Don't wait for your next solicitation. Assessment timelines can be 6–12 months depending on your readiness level.
Non-compliance has serious consequences that go beyond losing a contract bid:
- Contract ineligibility — Once CMMC clauses appear in a solicitation, non-certified contractors cannot bid or be awarded the contract.
- Contract termination — Existing contracts with CMMC requirements can be terminated for failure to maintain certification.
- False Claims Act liability — Submitting inaccurate SPRS scores or falsely affirming compliance can expose company leadership to civil and criminal liability under the False Claims Act.
- Supply chain disqualification — Prime contractors are increasingly requiring CMMC compliance from subcontractors as a teaming prerequisite.
A CMMC Level 2 certification issued by an Accredited C3PAO is valid for three years. Organizations must then undergo a new assessment to maintain their certified status.
During the three-year period, organizations are expected to maintain continuous compliance. Significant changes to your environment — such as adding new systems, personnel, or locations that handle CUI — may require updating your SSP and potentially notifying your C3PAO.
Quick Reference
Common Acronyms
Keeping track of all the acronyms isn't easy — here's a quick reference for the ones you'll encounter most.
Go Deeper
Additional Resources
Official sources for CMMC policy, accreditation, and compliance guidance.