CMMC FAQs
Everything defense contractors need to know about the Cybersecurity Maturity Model Certification — answered by AI trained on official DoD and NIST documentation.
General CMMC Questions
According to the DoD CIO's CMMC Model Overview, CMMC (Cybersecurity Maturity Model Certification) is a comprehensive framework established by the Department of Defense to verify that defense contractors have adequate cybersecurity controls in place to protect sensitive government information. The framework affects over 300,000 organizations in the Defense Industrial Base (DIB).
Unlike previous self-attestation approaches under DFARS 252.204-7012, CMMC requires independent, third-party verification of a contractor's cybersecurity maturity before they can be awarded DoD contracts involving Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). As stated in the CMMC Final Rule (32 CFR Part 170), this verification requirement was introduced to address widespread overstatement of compliance.
CMMC 2.0 streamlined the original five levels into three levels:
- Level 1 (Foundational): 15 basic practices from FAR 52.204-21. Annual self-assessment. Protects FCI.
- Level 2 (Advanced): All 110 controls from NIST SP 800-171 Rev 2. Third-party or self-assessment. Protects CUI.
- Level 3 (Expert): NIST SP 800-171 plus select NIST SP 800-172 controls. Government-led assessment (DIBCAC). Protects critical CUI.
According to the CMMC Final Rule (32 CFR Part 170), published on October 15, 2024 and effective December 16, 2024, CMMC requirements are being phased into DoD contracts through DFARS clause 252.204-7021 over a four-phase rollout:
- Phase 1 (2025): Level 1 self-assessment and Level 2 self-assessment begin appearing in new contract solicitations
- Phase 2 (2026): Level 2 C3PAO assessments become mandatory for critical CUI contracts — this is the first hard deadline for third-party certification
- Phase 3 (2027): Level 3 government-led assessments (DIBCAC) begin for the most sensitive programs
- Phase 4 (2028): Full implementation across all applicable DoD contracts — the final CMMC compliance deadline
Key takeaway: If you handle CUI under a critical defense program, you need C3PAO certification by 2026. All other DIB contractors should plan for full compliance by 2028. Per the DoD CIO, organizations that fail to achieve the required CMMC level will be ineligible for contract award.
Any organization in the Defense Industrial Base (DIB) that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of DoD contracts will need CMMC certification. This includes:
- Prime defense contractors
- Subcontractors at all tiers
- Suppliers and vendors to defense programs
- IT service providers and managed service providers (MSPs) supporting DIB organizations
The specific CMMC level required will be determined by the type of information handled and specified in the contract solicitation.
CMMC Certification Process
CMMC certification costs vary significantly based on your organization's size, complexity, and current cybersecurity posture. General estimates:
- Level 1: $5,000–$15,000 (primarily documentation and self-assessment)
- Level 2 (Self-Assessment): $25,000–$100,000 (gap assessment + remediation)
- Level 2 (C3PAO Assessment): $50,000–$500,000+ (includes gap assessment, remediation, technology investment, and the C3PAO assessment fee)
- Level 3: Costs can exceed $500,000 depending on scope
The biggest cost driver is typically remediation — closing gaps in your existing cybersecurity controls to meet NIST SP 800-171 requirements.
Timeline depends heavily on your starting point:
- Already NIST 800-171 compliant: 3–6 months for assessment preparation and scheduling
- Partial implementation: 6–12 months including gap remediation
- Starting from scratch: 12–18+ months for full implementation and certification
The C3PAO assessment itself typically takes 1–2 weeks, but scheduling lead time can lengthen the overall timeline as demand for assessors increases.
A C3PAO (CMMC Third-Party Assessment Organization) is an accredited organization authorized by the Cyber AB (formerly the CMMC Accreditation Body) to conduct official CMMC Level 2 and Level 3 certification assessments.
C3PAOs employ certified assessors who evaluate your organization's cybersecurity practices against the required CMMC controls. A successful assessment results in a CMMC certification valid for three years.
You can find authorized C3PAOs on the Cyber AB Marketplace.
It depends on the level and contract requirements:
- Level 1: Yes — annual self-assessment is the only path
- Level 2 (Self-Assessment): Allowed for contracts involving non-critical CUI. Results are submitted to SPRS.
- Level 2 (C3PAO Assessment): Required for contracts involving critical CUI programs. Must be conducted by an authorized C3PAO.
- Level 3: No — requires government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
Technical & Compliance Questions
FCI (Federal Contract Information) is information provided by or generated for the government under contract that is not intended for public release. It requires CMMC Level 1 protection.
CUI (Controlled Unclassified Information) is information the government creates or possesses that requires safeguarding per law, regulation, or government-wide policy. CUI requires CMMC Level 2 or Level 3 protection and is governed by NIST SP 800-171 controls.
In practice, most defense contractors handling technical data, engineering drawings, or sensitive program information are dealing with CUI and will need Level 2 certification.
NIST SP 800-171 is a publication by the National Institute of Standards and Technology that provides 110 security requirements for protecting CUI in non-federal systems. CMMC Level 2 directly maps to all 110 controls in NIST SP 800-171 Rev 2.
While DFARS 252.204-7012 has required compliance with NIST SP 800-171 since 2017, CMMC adds the critical element of independent verification — organizations can no longer simply self-attest to compliance.
A POA&M (Plan of Action and Milestones) documents known security weaknesses and your plan to remediate them. Under CMMC 2.0, limited use of POA&Ms is permitted:
- POA&Ms are allowed for some controls during the assessment process
- POA&M items must be closed within 180 days of the conditional certification
- Certain critical controls cannot have POA&Ms — they must be fully implemented at the time of assessment
- A minimum SPRS score threshold must be met even with open POA&Ms
While not strictly required, creating a CUI enclave (a segmented portion of your network dedicated to CUI processing) is a widely recommended approach because:
- It reduces the assessment scope — fewer systems to certify
- It lowers remediation costs — fewer controls to implement across fewer assets
- It provides clearer boundaries — easier to define and defend your security perimeter
Many organizations use cloud-based enclaves (Microsoft GCC High, AWS GovCloud) or purpose-built on-premises networks to isolate CUI processing.
CMMC Compliance Support & Resources
If you need CMMC compliance support, you have several options depending on where you are in your journey:
- Instant answers: ChatCMMC provides free, AI-powered responses to any CMMC question — available 24/7, trained on official DoD CIO and NIST documentation
- Expert consultation: Jun Cyber's CMMC Select™ provides end-to-end compliance services — from gap assessment through successful C3PAO certification
- Schedule a call: Book a free CMMC consultation with a Jun Cyber compliance specialist
- Official resources: The Cyber AB maintains a marketplace of authorized C3PAOs and certified assessors
According to industry data, organizations that engage expert compliance support early in the process typically achieve certification 40–60% faster and avoid costly remediation rework.
The most authoritative CMMC information comes from these official sources:
- DoD CIO Website: Official CMMC Model Overview, Final Rule text (32 CFR Part 170), and policy guidance from the Department of Defense Chief Information Officer
- NIST Publications: NIST SP 800-171 Rev 2 (110 security requirements), NIST SP 800-171A (assessment procedures), and NIST SP 800-172 (enhanced security requirements for Level 3)
- Cyber AB (cyberab.org): Accreditation body information, C3PAO marketplace, certified assessor registry, and official CMMC training resources
- ChatCMMC (chatcmmc.com): Free AI-powered search across all official CMMC documentation — ask any question and get sourced answers instantly from our AI assistant
- Federal Register: The complete CMMC Final Rule and DFARS rulemaking documents
Caution: Be wary of unofficial sources that may contain outdated information from CMMC 1.0 (the original five-level model was replaced by the current three-level CMMC 2.0 framework).