CMMC TRAINING

NIST 800-171 Cybersecurity

CMMC-AB & DoW / DoD Approved

CYBERSECURITY SERVICES

APPROVED TRAINING PROVIDER (ATP)

CMMC accredited learning institution

"CMMC Certified Professionals" (CCP)

"CMMC Certified Assessors" (CCA) training

APPROVED PARTNER PUBLISHER (APP)

CMMC accredited learning material

CMMC-AB Approved Training Material (CATM) for use by ATPs

Red Mountain

CONTACT US

1530 Wilson Blvd, Suite 650, Arlington, VA 22209

FREQUENTLY ASKED QUESTIONS

CMMC FAQ

CyberDI

WHAT IS CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. CMMC is a program of the Department of War (DoW) / Department of Defense (DoD) that establishes requirements for defense contractors and subcontractors to implement prescribed cybersecurity standards for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This includes the use of CMMC Third-Party Assessor Organizations (C3PAOs) to validate that specific security requirements are met.

WHAT IS THE PURPOSE OF CMMC?

The CMMC Program gives DoW / DoD a viable means of conducting the volume of assessments needed to verify that contractors and subcontractors have implemented the required cybersecurity requirements, and it provides a consistent methodology for assessing a defense contractor's implementation of those requirements.

WHAT IS Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified. CUI is NOT classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.

WHAT ARE THE THREE LEVELS OF CMMC?

The CMMC model has three levels:

  • Level 1 (Foundational): Contractors must submit annual self-assessments to the DoW / DoD and comply with 17 NIST 800-171 controls.

  • Level 2 (Advanced): Contractors must undergo third-party assessments every three years and comply with 110 NIST 800-171 practices.

  • Level 3 (Expert): Contractors must comply with more than 110 practices aligned with the requirements of NIST 800-172 and complete triennial third-party assessments led by the government.

WHO NEEDS TO COMPLY WITH CMMC?

All DoW / DoD contract and subcontract awardees that, in performance of the DoW / DoD contract, will process, store, or transmit information meeting the standards for FCI or CUI on contractor information systems; and private-sector businesses or other entities comprising the CMMC Assessment and Certification Ecosystem.

WHAT IS THE TIMELINE OF CMMC COMPLIANCE?

While companies have had to meet the security requirements of NIST SP 800-171 for over a decade, third-party validation of compliance is about to begin.

32 CFR Part 170, which establishes and operationalizes the CMMC program and spells out the role of third-party assessors, is already approved and published in the Federal Register.

48 CFR, known as the contract rule, spells out how CMMC requirements are incorporated into the acquisition process. 48 CFR authorizes CMMC in the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS), which means it can go live in contracts. The Office of Management and Budget (OMB) has officially received the rule. Official publication is expected in October 2025.

There is no waiting period for the rule to go live.

WILL I NEED A CMMC ASSESSMENT BY OCTOBER 2025 WHEN 48 CFR GETS PUBLISHED?

No. The Department of Defense is still doing a phased rollout. Once the 48 CFR Part 204 CMMC acquisition rule is finalized, DoW / DoD intends to include the requirement for a CMMC Status of Level 1 (Self) or Level 2 (Self) in all applicable DoW / DoD solicitations and contracts as a condition of contract award.

One year later, Phase 2 will begin and DoW / DoD will start mandating a Level 2 C3PAO assessment. More assessments are introduced during the third and fourth phases. Some prime contractors are moving faster than the Department of Defense and are requiring suppliers to meet Level 2 self or third-party assessments on timelines of about one year.

HOW DO YOU KNOW WHAT LEVEL OF CMMC COMPLIANCE IS NEEDED FOR MY COMPANY?

48 CFR Part 204 will spell out the contracting requirements. CMMC levels are defined at the contract level: the RFP (Request for Proposal) will declare what CMMC level is required at contract award.

When 48 CFR Part 204 is finalized, assessment requirements will affect three specific clauses:

  • DFARS 252.204-7012 "Safeguarding Covered Defense Information and Cyber Incident Reporting"

  • DFARS 252.204-7019 "Notice of NIST SP 800-171 DoW / DoD Assessment Requirements"

  • DFARS 252.204-7020 "NIST SP 800-171 DoW / DoD Assessment Requirements"

7012 requires the protection of Controlled Technical Information and mandatory reporting of cyber incidents. 7019 requires self-assessment and SPRS score submission. 7020 gives DoW / DoD the authority to review and validate contractor SSPs and compliance efforts.

The update to 48 CFR Part 204 will include changes to DFARS 252.204-7021 and formally require CMMC certification and flow-down to subcontractors.

Again, the requirements of prime contractors may be stricter and follow more accelerated timelines than those of the Department of Defense.

WHAT IS THE DIFFERENCE BETWEEN NIST 800-171 & NIST 800-172 & CMMC?

NIST 800-172 is a supplementary document to NIST SP 800-171. It is designed to help safeguard sensitive information on non-federal systems and applies to federal contractors that handle, process, or store CUI on their networks. CMMC Level 2 uses all 110 security requirements of NIST SP 800-171, as measured by the 320 assessment objectives of NIST SP 800-171A. CMMC Level 3, which is conducted by DIBCAC, uses a subset of requirements selected from NIST SP 800-171.

CMMC is an auditable implementation of NIST SP 800-171. Unlike NIST SP 800-171, CMMC outlines assessment requirements through third-party certifications as spelled out in. The CMMC Program is designed to ensure defense contractors are properly safeguarding data that is processed, stored, or transmitted on defense contractor information systems.

The use of NIST SP 800-171 as a minimum benchmark for protecting the confidentiality of Government data is a compliance requirement of federal regulations under the authority of the Federal Information Security Modernization Act.

CMMC is a Department of Defense program for third-party assessments authorized under Title 32 of the Code of Federal Regulations, Part 170.

In other words, CMMC is a measurement that validates how well your organization meets the security requirements of NIST SP 800-171.

©2025 by Cyber DI LLC