Frequently Asked Questions


Will prime contractors and subcontractors be required to maintain the same CMMC level?2024-01-06T00:41:13+00:00

If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.

What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?2024-01-06T00:41:06+00:00

Under CMMC 2.0, the “Advanced” level (Level 2) will be equivalent to the NIST SP 800-171. The “Expert” level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.

How will my organization know what CMMC level is required for a contract?2024-01-06T00:40:59+00:00

Once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.

How much will it cost to implement CMMC 2.0?2024-01-06T00:40:38+00:00

The Department will publish a comprehensive cost analysis associated with each level of CMMC 2.0 as part of rulemaking. Costs are projected to be significantly lower relative to CMMC 1.0 because the Department intends to (a) streamline requirements at all levels, eliminating CMMC-unique practices and maturity processes, (b) allow companies associated with the new Level 1 (Foundational) and some Level 2 (Advanced) acquisition programs to perform self-assessments rather than third-party assessments, and (c) increase oversight of the third-party assessment ecosystem.

Why did the Department make these changes?2024-01-06T00:40:50+00:00

The Department values feedback from industry, Congress, and other stakeholders and received over 850 public comments in response to the interim rule establishing CMMC 1.0. These comments focused on the need to enhance CMMC by (1) reducing costs, particularly for small businesses; (2) increasing trust in the CMMC assessment ecosystem; and (3) clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards. CMMC 2.0 was designed to meet these goals, which also contribute toward enhancing the cybersecurity of the defense industrial base.

When will CMMC 2.0 be required for DoD contracts?2024-01-06T00:37:07+00:00

The publication of materials relating to CMMC 2.0 reflect the Department’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.

Now that CMMC 2.0 is published, will companies be required to comply with CMMC 1.0?2024-01-06T00:37:01+00:00

The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The Department does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process.

Once CMMC 2.0 is codified through rulemaking, the Department will require companies to adhere to the revised CMMC framework according to requirements set forth in regulation.

What is the CMMC Program?2024-01-06T00:36:54+00:00

The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the DIB. It is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department increased assurance that contractors and subcontractors are meeting these requirements.

The framework has three key features:

  1. Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
  2. Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
  3. Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

CMMC Assessment FAQs

What is the difference between a CMMC self-assessment and a basic assessment required as part of the DoD Assessment Methodology?2024-01-06T00:39:04+00:00

A CMMC self-assessment will apply to those companies that are only required to protect the information systems on which FCI is processed, stored or transmitted; and a subset of companies that are required to protect CUI. The CMMC self-assessment should be completed using the CMMC Assessment Guide codified in 32 CFR for the appropriate CMMC level. A CMMC self-attestation is a representation that the offeror meets the requirements of the CMMC level required by the solicitation. The CMMC program will require an annual self-assessment and an annual affirmation by a senior company official.

A “Basic Assessment”, as defined in DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, means a contractor’s self-assessment of the contractor’s implementation of NIST SP 800-171 that —

Is based on the Contractor’s review of their system security plan(s) associated with covered contractor information system(s);

Is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology; and

Results in a confidence level of “Low” in the resulting score, because it is a self-generated score.

How much will CMMC certification cost?2024-01-06T00:38:55+00:00

The CMMC assessment costs will depend upon several factors including the CMMC level, complexity of the DIB company’s unclassified network for the certification boundary, and market forces. DoD will develop a new cost estimate associated with CMMC 2.0 to account for the changes made to the program which will be published on the Federal Register as part of the rulemaking process.

Will the results of my assessment be public? Will the DoD see my results?2024-01-06T00:38:35+00:00

Once CMMC 2.0 is fully implemented, the DoD will have access to information and data relating to a company’s assessment, to include the assessment results and final report. The DoD will store all self-assessment results on SPRS. CMMC certificates and the associated third-party assessment data will be stored in the CMMC Enterprise Mission Assurance Support Services (eMASS) database. CMMC eMASS will automatically post a copy of a company’s CMMC certificate to the Supplier Performance Risk System (SPRS). The detailed results of a CMMC assessment will not be made public.

If a company voluntarily chooses to obtain a CMMC assessment and certification from a third-party assessment organization in the absence of a contractual requirement, the company must provide written consent to allow DoD access to or use of those assessment results. If a company consents to DoD access and use of data relating to the assessment, then DoD intends to store that information on eMASS.

Will CMMC certifications and the associated third-party assessments apply to classified systems and / or classified environments within the Defense Industrial Base?2024-01-06T00:38:29+00:00

CMMC only applies to DIB contractor’s unclassified networks that process, store or transmit FCI or CUI.

Will my organization need to be certified if it does not handle CUI?2024-01-06T00:38:07+00:00

DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.

Who will perform third-party CMMC assessments?2024-01-06T00:37:57+00:00

Once CMMC 2.0 is fully implemented, DoD will only accept CMMC assessments provided by an authorized and accredited C3PAO or certified CMMC Assessor, and C3PAOs shall use only certified CMMC assessors for the conduct of CMMC assessments.

How frequently will assessments be required?2024-01-06T00:41:21+00:00

Once CMMC 2.0 is implemented, self-assessments, associated with Level 1 and a subset of Level 2 programs, will be required on an annual basis. Third-party and government-led assessments, associated with some Level 2 and all Level 3 programs, will be required on a triennial basis.

SMPL-C Company FAQs

How do I know if my answer to a particular question is accurate and can pass an audit?2024-01-06T00:39:53+00:00

SMPL-C uses AI and NLP based algorithms to analyze your answer and provide a probability of passing certification. This probability is rolled up to the section level as well, providing a intuitive understanding of where to focus and get better.

Ultimately it’s good to do ‘Gap Assessment’, but the real value for you is in the ‘Audit Readiness’ level, and something that SMPL-C makes easy to comprehend and tackle.

Overall, we can guarantee certification 40% faster than industry average.

How will SMPL-C make life easier for me?2024-01-06T00:39:31+00:00

SMPL-C allows users to build to their desired state of CMMC 2.0 certification.

Additionally, since the data is available in the cloud, next year’s self or audit based assessment is a simple matter of copying a completed and certified assessment, and updating what’s changed.

How do I know if the latest regulations are reflected in my Assessments?2024-01-06T00:39:25+00:00

SMPL-C will work with industry SMEs and the Office of the US DoD to ensure regulations are up-to-date and simplified for all users.

Industry Acronyms

Confused by all of the industry acronyms around the CMMC update? Don’t worry, we have you covered.

Go to Top