Question 1

What is CMMC?

Accepted Answer

CMMC (Cybersecurity Maturity Model Certification) is a cybersecurity framework developed by the Department of Defense (DoD) to protect sensitive defense information. It requires defense contractors and their supply chains to implement and certify cybersecurity practices based on the sensitivity of the information they handle.

Question 2

What are the CMMC 2.0 levels?

Accepted Answer

CMMC 2.0 has three levels: Level 1 (Foundational) - 17 practices for Federal Contract Information (FCI), self-assessment allowed. Level 2 (Advanced) - 110 practices based on NIST SP 800-171 for CUI, third-party assessment required for critical programs. Level 3 (Expert) - 110+ practices based on NIST SP 800-172 for highest-priority programs, government-led assessment.

Question 3

What is the difference between FCI and CUI?

Accepted Answer

Federal Contract Information (FCI) is information provided by or generated for the government under contract, not intended for public release. Controlled Unclassified Information (CUI) is information requiring safeguarding per law, regulation, or government policy. CUI has higher protection requirements and typically requires CMMC Level 2.

Question 4

When is CMMC certification required?

Accepted Answer

CMMC certification will be required in DoD contracts based on the DFARS 7012 clause. Phased implementation began in 2023, with wider rollout through 2025. Eventually, all contractors handling FCI or CUI will need appropriate CMMC certification to bid on and perform DoD contracts.

Question 5

What is a CMMC assessment?

Accepted Answer

CMMC assessments verify that organizations meet required security practices. Level 1 allows annual self-assessment. Level 2 requires assessment by a CMMC Third-Party Assessment Organization (C3PAO) for critical programs (self-assessment for non-critical). Level 3 requires government-led assessment by DIBCAC.

Question 6

How does CMMC relate to NIST 800-171?

Accepted Answer

CMMC Level 2 is directly based on NIST SP 800-171, which has 110 security requirements across 14 families. Organizations already compliant with NIST 800-171 are well-positioned for CMMC Level 2. The key difference is that CMMC requires third-party certification rather than self-attestation.

Question 7

What is a System Security Plan (SSP)?

Accepted Answer

An SSP documents how an organization implements each security requirement. It describes the system boundary, security controls, implementation details, and responsible parties. The SSP is required for CMMC compliance and serves as the primary evidence document during assessments.

Question 8

What is a Plan of Action and Milestones (POA&M)?

Accepted Answer

A POA&M documents security deficiencies and the plan to remediate them, including responsible parties, resources, and completion dates. CMMC 2.0 allows limited use of POA&Ms for non-critical requirements, but organizations must close POA&Ms within 180 days of assessment.

Question 9

What are the 14 CMMC/NIST 800-171 control families?

Accepted Answer

The 14 families are: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical Protection (PE), Personnel Security (PS), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC), and System and Information Integrity (SI).

Question 10

How long does it take to achieve CMMC certification?

Accepted Answer

Timeline varies based on current security maturity. Organizations with minimal existing controls typically need 12-18 months. Those with existing NIST 800-171 compliance may need 3-6 months for certification preparation. The assessment process itself takes 2-4 weeks once ready.

Question 11

What is a CUI enclave?

Accepted Answer

A CUI enclave is a defined boundary within which CUI is processed, stored, or transmitted. Scoping your enclave carefully limits the systems and controls requiring CMMC compliance. Smaller, well-defined enclaves reduce compliance cost and complexity while maintaining security.

Question 12

What are CMMC assessor requirements?

Accepted Answer

CMMC assessments must be conducted by authorized entities. C3PAOs (Certified Third-Party Assessment Organizations) are accredited by the Cyber AB to conduct Level 2 assessments. DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) conducts Level 3 assessments.

Question 13

How much does CMMC certification cost?

Accepted Answer

Costs vary significantly. Small organizations might spend $50,000-$150,000 total (implementation and assessment). Larger organizations may spend $500,000+. Costs include: gap assessment, control implementation, documentation, tools/technology, and assessment fees. Level 1 self-assessment has lower costs.

Question 14

Can subcontractors affect my CMMC compliance?

Accepted Answer

Yes, contractors must flow down CMMC requirements to subcontractors who handle FCI or CUI. You are responsible for ensuring subcontractors meet appropriate CMMC levels. This requires contractual requirements, verification processes, and ongoing monitoring of subcontractor compliance.

Question 15

What happens if I fail a CMMC assessment?

Accepted Answer

If you fail, you can remediate deficiencies and request reassessment. However, you cannot bid on or perform contracts requiring that CMMC level until certified. The assessment report details findings, and organizations typically have opportunities to address issues before final determination.

CMMC Checklist Generator

What type of defense contractor are you?

How It Works

Who Should Use the CMMC Checklist?

CMMC Checklist FAQ

More Resources

Policy Templates

Core Security

Access & Identity

Data Protection

Network & Infrastructure

Operations

Incident & Continuity

Development

Governance