CMMC Frequently Asked Questions

Find answers to the most common questions about CMMC 2.0 certification, requirements, timelines, and what defense contractors need to know to stay compliant.

The Cybersecurity Maturity Model Certification

What is the purpose of CMMC?

CMMC is a framework created by the U.S. Department of Defense to verify that companies working with the DoD have strong cybersecurity practices. CMMC ensures that companies can adequately protect sensitive information related to national security, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Who needs to comply with CMMC?

Any prime or subcontractor whose DoD contract requires handling FCI or CUI on non-federal systems will be assigned a CMMC level and assessment type in the solicitation. You must meet that requirement to be eligible for award.

Is CMMC required for DoD contracts?

Yes. The DoD issued the final DFARS (48 CFR) rule on September 10, 2025, with an effective date of November 10, 2025. That date starts Phase 1 of the rollout, and CMMC requirements will begin appearing in new DoD solicitations and contracts.

Does CMMC apply to non-US companies?

Yes. CMMC applies to any company performing under a DoD contract, regardless of where the company is based. Foreign companies may work with U.S.-based or foreign-based C3PAOs that meet program requirements.

What are the penalties for CMMC non-compliance?

Non-compliance puts current and future DoD contracts at risk. You won’t be eligible for award if you don’t meet the CMMC requirement in the solicitation, and you could be ineligible for option exercises on existing contracts if CMMC is added.

How do I get CMMC certified?

CMMC certifications are issued for three levels of compliance, based on the type of data you handle.

  • Level 1 (FCI): Annual self-assessment by your organization submitted to SPRS, plus an annual affirmation.
  • Level 2 (CUI): Either a self-assessment or a C3PAO third-party assessment every 3 years, plus an annual affirmation. DoD only accepts Level 2 assessments performed by an authorized or accredited C3PAO using certified assessors.
  • Level 3 (high-value CUI): Government-led assessment (DIBCAC) every 3 years, plus an annual affirmation.

What is FCI?

Federal Contract Information is information not intended for public release that’s provided by or generated for the Government under a federal contract (excluding public website info or simple payment data). Handling only FCI maps to CMMC Level 1 safeguards.

What is CUI?

Controlled Unclassified Information is government information that isn’t classified but must be protected under law, regulation, or government-wide policy (for example, export-controlled technical data, certain engineering drawings, etc.). In DoD contracts, if your non-federal systems handle CUI, you’re generally looking at CMMC Level 2 requirements.

What is SPD?

Security Protection Data (SPD) is supporting data like logs, configurations, and similar security telemetry that is processed or handled by you or an External Service Provider (ESP) as part of protecting CUI/FCI systems. If an ESP (such as an internal corporate SOC or an MSP) handles your SPD for the in-scope environment, that service falls in scope for your assessment and needs a clear service description and customer responsibility matrix.

Is export controlled data considered CUI?

Yes. “Export Controlled” is a formal CUI category (EXPT) that covers information subject to ITAR/EAR and related controls. If your non-federal systems process, store, or transmit export-controlled data, you are handling CUI and should expect CMMC Level 2 requirements to apply.

Do I need both CMMC and FedRAMP?

Sometimes. CMMC applies to all DoD contractors. If CUI is in a cloud service, that cloud service offering must be FedRAMP Moderate (or DoD-approved equivalent) at the time of your assessment. That means even if you’re not a cloud provider, the CSP you use must be authorized appropriately.

Who needs to be CMMC compliant in different contracting and service provider scenarios?

  • Prime contractor with CUI: If you’re the prime, you must meet the CMMC level in your contract. You only flow down the level necessary for subs based on the information they’ll receive. If the prime is Level 3, subs handling CUI must be at least Level 2 unless the contract says otherwise.
  • Subcontractor with only FCI: If you only handle Federal Contract Information (FCI), you’re likely subject to Level 1 (self-assessment).
  • Managed Service Provider (MSP) storing your CUI (non-cloud): The MSP’s systems fall within your scope, and those services must meet all relevant security requirements. The MSP doesn’t need a separate certification, but it may elect to pursue one. Its security level must be at least equal to the one your contract requires.
  • MSP/MSSP that supports you but doesn’t handle CUI: They’re treated as External Service Providers (ESPs). Their services are assessed as Security Protection Assets during your assessment.
  • MSP using cloud tools: Using cloud tools to deliver its service does not make the MSP a Cloud Service Provider (CSP).
  • MSP remotely administering your environments (on-prem or cloud with CUI): The MSP doesn’t need its own CMMC certification so long as CUI never resides on its systems.
  • CUI in a cloud administered by your MSP: If you are the cloud tenant and the MSP simply administers, it’s not a CSP. If the MSP modifies and provides the cloud service, then it may be treated as a CSP and must meet FedRAMP or equivalent.
  • Virtual Desktop Infrastructure (VDI): If endpoints are locked down so they don’t process, store, or transmit CUI locally, they’re out of scope. If not, they’re in scope.

What is a CUI enclave?

A CUI enclave is a dedicated, secured environment where your organization processes, stores, and transmits Controlled Unclassified Information. Think of it as drawing a boundary around the specific systems, networks, and people that actually handle CUI so you don’t have to bring your entire IT environment into scope for CMMC.

CMMC Rulemaking and Enforcement Timelines

When will CMMC be required?

CMMC requirements will start appearing in DoD contracts November 10, 2025, when the final DFARS rule becomes effective.

What’s the difference between the 32 CFR and 48 CFR CMMC rules?

The CMMC program is governed by two separate rules:

  • 32 CFR Part 170 – CMMC Program Rule: This rule establishes the CMMC program itself — the structure, levels, definitions, and processes. It was finalized on October 15, 2024 and became effective on December 16, 2024.
  • 48 CFR (DFARS) – CMMC Acquisition Rule: This rule makes CMMC enforceable in contracts by adding clauses to the Defense Federal Acquisition Regulation Supplement (DFARS). The Final Rule was published on September 10, 2025 and is effective November 10, 2025. Starting then, DoD contracts can require CMMC certification for award.

What is the CMMC deadline?

There isn’t a single date when every contractor must be CMMC certified. Instead, the Department of Defense is using a phased rollout over three years starting November 10, 2025, the effective date of the DFARS acquisition rule.

  • Phase 1 (Year 1): CMMC Level 1 and some Level 2 self-assessments begin appearing in solicitations. Companies handling basic Federal Contract Information (FCI) will need to post self-assessment results in SPRS to be eligible for award.
  • Phase 2 (Year 2): More contracts require Level 2 third-party assessments by C3PAOs. At this point, contractors handling Controlled Unclassified Information (CUI) will start to see certification as a condition of award.
  • Phase 3 (Year 3): CMMC requirements expand to additional contract types and programs. DoD ramps up oversight and expects most CUI environments in the DIB to be covered by a third-party assessment.
  • Phase 4 (Full Implementation): By the end of the three-year window, all new DoD contracts will require the applicable CMMC level for award.

CMMC Compliance and Certification Costs

How much will it cost to implement CMMC?

The Department of Defense has published official cost projections for CMMC certification that vary by level and company size. These figures cover the assessment itself and some basic preparation:

  • Level 1 self-assessment: About $6,000 for small entities and $4,000 for larger entities.
  • Level 2 self-assessment: Over $37,000 for small entities and nearly $49,000 for larger entities.
  • Level 2 third-party certification: Roughly $105,000 for small entities and about $118,000 for larger entities.

On paper, those are the DoD’s estimates. But in practice, contractors should expect to spend more. These projections don’t include the associated costs of actually getting ready for a CMMC certification, which often dwarf the assessment fee. Key areas to budget for include:

  • Gap analysis to see where your current security program falls short.
  • Remediation work to implement missing controls. This is often the most expensive step, since it may require IT upgrades, new tools, and revised processes.
  • Consulting or advisory fees if you need outside help preparing for the assessment.
  • Ongoing maintenance costs for continuous monitoring, documentation updates, and annual affirmations.

The exact price tag depends on your size, complexity, and how much of NIST SP 800-171 you’ve already implemented under DFARS 252.204-7012.

What resources are available to help companies comply with CMMC requirements?

  • The DoD provides no-cost “Cybersecurity-as-a-Service” resources for DIB companies via the DIB Cybersecurity Program.
  • The Cyber AB publishes directories and guidance for CMMC RPs, RPOs, and C3PAOs.
  • CMMC.com provides free policy and procedure templates, compliance checklists, and other tools to help companies achieve compliance.

The Cyber AB and CMMC Ecosystem

What is the Cyber AB?

The Cyber AB is the DoD’s official accreditation partner for CMMC. It authorizes and accredits C3PAOs and oversees Registered Practitioners and Organizations. Use Cyber AB to find assessors and training resources, and CAICO for assessor and instructor certifications.

Where do I go for program questions?

General CMMC program questions can go to the DoD CIO’s CMMC PMO via the official contact form. For RPO/RP/C3PAO status questions, contact the Cyber AB. For CCP/CCA certification questions, contact CAICO.

CMMC Compliance Requirements

What are the CMMC levels?

CMMC has three levels, each tied to the sensitivity of the information you handle:

  • Level 1 – Foundational: Basic safeguarding of FCI. Requires 17 practices aligned with FAR 52.204-21. Assessed by annual self-assessment.
  • Level 2 – Advanced: Full protection of CUI. Requires implementation of all 110 practices from NIST SP 800-171. Depending on the contract, you may complete either a self-assessment or a C3PAO assessment every 3 years.
  • Level 3 – Expert: Additional safeguards for programs at highest risk. Builds on Level 2 and adds selected requirements from NIST SP 800-172. Assessed directly by the DoD (DIBCAC) every 3 years.

What are the CMMC domains?

The CMMC framework is organized into 14 domains, carried over from NIST SP 800-171:

  1. Access Control (AC)
  2. Awareness and Training (AT)
  3. Audit and Accountability (AU)
  4. Configuration Management (CM)
  5. Identification and Authentication (IA)
  6. Incident Response (IR)
  7. Maintenance (MA)
  8. Media Protection (MP)
  9. Personnel Security (PS)
  10. Physical Protection (PE)
  11. Risk Assessment (RA)
  12. Security Assessment (CA)
  13. System and Communications Protection (SC)
  14. System and Information Integrity (SI)

Each domain covers a specific area of cybersecurity practices that contractors must address at their assigned level.

What is the relationship between NIST 800-171 and CMMC?

CMMC builds directly on NIST SP 800-171, which has long been required under DFARS 252.204-7012.

At Level 2, CMMC requires you to fully implement all 110 controls in NIST SP 800-171. CMMC does not add new requirements at this level; it makes compliance enforceable through certification.

At Level 3, CMMC also draws on selected requirements from NIST SP 800-172, which is designed for advanced persistent threat (APT) protection.

Is CMMC Level 2 being assessed against NIST 800-171 Rev. 2 or Rev. 3?

Right now, CMMC Level 2 is assessed against NIST SP 800-171 Revision 2. The DoD has confirmed it will transition to Revision 3 through a future rulemaking process. That means contractors can adopt Rev. 3 now if they choose, but official CMMC assessments will still test against Rev. 2 until the DoD updates the rule.

What are the CMMC flowdown requirements for subcontractors?

Prime contractor responsibility: If you’re the prime, you must identify which subcontractors will handle FCI or CUI and flow down the appropriate CMMC level in their subcontracts. You’re also responsible for validating that your subs hold the required certification or self-assessment status.

Subcontractor responsibility: You only need to meet the level appropriate to the data you’ll handle. If you only work with FCI, you only need Level 1. If you receive CUI, you must meet at least Level 2, even if your prime is Level 3.

What is an SSP?

A System Security Plan (SSP) is a cornerstone compliance document for CMMC. It describes:

  • The systems and assets in scope
  • The boundaries of where FCI and CUI are handled
  • How each required security control is implemented
  • Roles and responsibilities for maintaining security

Assessors will rely heavily on your SSP to verify how your environment is designed and secured. Without a complete, accurate SSP, you cannot achieve certification.

Which requirements are allowed to be assessed in a POA&M?

A POA&M (Plan of Action and Milestones) is a short-term plan to fix certain gaps after your assessment, but it’s tightly restricted:

  • You must achieve at least 0.8 of the total score to even qualify for a POA&M.
  • Only a limited set of lower-value requirements can be deferred.
  • Critical items cannot be placed on a POA&M, including:
      • AC.L2-3.1.20 External Connections (CUI)
      • AC.L2-3.1.22 Control Public Information (CUI)
      • CA.L2-3.12.4 System Security Plan
      • PE.L2-3.10.3 Escort Visitors (CUI)
      • PE.L2-3.10.4 Physical Access Logs (CUI)
      • PE.L2-3.10.5 Manage Physical Access (CUI)
  • POA&M items must be closed within 180 days and confirmed in a closeout assessment.
  • Level 1 assessments never allow POA&Ms.

A POA&M can only cover certain less critical gaps; it is time-limited, and it is never a substitute for core documentation like your SSP.
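As an added illustration (not part of the original FAQ), the following Python checker applies the POA&M rules above to a constructed Level 2 result: the 0.8 score floor, the practices that can never be deferred, the 180-day closeout clock, and the Level 1 prohibition. The point weights and the practice IDs used in the sample are assumed values; the DoD scoring methodology itself is not described on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Facts from the FAQ: Level 2 covers 110 practices, a POA&M needs at least
# 0.8 of the total score, and open POA&M items must close within 180 days.
TOTAL_PRACTICES = 110
POAM_MIN_SCORE = round(0.8 * TOTAL_PRACTICES)  # 88 points
POAM_CLOSEOUT_DAYS = 180

# Practices the FAQ lists as never eligible for a POA&M.
POAM_EXCLUDED = {
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}


@dataclass(frozen=True)
class NotMet:
    """One practice assessed as Not Met. weight is the point value deducted
    for the gap; treating weight 1 as the FAQ's 'lower-value' requirement and
    anything higher as non-deferrable is an assumption of this example."""
    practice_id: str
    weight: int


def assessment_score(not_met):
    """Score = 110 minus the weight of every Not Met practice (others are Met)."""
    return TOTAL_PRACTICES - sum(item.weight for item in not_met)


def evaluate_poam(level, not_met, assessment_date):
    """Apply the FAQ's POA&M rules to a Level 1 or Level 2 result.

    not_met is an iterable of NotMet (every other practice is assumed Met);
    assessment_date is an ISO date string that starts the 180-day clock.
    Returns score, whether a POA&M is needed, eligibility, reasons, deadline.
    """
    not_met = list(not_met)
    score = assessment_score(not_met)
    reasons = []
    if level == 1 and not_met:
        reasons.append("Level 1 assessments never allow a POA&M")
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below {POAM_MIN_SCORE} (0.8 x {TOTAL_PRACTICES})")
    for item in not_met:
        if item.practice_id in POAM_EXCLUDED:
            reasons.append(f"{item.practice_id} can never be placed on a POA&M")
        elif item.weight > 1:
            reasons.append(f"{item.practice_id} is a {item.weight}-point gap, not a lower-value one")
    closeout = date.fromisoformat(assessment_date) + timedelta(days=POAM_CLOSEOUT_DAYS)
    return {
        "score": score,
        "needs_poam": bool(not_met),
        "eligible": not reasons,
        "reasons": reasons,
        "closeout_by": closeout.isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample: two 1-point gaps (assumed weights) found on 2025-11-10.
    sample = [NotMet("AT.L2-3.2.3", 1), NotMet("CM.L2-3.4.9", 1)]
    print(evaluate_poam(2, sample, "2025-11-10"))
```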

CMMC Assessments

Who will perform CMMC assessments?

It depends on your CMMC level:

Level 1: You complete an annual self-assessment and submit results to SPRS.

Level 2: Some contracts allow a self-assessment, but others require a third-party assessment performed by a Certified Third-Party Assessment Organization (C3PAO) using certified assessors.

Level 3: Assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) on behalf of the DoD.

What’s the difference between authorized and accredited C3PAOs?

Both authorized and accredited C3PAOs are approved to conduct official CMMC Level 2 assessments. The difference comes down to timing in the accreditation process:

  • Authorized C3PAO: A temporary status used while the Cyber AB completes its own ISO/IEC 17011 accreditation.
  • Accredited C3PAO: A fully accredited organization.

Both authorized and accredited C3PAOs can issue valid assessments and certifications.

How frequently will assessments be required?

Level 1: Every year (self-assessment + annual affirmation).

Level 2: Every three years (third-party or self, depending on contract) + annual affirmation.

Level 3: Every three years (government-led assessment) + annual affirmation. Even if your formal certification is valid for three years, you still have to affirm compliance annually to keep your status active.

How will self-assessments be handled?

For Level 1, you’ll complete a self-assessment annually, post your results and score in the Supplier Performance Risk System (SPRS), and provide an annual affirmation.

For Level 2, whether you can self-assess or need a third-party assessment depends on your contract. If self-assessment is allowed, you’ll follow the same process as Level 1: assess against NIST SP 800-171, post your score in SPRS, and affirm annually. If a C3PAO assessment is required, self-assessment isn’t an option.

Are assessment results public?

No, assessment results are not made public. The DoD will have access to them, but competitors, subcontractors, and the general public will not.

What is the 10-day reevaluation period?

The 10-day reevaluation period, outlined in 32 CFR §170.17(c)(2), is a narrow window of time that allows an assessor to revisit a finding under very specific conditions:

  • A requirement was initially assessed as “Not Met.”
  • The Organization Seeking Certification (OSC) can provide existing evidence that wasn’t available or reviewed during the assessment.
  • The CMMC Assessment Findings Report has not yet been submitted.

It’s important to understand that this period is not an opportunity to remediate gaps, create new documentation, or implement missing controls after the fact. It is not a grace period to fix your environment. It exists solely for presenting overlooked or previously unavailable evidence that shows the requirement was actually being met at the time of the assessment.

Tools to streamline CMMC compliance

What tools can IT professionals use to streamline CMMC compliance?

IT teams don’t have to manage CMMC compliance manually. The right tools can automate much of the heavy lifting, including:

  • Dashboards that show real-time compliance status across all CMMC domains.
  • Continuous monitoring to flag vulnerabilities or failing controls as they happen.
  • Automated gap analysis to identify where your environment falls short of NIST SP 800-171 requirements.
  • Document creation and policy templates that reduce the time spent writing System Security Plans (SSPs), incident response policies, and other required documents.
  • Evidence collection through integrations with your existing tools to automatically gather audit artifacts.
  • Support for CUI enclaves and federal cloud environments (like Microsoft GCC High and Azure Government) to help isolate sensitive data and ensure it’s stored and managed securely.

These tools save IT teams time, reduce errors, and provide a clear path to certification.

How does Secureframe assist with CMMC compliance?

Secureframe combines automation and expert guidance to make CMMC preparation and certification faster and less painful. With over 300 integrations, the platform automatically collects evidence, maps your controls to CMMC requirements, and continuously monitors for gaps. It also generates key documentation like your SSP and POA&M, provides dashboards to track progress, and connects you with experienced compliance advisors who understand federal requirements. Secureframe significantly reduces the manual work, confusion, and cost of getting CMMC certified.

Which levels of CMMC compliance can Secureframe support?

Secureframe offers out-of-the-box support for all three levels of CMMC. Whether you’re a small contractor that only needs Level 1 self-assessments, a mid-sized business pursuing Level 2 with C3PAO certification, or a large defense contractor preparing for Level 3, Secureframe’s automation and expert support can help you streamline the process.

Can Secureframe be used in CMMC environments?

Yes. Secureframe is CMMC Level 2 certified, which means the platform and processes meet the same rigorous standards required of defense contractors handling CUI. The platform also integrates with compliant federal cloud environments such as Microsoft GCC High, Azure Government, and AWS GovCloud, making Secureframe a trusted solution for organizations building and maintaining CUI enclaves.

Preparing for CMMC Certification

CMMC compliance checklist

Identify scope
☐ Map where Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) reside in your systems.

☐ Identify the people, processes, assets, and external service providers (ESPs) in scope.

☐ Use the DoD Level 2 scoping guide and 32 CFR §170.19 to define the assessment boundary.

Implement controls
☐ For Level 1: Apply the 17 basic safeguarding practices from FAR 52.204-21.

☐ For Level 2: Implement all 110 practices in NIST SP 800-171 Rev. 2.

☐ For Level 3: Layer in selected requirements from NIST SP 800-172.

☐ Collect objective evidence that each practice is in place using the CMMC assessment guide.

Prepare documentation
☐ Develop your System Security Plan (SSP)

☐ Create required supporting documentation: POA&M, risk assessments, incident response plan, disaster recovery plan, policies, procedures, inventories, and network diagrams.

☐ Keep documentation updated and aligned with your implemented controls.

Complete an assessment
☐ Level 1: Complete a self-assessment annually and post your score in SPRS.

☐ Level 2: Follow your contract—either complete a self-assessment or undergo a third-party assessment by a certified C3PAO every 3 years. Results are posted in CMMC eMASS.

☐ Level 3: Prepare for a government-led assessment (DIBCAC) every 3 years.

Affirm compliance annually
☐ After each assessment, submit an annual affirmation of continued compliance.

☐ Failure to affirm means your certification status lapses, even if you’re still within the 3-year assessment window.