CMMC FAQs 2025:
Readiness, Mock Assessments, NIST SP 800-171, and C3PAO assessments
Talk to us about CMMC readiness or schedule a C3PAO assessment.
-
CMMC 2.0 (Cybersecurity Maturity Model Certification) is a program from the U.S. Department of Defense (DoD) that verifies defense contractors are protecting:
Federal Contract Information (FCI), which is information not intended for public release and provided or generated under a government contract
Controlled Unclassified Information (CUI), which is sensitive information that requires safeguarding under federal law and policy
CMMC 2.0 uses a three-level maturity model to align cybersecurity practices with the type of data handled.
-
Any prime contractor or subcontractor in the Defense Industrial Base (DIB) that stores, processes, or transmits FCI or CUI must comply. CMMC requirements flow down through DoD contract solicitations and subcontracts.
-
There are three certification levels:
Level 1: Foundational
For contractors handling FCI only
Based on 17 basic safeguarding practices
Requires annual self-assessment
Level 2: Advanced
For contractors handling CUI
Aligned with NIST SP 800-171 (110 practices)
Requires third-party or self-assessment depending on contract
Level 3: Expert
For the highest risk programs with sensitive CUI
Builds on NIST SP 800-171 with select NIST SP 800-172 controls
Assessed by DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
-
CMMC requirements are now in effect. The Office of Information and Regulatory Affairs (OIRA) published the Title 48 rule on September 10, 2025, with an effective date of November 10, 2025. This means CMMC requirements are already included in applicable DFARS clauses, and contractors must comply to be eligible for award.
-
The required level depends on the type of information you handle and the DoD contract solicitation or flowdown requirements from a prime contractor. If you do not yet have a contract, use the DoD’s scoping and levels determination guides to assess which level applies.
-
Level 1 requires self-assessment only
Level 2 requires either self-assessment or third-party certification by a Certified Third Party Assessment Organization (C3PAO), depending on the contract
Level 3 requires an assessment by DIBCAC
-
A Certified Third Party Assessment Organization (C3PAO) is an independent assessor authorized by The Cyber AB to perform official CMMC Level 2 assessments. Use the official Cyber AB Marketplace to find accredited C3PAOs.
-
No. Conflict of interest rules require separation between consulting support and certification assessments. Your assessment organization must be independent.
-
Consider the following when selecting a C3PAO:
Active Cyber AB accreditation
Relevant industry experience
Transparent pricing and assessment plan
Clear communication on scope, timelines, and expectations
Download our C3PAO Hiring Guide for additional recommendations.
-
A C3PAO team follows the CMMC Assessment Process (CAP) and the Level 2 Assessment Guide. Assessors will:
Examine documentation and evidence
Interview personnel
Test technical controls
-
Organizations should prepare:
A complete System Security Plan (SSP)
A current Plan of Action and Milestones (POA&M)
Policies and procedures mapped to NIST SP 800-171
System evidence such as screenshots, logs, and configurations
Evidence of CUI boundary scoping, including documentation of any external service providers that touch the boundary
Use our SSP Templates to accelerate your CMMC package development.
-
Use of POA&Ms is limited. Only 1-point controls may remain open. All 3-point and 5-point controls must be fully implemented. Certain FIPS requirements may be downgraded with compensating controls. Try our CMMC Mock Assessment Tool to evaluate your readiness and avoid surprises.
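To make the POA&M limits concrete, here is an added readiness-check script (example code written for this FAQ, not a tool from the page or from any vendor). It assumes the DoD NIST SP 800-171 Assessment Methodology scoring model: a starting score of 110, with 1, 3 or 5 points deducted for each unimplemented requirement, and 3.13.11 (CUI encryption) scored at 3 rather than 5 when encryption is in use but not FIPS-validated. It also assumes the CMMC Level 2 rule that a conditional certification needs a score of at least 88 with every open item POA&M-eligible; the 88 threshold and the 3.13.11 exception are stated from memory of the rule, not from this page. The control identifiers, weights and statuses in the sample are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed scoring parameters (DoD Assessment Methodology / CMMC rule, not from this page)
MAX_SCORE = 110
CONDITIONAL_MIN_SCORE = 88
FIPS_CONTROL = "3.13.11"  # CUI encryption; partial (non-FIPS crypto) scores 3 instead of 5


@dataclass
class ControlResult:
    control_id: str      # NIST SP 800-171 Rev 2 requirement number
    weight: int          # 1, 3 or 5 points per the DoD methodology
    status: str          # "implemented", "partial" or "not_implemented"


def deduction(c: ControlResult) -> int:
    """Points subtracted from the starting score for one requirement."""
    if c.status == "implemented":
        return 0
    # Assumed special case: encryption present but not FIPS-validated is a 3-point finding
    if c.control_id == FIPS_CONTROL and c.status == "partial":
        return 3
    return c.weight


def poam_eligible(c: ControlResult) -> bool:
    """Can this open item sit in a POA&M at assessment time?

    Per the FAQ, only 1-point items may remain open; the FIPS requirement is the
    one (assumed) exception when it scores 3 through compensating controls.
    """
    d = deduction(c)
    if d == 0:
        return False  # nothing to put in a POA&M
    return d == 1 or (c.control_id == FIPS_CONTROL and d == 3)


def sprs_score(results: List[ControlResult]) -> int:
    """SPRS-style score: starting score minus all deductions."""
    return MAX_SCORE - sum(deduction(c) for c in results)


def readiness_report(results: List[ControlResult]) -> Dict[str, object]:
    """Split open items into POA&M-eligible and must-fix, and judge conditional status."""
    open_items = [c for c in results if deduction(c) > 0]
    eligible = [c.control_id for c in open_items if poam_eligible(c)]
    must_fix = [c.control_id for c in open_items if not poam_eligible(c)]
    score = sprs_score(results)
    return {
        "score": score,
        "poam_eligible": eligible,
        "must_fix": must_fix,
        # Conditional certification (assumed rule): score >= 88 and no ineligible open items
        "conditional_ok": score >= CONDITIONAL_MIN_SCORE and not must_fix,
        # Final certification: every requirement fully met
        "final_ok": not open_items,
    }


# Constructed sample assessment results for illustration only
SAMPLE_RESULTS = [
    ControlResult("3.1.1", 5, "implemented"),       # access control: done
    ControlResult("3.1.20", 1, "not_implemented"),  # external connections: 1-point, POA&M-able
    ControlResult("3.5.3", 5, "not_implemented"),   # MFA: 5-point, must be fixed before assessment
    ControlResult("3.13.11", 5, "partial"),         # encryption in use but not FIPS-validated
    ControlResult("3.14.2", 5, "implemented"),      # malicious code protection: done
]

if __name__ == "__main__":
    report = readiness_report(SAMPLE_RESULTS)
    print(f"Score: {report['score']} / {MAX_SCORE}")
    print(f"POA&M-eligible open items: {report['poam_eligible']}")
    print(f"Must fix before assessment: {report['must_fix']}")
    print(f"Conditional certification possible: {report['conditional_ok']}")
```

Run against your own assessment results, the must_fix list is the set of findings a C3PAO cannot accept into a POA&M; everything in it has to be closed before scheduling, regardless of how high the overall score is.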
-
Timelines vary by organization size, scope, and readiness. Plan for multiple weeks covering planning, fieldwork, and closeout.
-
Costs vary widely depending on IT environment size, complexity, and readiness level. The DoD has emphasized reducing costs for small businesses, but certification expenses may range from $40,000 for small, enclave CMMC environments to over $100,000 for complex enterprise-wide environments.
-
Assessment results are submitted into DoD’s Enterprise Mission Assurance Support Service (eMASS) and linked to the Supplier Performance Risk System (SPRS). The DoD uses this data to validate compliance.
-
FCI is federal contract information provided or created under a DoD contract that is not intended for public release.
CUI is controlled unclassified information that requires protection under federal law and regulation.
CUI safeguarding requirements are defined in NIST SP 800-171. Download our CMMC 101 Guide to dive into the details for your organization.
-
CMMC does not use NIST SP 800-171 Revision 3 yet. Revision 2 remains in effect. Although NIST released Revision 3 in 2024 and the DoD has issued parameter guidance, contracts will continue to enforce Revision 2 until Title 32 is updated.
-
If your managed service provider (MSP) or managed security service provider (MSSP) handles CUI, they must be included in your assessment scope.
If they are a cloud service provider (CSP), they must hold a FedRAMP Moderate authorization or demonstrate FedRAMP Moderate equivalency through a formal Body of Evidence (BOE).
Non-CSP providers can either obtain their own Level 2 certification or be fully assessed as part of your environment.
-
Not automatically. DIBCAC High assessments under DFARS are not equivalent to CMMC certification. Joint Surveillance assessments completed before the cutoff date may convert to CMMC certification, but organizations should confirm with their C3PAO and the DoD.
-
Follow these steps:
Map your CUI data flows and external service providers
Run a self-assessment against NIST SP 800-171
Submit your score to SPRS
Update your System Security Plan (SSP) and POA&M
Implement any missing controls
Contact a C3PAO to plan your certification
Download our CMMC Readiness Roadmap to begin preparing.

Ready to take the next step?
Talk to an expert about CMMC, our services, pricing, or anything else.
Contact us about CMMC ❯