Question 1

What is CMMC 2.0 and why does it exist?

Accepted Answer

CMMC 2.0 is the Cybersecurity Maturity Model Certification program the Department of Defense uses to verify that defense contractors protect Controlled Unclassified Information. It replaced the previous CMMC 1.0 model and became mandatory on November 10, 2025. The DoD created CMMC because too many contractors were self certifying NIST SP 800-171 compliance without actually implementing the required security controls. This led to data breaches exposing sensitive defense information. Under CMMC, most contractors handling CUI must undergo third party assessment by certified C3PAOs, and the highest security programs require government led assessments. The program has three levels. Level 1 for basic protection of Federal Contract Information, Level 2 for CUI using NIST 800-171, and Level 3 for advanced threats requiring enhanced controls from NIST 800-172.

Question 2

Which CMMC level do I need for my DoD contract?

Accepted Answer

Your required CMMC level depends on what type of information your contract involves and how sensitive it is. If you only handle Federal Contract Information like delivery schedules, correspondence, or pricing, you need Level 1. If your contract involves Controlled Unclassified Information, technical data, specifications, or other sensitive government information, you need Level 2. Level 3 is rare and only required for programs involving the most sensitive CUI against advanced persistent threats. Check your contract's DFARS clause 252.204-7021, which specifies the required level. If you're a subcontractor, your prime contractor will tell you which level you need. When in doubt, assume Level 2. It covers about 90 percent of DoD contractors. The assessment requirement flows down from primes to subs, so even small contractors in the supply chain need certification.

Question 3

What's the difference between CMMC Level 1, 2, and 3?

Accepted Answer

Level 1 requires 17 basic security practices from FAR 52.204-21, allows annual self assessment, and protects Federal Contract Information. You don't need a C3PAO for Level 1. Level 2 requires all 110 practices from NIST SP 800-171, mandates third party C3PAO assessment every three years, and protects Controlled Unclassified Information. Most defense contractors need Level 2. Level 3 requires the 110 Level 2 practices plus 24 enhanced controls from NIST 800-172, requires government led assessment, and protects high value CUI programs against advanced threats. The DoD estimates only 1 percent of contractors will need Level 3. The main practical difference is assessment rigor, self assessment for Level 1, paid third party for Level 2, and direct government evaluation for Level 3. Level 2 costs typically run fifty thousand and up for the C3PAO assessment alone, not counting implementation.

Question 4

How long does CMMC certification take?

Accepted Answer

Level 1 typically takes one to two months if you're starting from a reasonable security baseline. Level 2 takes six to twelve months for most organizations from gap assessment to successful C3PAO audit. Level 3 can take twelve to eighteen months given the advanced controls and government assessment coordination. These timelines assume you're actively working on remediation and have budget allocated. If you're starting from scratch with minimal security controls, add three to six months. The C3PAO assessment itself runs six to eight weeks once you're ready. You also need to account for C3PAO scheduling. There's limited assessor capacity and high demand, especially near contract deadlines. I help you plan realistic timelines and avoid the common mistake of assuming you can rush through certification. The DoD designed this as a deliberate process, and trying to shortcut it usually means failed assessments and wasted money.

Question 5

How much does CMMC certification cost?

Accepted Answer

Level 1 costs five to fifteen thousand dollars in internal labor and documentation, with no auditor fees since it's self assessed. Level 2 costs fifty thousand and up just for the C3PAO assessment, depending on your organization's size, number of locations, and complexity. Add another twenty to eighty thousand for implementation, security tools, staff time, consultant fees if you need help, and remediation work. Level 3 costs significantly more given the enhanced controls and government assessment requirements. These numbers don't include ongoing compliance costs like annual training, continuous monitoring tools, or triennial reassessments. The biggest cost isn't the auditor. It's the time your staff spends implementing 110 security practices across your entire organization. I help optimize costs by implementing controls that provide actual security value rather than building security theater that wastes budget on checkbox compliance.

Question 6

What is DFARS 252.204-7012 and how does it relate to CMMC?

Accepted Answer

DFARS 252.204-7012 is the Defense Federal Acquisition Regulation Supplement clause titled 'Safeguarding Covered Defense Information and Cyber Incident Reporting.' It went into effect in 2017 and requires contractors to implement NIST SP 800-171 security requirements and report cyber incidents within 72 hours. This clause is the foundation that CMMC builds on. The key difference is that 7012 allowed self-certification, which many contractors abused by claiming compliance without actually implementing controls. CMMC fixes this by requiring third-party verification. Most new DoD contracts now include both DFARS 7012 and the new DFARS 252.204-7021, which specifies CMMC level requirements. You still need to comply with 7012's incident reporting rules even after achieving CMMC certification. Think of 7012 as the 'what' you need to do and CMMC as the 'proof' you actually did it.

Question 7

Can I do a self-assessment or do I need a C3PAO?

Accepted Answer

Level 1 requires annual self assessment with no third party involvement. You evaluate your own implementation of the 17 required practices, document your findings, and submit your score to the Supplier Performance Risk System. Level 2 and Level 3 require third party assessment. For Level 2, you hire a certified C3PAO from the CMMC Accreditation Body's registry. These are independent firms authorized to conduct CMMC assessments. The C3PAO evaluates your implementation against all 110 NIST 800-171 practices and issues either a certification or a list of findings you must remediate. Level 3 requires government led assessment by the Defense Industrial Base Cybersecurity Assessment Center, not a C3PAO. Self assessment saves money but only works for Level 1. If your contract specifies Level 2 or higher, you must pay for professional assessment, no exceptions. The C3PAO assessment is pass/fail, unlike the old NIST 800-171 scoring system where you could get partial credit.

Question 8

What is NIST SP 800-171 and how does it fit into CMMC?

Accepted Answer

NIST SP 800-171 is the National Institute of Standards and Technology Special Publication 800-171, titled 'Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.' It defines 110 security requirements organized into 14 families: access control, awareness training, audit logging, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system protection, and system communications. CMMC Level 2 requires full implementation of all 110 practices from 800-171 Revision 2. Level 1 uses a subset of 17 basic practices. Level 3 adds 24 enhanced controls from NIST SP 800-172 on top of the full 800-171 baseline. So 800-171 is the foundation. You can't achieve CMMC Level 2 without implementing every single one of those 110 requirements. The difference is that CMMC adds independent verification through C3PAO assessment, whereas the old DFARS 7012 approach let contractors self certify.

Question 9

What happens if I fail my CMMC assessment?

Accepted Answer

CMMC assessments are pass or fail. There's no partial credit or compliance score like the old NIST 800-171 system. If you have any practice assessed as 'Not Met,' you fail and don't get certification. The C3PAO documents all findings in your assessment report. You then have 180 days to remediate those findings and undergo a POA&M closure assessment to verify you fixed the gaps. If you don't remediate within 180 days, your Conditional Level 2 status expires and you start over. Failed assessments mean delayed contracts, wasted assessment fees (you still pay the C3PAO), and potential loss of business if you can't get certified in time. The DoD won't award contracts to uncertified contractors once CMMC is required. This is why proper preparation matters. I help contractors verify readiness before engaging a C3PAO, avoiding expensive failed assessments and the scramble to remediate under time pressure.

CMMC 2.0 Certification for DoD Contractors

Defense Industrial Base Cybersecurity Compliance

Understanding CMMC 2.0 Certification Levels

Level 1

Level 2

Level 3

CMMC 2.0 Framework Overview

DFARS Cybersecurity Requirements

DFARS 252.204-7012

Safeguarding Covered Defense Information and Cyber Incident Reporting

DFARS 252.204-7019

Notice of NIST SP 800-171 DoD Assessment Requirements

DFARS 252.204-7020

NIST SP 800-171 DoD Assessment Requirements

DFARS 252.204-7021

Cybersecurity Maturity Model Certification Requirements

CMMC Certification Services

Initial Certification (Levels 1-3)

Ongoing CMMC Compliance & Maintenance

Free Self-Service Assessment Tool

CMMC Certification Questions

Start Your CMMC Certification Journey

Loading