FAQ
ABOUT CMMC
Q. Now that CMMC 2.0 is published, will companies be required to comply with CMMC 1.0?
Once CMMC 2.0 is codified through rulemaking, the Department will require companies to adhere to the revised CMMC framework according to requirements set forth in regulation.
Q. When will CMMC 2.0 be required for DoD contracts?
Q. Why did the Department make these changes?
Q. How much will it cost to implement CMMC 2.0?


CMMC 2.0 MODEL
Q. How will my organization know what CMMC level is required for a contract?
Q. What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?
Q. Will prime contractors and subcontractors be required to maintain the same CMMC level?
ASSESSMENTS
Q. How does my company become a C3PAO?
Q. How frequently will assessments be required?
Q. Who will perform third-party CMMC assessments?
Q. Will my organization need to be certified if it does not handle CUI?
Q. Will CMMC certifications and the associated third-party assessments apply to classified systems and/or classified environments within the Defense Industrial Base?
Q. Will the results of my assessment be public? Will the DoD see my results?
If a company voluntarily chooses to obtain a CMMC assessment and certification from a third-party assessment organization in the absence of a contractual requirement, the company must provide written consent to allow DoD access to or use of those assessment results. If a company consents to DoD access and use of data relating to the assessment, then DoD intends to store that information on eMASS.
Q. How much will CMMC certification cost?
Q. What is the difference between a CMMC self-assessment and a basic assessment required as part of the DoD Assessment Methodology?
A “Basic Assessment”, as defined in DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, means a contractor’s self-assessment of the contractor’s implementation of NIST SP 800-171 that —
- Is based on the Contractor’s review of their system security plan(s) associated with covered contractor information system(s);
- Is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology; and
- Results in a score with a confidence level of “Low”, because the score is self-generated.


IMPLEMENTATION
Q. How will CMMC apply to non-US companies?
Q. What is the Department’s intent regarding acceptance agreements between CMMC and other cybersecurity standards and assessments?
Furthermore, DoD is working with international partners to coordinate on potential agreements between CMMC and their respective cybersecurity programs.
Any such equivalencies or acceptance standards, if established, will be implemented as part of the rulemaking process.