Interweave Technologies
Nov 29
2 Min

CMMC Requirements for Contractors: The Complete 2025 Compliance Guide

KEY TAKEAWAYS

  • CMMC enforcement began November 10, 2025 — compliance is now mandatory for new DoD contracts
  • Three certification levels exist: Level 1 (FCI), Level 2 (CUI), and Level 3 (Critical CUI)
  • Requirements flow down to all subcontractors handling FCI or CUI
  • Phase 1 focuses on self-assessments; third-party assessments expand in Phase 2 (November 2026)

If your organization works with the Department of Defense, the Cybersecurity Maturity Model Certification (CMMC) program is no longer something you can postpone. As of November 10, 2025, CMMC requirements have begun appearing in DoD contract solicitations, and contractors without proper certification risk losing their ability to compete for defense work.

This comprehensive guide breaks down everything defense contractors and subcontractors need to know about CMMC requirements, assessment processes, timelines, and costs. Whether you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), understanding these requirements is essential to maintaining your place in the defense industrial base (DIB).

What Is CMMC and Why Does It Matter for Contractors?

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard developed by the Department of Defense to protect sensitive information across the defense industrial base. Unlike previous self-attestation requirements under DFARS 252.204-7012, CMMC requires contractors to demonstrate their cybersecurity practices through verified assessments before contract award.

The program addresses a critical national security concern: adversaries have increasingly targeted defense contractors to steal sensitive technical data, intellectual property, and classified information. By requiring verified compliance, CMMC ensures that every organization handling defense-related information meets minimum cybersecurity standards.

The Difference Between FCI and CUI

Understanding the distinction between Federal Contract Information and Controlled Unclassified Information determines which CMMC level your organization needs.

Federal Contract Information (FCI) refers to information provided by or generated for the government under contract that is not intended for public release. This includes contract performance data, delivery schedules, and contractor business information related to federal contracts. FCI requires basic safeguarding under FAR clause 52.204-21.

Controlled Unclassified Information (CUI) requires additional protection beyond FCI. CUI includes technical data, engineering drawings, specifications, and other sensitive information that, while unclassified, could damage national security if disclosed. CUI is governed by 32 CFR Part 2002 and requires compliance with NIST SP 800-171.

Important: Encrypted CUI is still considered CUI. According to 32 CFR Part 2002, CUI remains controlled until formally decontrolled. Encryption protects data in transit but does not change its classification status.

The Three CMMC Levels Explained

CMMC 2.0 streamlined the original five-level framework into three distinct certification levels. Each level builds upon the previous one, with increasingly rigorous cybersecurity requirements.

Level   | Information Protected | Controls | Assessment Type
Level 1 | FCI only              | 15       | Annual self-assessment
Level 2 | CUI                   | 110      | Self-assessment or C3PAO (triennial)
Level 3 | Critical CUI          | 134      | Government (DIBCAC)

CMMC Level 1: Foundational Cybersecurity

Level 1 applies to organizations that only handle Federal Contract Information. It requires implementation of 15 basic cybersecurity practices derived from FAR clause 52.204-21. These represent fundamental cyber hygiene that every organization should already have in place.

Key Level 1 requirements include:

  • Limiting system access to authorized users
  • Authenticating users before granting access
  • Sanitizing or destroying media containing FCI before disposal
  • Protecting and monitoring physical facility boundaries
  • Identifying and reporting information security incidents

Level 1 requires an annual self-assessment with results entered into the Supplier Performance Risk System (SPRS), plus an annual affirmation of continued compliance.

CMMC Level 2: Advanced Cybersecurity

Level 2 applies to contractors handling Controlled Unclassified Information. It requires full implementation of the 110 security requirements (controls) in NIST SP 800-171 Revision 2, which break down into 320 assessment objectives and are organized across 14 security domains.

The 14 NIST 800-171 security domains include:

  • Access Control (22 requirements)
  • Awareness and Training (3 requirements)
  • Audit and Accountability (9 requirements)
  • Configuration Management (9 requirements)
  • Identification and Authentication (11 requirements)
  • Incident Response (3 requirements)
  • Maintenance (6 requirements)
  • Media Protection (9 requirements)
  • Personnel Security (2 requirements)
  • Physical Protection (6 requirements)
  • Risk Assessment (3 requirements)
  • Security Assessment (4 requirements)
  • System and Communications Protection (16 requirements)
  • System and Information Integrity (7 requirements)

Level 2 assessments can be either self-assessments or third-party assessments conducted by a CMMC Third-Party Assessment Organization (C3PAO), depending on the contract requirements. Assessments are required every three years, with annual affirmations (self-attestations) in between.

CMMC Level 3: Expert Cybersecurity

Level 3 is required for contractors handling the most sensitive CUI or facing advanced persistent threats (APTs). It builds on Level 2 by adding 24 enhanced security requirements from NIST SP 800-172, bringing the total to 134 requirements.

Level 3 assessments are conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not third-party assessors. This government-led assessment reflects the heightened sensitivity of the information being protected.

November 2025: CMMC Is Now in Effect

The CMMC program became contractually enforceable on November 10, 2025, when the revised DFARS clause 252.204-7021 took effect. The Department of Defense is implementing requirements through a four-phase rollout designed to minimize disruption while ensuring the defense industrial base achieves compliance.

Phase   | Timeline            | Requirements
Phase 1 | Nov 2025 – Nov 2026 | Level 1 and Level 2 self-assessments; C3PAO at DoD discretion
Phase 2 | Nov 2026 – Nov 2027 | Level 2 C3PAO certifications become the standard requirement
Phase 3 | Nov 2027 – Nov 2028 | Level 3 introduced; Level 2 required for option exercises
Phase 4 | Nov 2028+           | Full implementation across all applicable contracts

What Phase 1 Means for Your Organization

During Phase 1, the Department's focus is on self-assessments. Solicitations will specify CMMC Level 1 when only FCI will be processed, stored, or transmitted, and CMMC Level 2 (Self) when any CUI is involved. While program managers have discretion to include C3PAO requirements during Phase 1, this is not mandatory.

This phased approach provides time for the CMMC ecosystem to mature, allowing additional C3PAOs to be certified and giving contractors runway to implement required security controls. However, organizations should not interpret this as permission to delay. Starting your compliance journey now positions you for success when stricter requirements take effect.

Who Needs CMMC Certification?

CMMC requirements apply to any organization that processes, stores, or transmits FCI or CUI in performance of a DoD contract. This includes prime contractors, subcontractors at all tiers, and external service providers that access contractor systems.

CMMC Requirements Flow Down to Subcontractors

One of the most significant aspects of CMMC is the flow-down requirement. As outlined in 32 CFR 170.23, prime contractors must ensure their subcontractors meet appropriate CMMC levels based on the information they handle.

Key flow-down rules:

  • Subcontractors handling FCI must achieve CMMC Level 1
  • Subcontractors handling CUI must achieve CMMC Level 2
  • When the prime contract requires Level 3, subcontractors must achieve minimum Level 2 (C3PAO)
  • Government may provide specific guidance through Security Classification Guides

Prime contractors are responsible for verifying subcontractor compliance. The Department expects defense contractors to share CMMC status information to facilitate effective teaming arrangements when bidding for contracts.

International Contractors and CMMC

CMMC requirements apply to all companies performing under DoD contracts, whether domestic or international. Non-U.S. companies and individuals that meet all requirements under 32 CFR are eligible to participate in the CMMC ecosystem, including serving as C3PAOs.


INTERWEAVE TECHNOLOGIES PRESENTS

The 6 Steps to a Perfect 110

Your Proven Roadmap to CMMC Level 2 Certification

Achieving a perfect 110/110 score on your CMMC Level 2 assessment requires a systematic, comprehensive approach. At Interweave Technologies, we've developed a proven six-step methodology that has guided defense contractors from initial assessment through successful certification. Here's the roadmap we use with every client.

STEP 1: Identify, Define & Determine

Before implementing any controls, you must understand exactly what you're protecting and why. This foundational step establishes the scope of your compliance effort.

Identify DFARS Clause 7012 in Your Contracts

Review all current and prospective DoD contracts to identify where DFARS 252.204-7012 appears. This clause triggers your safeguarding obligations and determines whether you need CMMC certification.

Define Your Data Flow

Map exactly where FCI and CUI are processed, stored, and transmitted within your organization. This includes identifying all systems, applications, storage locations, and transmission paths that touch controlled information. Understanding your data flow is critical for accurate scoping.

Determine Your Required CMMC Level

  • FCI only → CMMC Level 1 (15 controls)
  • CUI involved → CMMC Level 2 (110 controls)
  • Critical CUI or APT concerns → CMMC Level 3 (134 controls)

STEP 2: Conduct Scoping & Gap Assessment

With your requirements defined, the next step is understanding your current security posture and identifying gaps that must be addressed.

Define Assets & Boundaries

Document all assets within your assessment scope, including hardware, software, network components, and personnel. Clearly define system boundaries—knowing what's in scope and out of scope directly impacts your compliance cost and complexity. Consider whether an enclave approach (isolating CUI in a smaller environment) makes sense for your organization.

Perform Initial Assessment

Conduct a thorough assessment against the appropriate standard based on your required level:

  • Level 1: Assess against FAR 52.204-21 (15 requirements)
  • Level 2: Assess against NIST SP 800-171 Revision 2 (110 requirements)
  • Level 3: Assess against NIST SP 800-171 + NIST SP 800-172 (134 requirements)

For each requirement, document whether it is fully MET, partially met, or NOT MET. This gap assessment establishes your baseline and drives remediation priorities.

STEP 3: Prepare Documentation

CMMC compliance isn't just about implementing controls—it requires comprehensive documentation that demonstrates how you meet each requirement.

Develop & Organize the System Security Plan (SSP)

The SSP is your foundational compliance document. It describes your system boundaries, security controls implementation, responsible parties, and operational procedures. An up-to-date SSP is mandatory—without one, assessments cannot be completed and you will receive a "No Score" result in SPRS.

Your SSP should address each of the 110 NIST 800-171 requirements (for Level 2), explaining specifically how your organization implements each control within your unique environment.

Create Plan of Action & Milestones (POA&M)

For any requirements not yet fully implemented, develop a POA&M documenting:

  • Specific gaps and their associated requirements
  • Remediation actions planned
  • Responsible parties for each action
  • Target completion dates
  • Resources required

Critical note: Of the 320 assessment objectives, only 45 carry a value of 1 point and can technically appear on a POA&M. Six "critical" requirements, defined in 32 CFR 170.21, cannot appear on a POA&M at all and must be fully implemented before assessment. Additionally, you must score at least 88/110 (80%) to achieve conditional certification status, so no more than 22 of the eligible objectives can actually be open on a POA&M, and all of them must be fully implemented within the 180-day conditional certification period to obtain full certification.

STEP 4: Remediation & Implementation

This is where the real work happens. Execute your remediation plan systematically to close identified gaps.

Remediate Items on POA&M

Work through your POA&M items according to priority, focusing first on critical requirements that cannot remain open. Track progress against your target dates and adjust resources as needed to stay on schedule.

Implement Required Elements

Comprehensive implementation typically includes:

  • Technical controls: Security tools, configurations, and system hardening
  • Policies & procedures: Written documentation governing security practices
  • Technologies & tools: SIEM, endpoint protection, access management, encryption
  • Support infrastructure: Help desk, incident response capabilities, monitoring
  • Evidence collection: Screenshots, logs, reports, and audit trails
  • Training: Security awareness and role-based training programs

Update Documentation

As you implement controls, continuously update your SSP and close POA&M items. Documentation should always reflect your current security posture, not aspirational goals.

STEP 5: Assessment & Certification

With controls implemented and documentation complete, you're ready for formal assessment.

Pre-Assessment Verification

Before your formal assessment, conduct an internal review to verify all controls are operating as documented. Test evidence collection processes, review documentation for completeness, and conduct mock interviews with key personnel. This pre-assessment catches issues before they become findings.

Complete Your Assessment

The assessment type depends on your required CMMC level:

  • Level 1: Self-assessment with results entered into SPRS
  • Level 2: For most contracts, C3PAO (CMMC Third-Party Assessment Organization) assessment
  • Level 3: DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) government assessment

C3PAO assessments involve document review, evidence examination, personnel interviews, and technical testing. Assessors verify that each control is not only documented but actually implemented and operating effectively.

STEP 6: Maintain Compliance

CMMC certification isn't a one-time achievement—it requires ongoing commitment to maintain your security posture.

Continuous Compliance Activities

  • Continuous monitoring: Real-time security monitoring and alerting
  • Routine audits: Regular internal assessments to verify control effectiveness
  • Evidence collection: Ongoing documentation of compliance activities
  • Compliance management: Tracking regulatory changes and updating controls accordingly
  • Change management: Assessing security impact of system changes

Required Affirmations and Reassessments

  • Annual self-attestation: Required for all CMMC levels
  • Level 2 third-party reassessment: Required every 3 years
  • Level 3 government reassessment: Required every 3 years

Understanding POA&Ms and Conditional Certification

Plans of Action and Milestones (POA&Ms) allow organizations to achieve conditional CMMC status while continuing to remediate specific gaps. However, strict rules govern what can and cannot be included on a POA&M.

POA&M Rules and Limitations

  • POA&Ms must be resolved within 180 days of achieving conditional status
  • Only ONE POA&M Closeout Assessment is permitted per conditional status
  • Six "critical" requirements (defined in 32 CFR 170.21) cannot be on a POA&M
  • Minimum score of 88/110 (80%) required for conditional Level 2 status
  • If POA&M requirements aren't met after the closeout assessment, you lose your conditional status and must restart the assessment process
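To make the Step 3 critical note and the rules above concrete, here is an added scoring check written for this guide (illustrative code, not a DoD, Cyber AB or Interweave tool). The requirement labels, the split of 3- and 5-point items, and which six items are flagged "critical" are constructed placeholders; only the 110 / 88 / 45 / 22 / 180-day figures come from the text above.

```python
from __future__ import annotations

from dataclasses import dataclass, field, replace
from datetime import date, timedelta

MAX_SCORE = 110          # Level 2: 110 requirements, one scoring entry each
MIN_CONDITIONAL = 88     # 80% of 110, the floor for conditional status
POAM_WINDOW_DAYS = 180   # POA&M items must be closed within 180 days


@dataclass(frozen=True)
class Requirement:
    req_id: str             # hypothetical label; real IDs look like AC.L2-3.1.1
    points: int             # deducted from 110 when not fully implemented
    critical: bool = False  # one of the six 32 CFR 170.21 items barred from any POA&M
    status: str = "MET"     # "MET", "PARTIAL" or "NOT MET"

    @property
    def is_open(self) -> bool:
        return self.status != "MET"


@dataclass
class Result:
    score: int
    eligible: bool
    reasons: list[str] = field(default_factory=list)
    poam_items: list[str] = field(default_factory=list)


def evaluate(reqs: list[Requirement]) -> Result:
    """Score the assessment and test the three conditional-status rules."""
    if len(reqs) != MAX_SCORE:
        raise ValueError("Level 2 scoring expects all 110 requirements")
    open_items = [r for r in reqs if r.is_open]
    score = MAX_SCORE - sum(r.points for r in open_items)
    reasons: list[str] = []
    if score < MIN_CONDITIONAL:
        reasons.append(f"score {score} is below the {MIN_CONDITIONAL}/110 minimum")
    crit = [r.req_id for r in open_items if r.critical]
    if crit:
        reasons.append(f"critical requirements can never sit on a POA&M: {crit}")
    heavy = [r.req_id for r in open_items if r.points != 1]
    if heavy:
        reasons.append(f"only 1-point requirements may sit on a POA&M: {heavy}")
    return Result(score, not reasons, reasons, [r.req_id for r in open_items])


def closeout_deadline(conditional_date_iso: str) -> str:
    """Last day to pass the single POA&M closeout assessment (ISO dates)."""
    start = date.fromisoformat(conditional_date_iso)
    return (start + timedelta(days=POAM_WINDOW_DAYS)).isoformat()


def sample_baseline() -> list[Requirement]:
    """Constructed set of 110 requirements: 45 one-point items (the figure the
    guide quotes), a made-up split of 3- and 5-point items for the rest, and
    the first six one-point items flagged as the 'critical' ones."""
    reqs = []
    for i in range(1, MAX_SCORE + 1):
        points = 1 if i <= 45 else (3 if i <= 60 else 5)
        reqs.append(Requirement(f"REQ-{i:03d}", points, critical=i <= 6))
    return reqs


def with_open(reqs: list[Requirement], open_ids: set[str]) -> list[Requirement]:
    """Return a copy of the baseline with the given requirements marked NOT MET."""
    return [replace(r, status="NOT MET") if r.req_id in open_ids else r for r in reqs]


if __name__ == "__main__":
    base = sample_baseline()
    # Exactly 22 open one-point items: score 88, conditional status possible.
    ok = evaluate(with_open(base, {f"REQ-{i:03d}" for i in range(7, 29)}))
    print(ok.score, ok.eligible, len(ok.poam_items))   # 88 True 22
    # One open 5-point item keeps the score high but is still disqualifying.
    bad = evaluate(with_open(base, {"REQ-061"}))
    print(bad.score, bad.eligible)                     # 105 False
```

Swap `sample_baseline()` for your own gap-assessment export (one record per requirement with its real point value) to see which open items would block conditional status before the assessor does.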

POA&Ms vs. Operational Plans of Action (OPAs)

POA&Ms are formal plans identifying cybersecurity gaps that must be addressed to achieve CMMC compliance. They have a strict 180-day deadline and are created during the assessment process.

Operational Plans of Action (OPAs) are ongoing measures for managing risks or vulnerabilities after initial compliance is achieved, such as applying patches or addressing routine maintenance. OPAs are not tied to specific completion timelines.

Cloud Service Providers and Managed Service Providers

Many contractors rely on cloud services and managed service providers for their IT infrastructure. Understanding how these external relationships affect CMMC compliance is critical.

FedRAMP Requirements for Cloud Services

Per DFARS 252.204-7012, if you use a Cloud Service Provider (CSP) to store, process, or transmit CUI, that CSP must meet security requirements equivalent to FedRAMP Moderate baseline. This can be achieved through:

  • FedRAMP Moderate authorization, OR
  • DoD equivalency requirements (per December 2023 memo)

Important: Even encrypted CUI stored in the cloud requires FedRAMP Moderate compliance. Non-FedRAMP cloud services cannot store CUI data, encrypted or otherwise.

Managed Service Provider Assessment Requirements

Managed Service Providers (MSPs) that provide IT support or security services to your organization do not require their own CMMC certification. However, the services they provide to you will be assessed against the applicable security requirements as part of your own assessment as the Organization Seeking Assessment (OSA).

If an MSP modifies cloud services (beyond simple administration), they may be classified as a CSP and must meet FedRAMP or equivalency requirements.

Virtual Desktop Infrastructure (VDI) Considerations

Endpoints used to access VDI can potentially be considered "out of scope" for CMMC assessment if properly configured. The VDI server must:

  • Block copy-paste, file transfers, and screenshots
  • Transmit only video, keyboard, and mouse data
  • Implement multifactor authentication separate from the endpoint
  • Restrict access to authorized users and allowable locations

How Much Does CMMC Compliance Cost?

CMMC compliance costs vary significantly based on your organization's size, current cybersecurity posture, required certification level, and infrastructure complexity. The Department of Defense distinguishes between existing safeguarding costs and CMMC-specific costs.

Important distinction: Costs to implement existing DFARS 252.204-7012 safeguarding requirements are NOT considered CMMC compliance costs. These are existing contractual obligations. CMMC compliance costs refer specifically to assessment and certification expenses.

Factors Affecting CMMC Costs

  • Required CMMC level (Level 1, 2, or 3)
  • Complexity of your network infrastructure
  • Current cybersecurity maturity and SPRS score
  • Size of CUI environment (full enterprise vs. enclave approach)
  • Internal resources vs. consultant engagement
  • C3PAO market availability and demand

Organizations should budget for gap assessment, remediation implementation, documentation development, training, and assessment fees. Engaging experienced compliance partners early can help optimize costs and avoid expensive rework.

NIST SP 800-171 Revision 2 vs. Revision 3

CMMC currently uses NIST SP 800-171 Revision 2 as its foundation. While Revision 3 has been published, the Department has issued a class deviation maintaining Revision 2 as the assessment standard until Revision 3 is incorporated through formal rulemaking.

Can You Implement Revision 3 Now?

Yes, organizations can implement NIST SP 800-171 Revision 3, but must:

  • Use DoD's Organization-Defined Parameters (ODPs) from April 2025
  • Ensure gaps between Revision 2 and 3 are addressed
  • Understand assessments will be conducted against Revision 2 until further notice

Free Resources to Help You Prepare

The Department of Defense provides several no-cost resources to help contractors achieve CMMC compliance:

  • DoD CIO DIB Cybersecurity Program: Cybersecurity-as-a-Service resources at dibnet.dod.mil
  • Cyber AB Marketplace: Certified assessors and practitioners at cyberab.org/marketplace
  • Defense Acquisition University: Free CMMC and cybersecurity training at dau.edu/cybersecurity/training
  • DoD Small Business Programs: Resources for small and medium businesses at business.defense.gov

Frequently Asked Questions About CMMC Requirements

When do I need CMMC certification?

If your contract is awarded after November 10, 2025, and involves FCI or CUI, CMMC requirements will be specified in the solicitation. The required level depends on the type of information you'll handle.

Can I start preparing now?

Absolutely. Begin with self-assessments and gap remediation immediately. Organizations that start early will be better positioned when C3PAO assessments become standard in Phase 2.

What if I'm not sure which CMMC level I need?

The required level will be specified in each DoD solicitation and resulting contract. Review your current contracts and anticipated solicitations, or consult with contracting officers for guidance.

Are classified systems covered by CMMC?

No. CMMC only applies to nonfederal unclassified information systems that process, store, or transmit FCI or CUI. Classified systems are governed by separate requirements.

What if I fail my POA&M closeout assessment?

Your conditional status terminates, and you must begin a new full assessment. Only one POA&M closeout assessment is permitted per conditional status. If the 180-day period expires without closeout, conditional status automatically terminates.

Will assessment results be public?

No. The public will not have access to company assessment results. However, DoD procurement officers can view results, and you can see your own scores in SPRS. You may voluntarily share status with prime contractors for teaming purposes.

Do my subcontractors need CMMC?

Yes, if they handle FCI or CUI. CMMC requirements flow down through the supply chain. Prime contractors are responsible for ensuring subcontractor compliance at appropriate levels.

Partner with Interweave Technologies for CMMC Success

CMMC compliance doesn't have to be overwhelming. As your trusted partner in managed IT services and cybersecurity compliance, Interweave Technologies brings 20+ years of expertise to help you navigate the certification process efficiently and cost-effectively.

Our proven 6 Steps to a Perfect 110 methodology has guided defense contractors throughout North Alabama and the Southeast from initial assessment through successful certification. We don't just consult—we partner with you through every step of the journey.

Our CMMC Services Include:

  • Data Flow & Risk Intelligence: Determine the FCI and/or CUI that you possess, store or transmit and how it flows within your organization
  • CMMC Readiness Assessments: Gap analysis against NIST SP 800-171/172 with customized remediation roadmaps throughout the entire process
  • Vulnerability and Network Assessments
  • Documentation: Prepare, update, revise the SSP processes and procedures and create the POA&M
  • Compliance Remediation & Implementation: Full SSP development, technical control implementation, and policy documentation to satisfy all controls and assessment objectives
  • Managed IT & Security Services: Fully managed or co-managed IT services with 24/7/365 support response, monitoring, incident response, and continuous compliance maintenance
  • Assessment Coordination & Advocacy: Pre-certification assessment, C3PAO selection, assessment preparation, POA&M tracking, and full advocacy when questions arise during the C3PAO assessment
  • Ongoing Compliance Maintenance and Support

As a minority-owned small business with deep roots in North Alabama's defense community, we understand the unique challenges facing contractors in our region. Our single-point-of-contact approach means you get integrated IT, cybersecurity, and compliance expertise—not fragmented solutions from multiple vendors.


DOWNLOAD THE OFFICIAL DoD CMMC FAQ

Get the complete CMMC Program FAQ document (Revision 2.1, November 2025)

directly from the Department of Defense.

Contact Interweave Technologies for your copy

and a free CMMC consultation.

www.interweavetech.net

Weaving Security into Your Digital Fabric

Your Security is Our Mission. Your Compliance is Our Commitment.

This guide is based on the official Department of Defense CMMC Program Frequently Asked Questions document (Revision 2.1, November 2025). Requirements and timelines are subject to change. For the latest regulatory updates, visit dodcio.defense.gov/cmmc.