Interweave Technologies
Nov 25

Understanding the Latest CMMC Requirements: Your Essential FAQ Guide

As a trusted partner in managed IT services and cybersecurity compliance, Interweave Technologies is committed to keeping you informed about critical updates that affect your business. The Department of Defense has released Revision 2.1 of the CMMC Program FAQ (November 2025), and we're here to help you navigate these important changes.

What is CMMC and Why Does It Matter?

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB). If your organization works with the Department of Defense or handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), CMMC compliance is now mandatory.

Key Implementation Timeline

November 10, 2025: CMMC Goes Live

Starting November 10, 2025, the Department of Defense began incorporating CMMC assessment requirements into applicable contracts. Here's what you need to know about the phased rollout:

Phase 1 (First 12 Months):

  • Primary focus on self-assessments
  • CMMC Level 1 for organizations handling only FCI
  • CMMC Level 2 (Self) for organizations handling CUI

Full Implementation:

  • Rolled out over a 3-year period in 4 phases
  • Designed to minimize disruption to the defense supply chain
  • Allows time for assessor training and company preparation

Understanding CMMC Levels

Level 1: Basic Cybersecurity Hygiene

  • Who needs it: Organizations handling only FCI
  • Assessment type: Annual self-assessment
  • Based on: FAR clause 52.204-21

Level 2: Advanced Cybersecurity

  • Who needs it: Organizations handling CUI
  • Assessment type: Self-assessment OR third-party assessment (C3PAO)
  • Frequency: Every 3 years (with annual affirmation)
  • Based on: NIST SP 800-171 Revision 2 (110 requirements)

Level 3: Expert Cybersecurity

  • Who needs it: Organizations handling sensitive CUI or facing advanced persistent threats
  • Assessment type: Government-led assessment
  • Based on: NIST SP 800-171 + NIST SP 800-172 (134 total requirements)

Critical Questions Answered

Will CMMC Requirements Flow Down to Subcontractors?

Yes. CMMC requirements apply throughout the supply chain. If you're a subcontractor handling FCI or CUI, you must meet the appropriate CMMC level. When prime contracts require Level 3, subcontractors must achieve at minimum Level 2 (C3PAO).

How Much Will CMMC Compliance Cost?

Costs vary significantly based on:

  • Required CMMC level
  • Complexity of your network infrastructure
  • Your current cybersecurity posture
  • Market factors

Important: Costs to implement existing safeguarding requirements (DFARS 252.204-7012) are NOT considered CMMC compliance costs.

What About NIST SP 800-171 Revision 3?

Companies CAN implement Revision 3 now, but must:

  • Use DoD's Organization-Defined Parameters (ODPs) from April 2025
  • Ensure gaps between Revision 2 and 3 are addressed
  • Note that assessments will be conducted against Revision 2 until further notice

Do Cloud Service Providers Need FedRAMP Moderate Authorization?

Yes. If you use a Cloud Service Provider (CSP) to store, process, or transmit CUI, the CSP must:

  • Meet FedRAMP Moderate baseline requirements, OR
  • Meet DoD's equivalency requirements (December 2023 memo)

Important: Even encrypted CUI requires FedRAMP Moderate compliance.

Assessment Frequency and Requirements

How Often Are Assessments Required?

  CMMC Level | Assessment Frequency   | Annual Affirmation Required?
  Level 1    | Annual self-assessment | Yes
  Level 2    | Every 3 years          | Yes
  Level 3    | Every 3 years          | Yes

Will Assessment Results Be Public?

No. The public will not have access to company assessment results. However:

  • DoD procurement officers can view results
  • You can view your own scores in SPRS (Supplier Performance Risk System)
  • You may voluntarily share your status with prime contractors for teaming

Understanding POA&Ms (Plan of Actions & Milestones)

What Are POA&Ms?

POA&Ms are formal plans identifying cybersecurity gaps that must be addressed to achieve CMMC compliance. Key points:

  • Must be resolved within 180 days
  • Cannot include "critical" requirements (defined in 32 CFR 170.21)
  • Only ONE POA&M Closeout Assessment allowed per conditional status
  • If requirements aren't met after 180 days, you must restart the assessment process

POA&Ms vs. OPAs (Operational Plans of Action)

  • POA&Ms: Formal remediation plans for gaps identified during assessment (180-day deadline)
  • OPAs: Ongoing measures for routine maintenance and vulnerabilities after initial compliance

Special Considerations

Virtual Desktop Infrastructure (VDI)

Endpoints used to access VDI can be considered "out of scope" IF:

  • The VDI server blocks copy-paste, file transfers, and screenshots
  • Only video, keyboard, and mouse data are transmitted to the endpoint
  • Multifactor authentication is implemented separately from the endpoint
  • Access is restricted to authorized users and locations

Managed Service Providers (MSPs)

MSPs don't require their own CMMC assessment BUT:

  • Will be assessed as part of your OSA (Organization Seeking Assessment)
  • Must meet applicable security requirements
  • If they modify cloud services, they may be classified as a CSP

International Contractors

CMMC requirements apply to ALL companies performing DoD contracts, whether domestic or international.

Free Resources to Help You Prepare

The Department of Defense offers several no-cost resources:

  1. DoD CIO DIB Cybersecurity Program: Cybersecurity-as-a-Service resources at dibnet.dod.mil
  2. Cyber AB Marketplace: Certified assessors and practitioners at cyberab.org/marketplace
  3. Defense Acquisition University: Free CMMC and cybersecurity training at dau.edu/cybersecurity/training
  4. DoD Small Business Programs: Resources specifically for small and medium businesses at business.defense.gov

How Interweave Technologies Can Help

As your compliance partner, Interweave Technologies offers:

CMMC Readiness Assessments

  • Gap analysis against NIST SP 800-171/172
  • Identification of critical requirements
  • Customized remediation roadmaps

Compliance Implementation

  • System Security Plan (SSP) development
  • Technical control implementation
  • Policy and procedure documentation

Managed Security Services

  • 24/7 security monitoring
  • Incident response
  • Continuous compliance maintenance

Third-Party Assessment Coordination

  • C3PAO selection and management
  • Assessment preparation
  • POA&M development and tracking

Take Action Now

Step 1: Assess Your Current State

Conduct a thorough self-assessment against FAR 52.204-21 (for FCI) or DFARS 252.204-7012 (for CUI).

Step 2: Identify Gaps

Document any unmet requirements and prioritize remediation efforts.

Step 3: Develop Your Plan

Create a realistic timeline for addressing gaps before initiating formal assessment.

Step 4: Partner with Experts

Don't navigate CMMC alone. Interweave Technologies brings deep expertise in both commercial and government compliance frameworks.

Contact Information

CMMC Program Management Office:

  • Website: dodcio.defense.gov/cmmc/Contact/

Interweave Technologies:

  • Services: Managed IT, Cybersecurity, CMMC Compliance
  • Specializations: CMMC, NIST, HIPAA, ISO, FTC Safeguards
  • Website: www.interweavetech.net

Frequently Asked Questions Quick Reference

When do I need CMMC?

If your contract is awarded after November 10, 2025, and involves FCI or CUI, CMMC requirements will be specified in the solicitation.

Can I start preparing now?

Absolutely! Begin with self-assessments and gap remediation immediately.

What if I'm not sure which CMMC level I need?

The required level will be specified in each DoD solicitation and resulting contract.

Are classified systems covered by CMMC?

No, CMMC only applies to nonfederal unclassified information systems.

What if I fail my POA&M closeout?

Your conditional status terminates, and you must begin a new full assessment.

Conclusion

CMMC compliance is no longer optional for DoD contractors. The November 2025 updates provide clarity on implementation timelines, assessment procedures, and technical requirements. While the road to compliance may seem complex, you don't have to navigate it alone.

Interweave Technologies stands ready as your trusted partner, combining managed IT services, cybersecurity expertise, and deep compliance knowledge under one roof. Our single point of contact approach ensures seamless integration and customized solutions for your specific needs.

Don't wait until the last minute. Start your CMMC journey today.

Download This Guide

Download the Official DoD CMMC FAQ Document (Revision 2.1 - November 2025)

This guide is based on the official Department of Defense CMMC Program Frequently Asked Questions document. For the complete regulatory text, download the PDF version.

Stay Informed

CMMC requirements continue to evolve. Subscribe to Interweave Technologies updates to receive:

  • Regulatory change notifications
  • Best practice guidance
  • Compliance tips and strategies
  • Industry insights

Your security is our mission. Your compliance is our commitment.