
When will Cybersecurity Maturity Model Certification (CMMC) assessments be required for Department contracts?
How much will it cost to achieve CMMC compliance?
What resources are available to assist companies in complying with Department cybersecurity requirements?
Who is the point of contact for general inquiries regarding the CMMC Program?
How will my organization know what CMMC level is required for a contract?
What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?
The CMMC model uses NIST SP 800-171, Revision 2. Will the Department update the program to use NIST SP 800-171, Revision 3?
Can Department contractors implement NIST SP 800-171 Revision 3?
What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172 and CMMC?
Will CMMC requirements flow down to subcontractors?
What is the difference between FCI and CUI?
How frequently will assessments be required?
Will my organization need to be independently assessed if it does not handle CUI?
Will CMMC independent assessments be required for classified systems and / or classified environments within the DIB?
Will the results of a DIB company’s assessment be made public? Will the Department be able to see assessment results?
Does my company’s administrative office or manufacturing facility require a specific Commercial and Government Entity (CAGE) code for that location to submit and comply with CMMC?
Which requirements are considered "critical" and are not allowed in a Plan of Action and Milestones (POA&M)?
What happens after a POA&M Closeout Assessment if one or more of the security requirements on the POA&M still aren’t met?
I have entered my company’s CMMC self-assessment into SPRS and have received the following error(s) for ‘CMMC Status Type’: No CMMC Status or No CMMC Score. How can I fix this?
How will the DoD implement CMMC?
How can businesses best prepare for CMMC?
Will CMMC apply to non-U.S. companies?
Can non-U.S. citizens or organizations be part of the CMMC Ecosystem, e.g., C3PAOs?
Starting November 10, 2025, does Department policy (ref: https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Implementation_Policy_d26075de0f.pdf) require Program Managers to include CMMC Level 2 (C3PAO) in a solicitation if the contractor will handle CUI from the Defense Organizational Index Grouping?
External Service Providers
Must my cloud service provider (CSP) meet Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline requirements if it processes, stores, or transmits CUI?
An Organization Seeking Assessment (OSA) stores CUI in a system provided by a Managed Service Provider (MSP) that is not a cloud offering. Does the MSP require its own CMMC assessment?
We separately outsource our IT support to an External Service Provider (ESP) (that is an MSP), and our security tools are managed by a different ESP (that is a Managed Security Service Provider). No CUI is sent to either vendor. Are they required to be assessed?
We store CUI in the cloud and our MSP administers the environment. Is the MSP a CSP?
CUI is processed, stored, and transmitted in a Virtual Desktop Infrastructure (VDI). Are the endpoints used to access the VDI in scope as CUI assets?



