Frequently Asked Questions
Frequently Asked Questions
Frequently Asked Questions
You've got questions, we've got answers.
We're transforming the CMMC industry, see how.
You've got questions, we've got answers.
We're transforming the CMMC industry, see how.
About CMMC
About CMMC
Choose the right level of automation and support for your compliance needs.
Choose the right level of automation and support for your compliance needs.
When will Cybersecurity Maturity Model Certification (CMMC) assessments be required for Department contracts?
When will Cybersecurity Maturity Model Certification (CMMC) assessments be required for Department contracts?
When will Cybersecurity Maturity Model Certification (CMMC) assessments be required for Department contracts?
How much will it cost to achieve CMMC compliance?
How much will it cost to achieve CMMC compliance?
How much will it cost to achieve CMMC compliance?
What resources are available to assist companies in complying with Department cybersecurity requirements?
What resources are available to assist companies in complying with Department cybersecurity requirements?
What resources are available to assist companies in complying with Department cybersecurity requirements?
Who is the point of contact for general inquiries regarding the CMMC Program?
Who is the point of contact for general inquiries regarding the CMMC Program?
Who is the point of contact for general inquiries regarding the CMMC Program?
CMMC Models
CMMC Models
Choose the right level of automation and support for your compliance needs.
Choose the right level of automation and support for your compliance needs.
How will my organization know what CMMC level is required for a contract?
How will my organization know what CMMC level is required for a contract?
How will my organization know what CMMC level is required for a contract?
What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?
What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?
What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?
The CMMC model uses NIST SP 800-171, Revision 2. Will the Department update the program to use NIST SP 800-171, Revision 3?
The CMMC model uses NIST SP 800-171, Revision 2. Will the Department update the program to use NIST SP 800-171, Revision 3?
The CMMC model uses NIST SP 800-171, Revision 2. Will the Department update the program to use NIST SP 800-171, Revision 3?
Can Department contractors implement NIST SP 800-171 Revision 3?
Can Department contractors implement NIST SP 800-171 Revision 3?
Can Department contractors implement NIST SP 800-171 Revision 3?
What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172 and CMMC?
What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172 and CMMC?
What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172 and CMMC?
Will CMMC requirements flow down to subcontractors?
Will CMMC requirements flow down to subcontractors?
Will CMMC requirements flow down to subcontractors?
What is the difference between FCI and CUI?
What is the difference between FCI and CUI?
What is the difference between FCI and CUI?
Assessments
Assessments
Choose the right level of automation and support for your compliance needs.
Choose the right level of automation and support for your compliance needs.
How frequently will assessments be required?
How frequently will assessments be required?
How frequently will assessments be required?
Will my organization need to be independently assessed if it does not handle CUI?
Will my organization need to be independently assessed if it does not handle CUI?
Will my organization need to be independently assessed if it does not handle CUI?
Will CMMC independent assessments be required for classified systems and / or classified environments within the DIB?
Will CMMC independent assessments be required for classified systems and / or classified environments within the DIB?
Will CMMC independent assessments be required for classified systems and / or classified environments within the DIB?
Will the results of a DIB company’s assessment be made public? Will the Department be able to see assessment results?
Will the results of a DIB company’s assessment be made public? Will the Department be able to see assessment results?
Will the results of a DIB company’s assessment be made public? Will the Department be able to see assessment results?
Does my company’s administrative office or manufacturing facility require a specific Commercial and Government Entity (CAGE) code for that location to submit and comply with CMMC?
Does my company’s administrative office or manufacturing facility require a specific Commercial and Government Entity (CAGE) code for that location to submit and comply with CMMC?
Does my company’s administrative office or manufacturing facility require a specific Commercial and Government Entity (CAGE) code for that location to submit and comply with CMMC?
Which requirements are considered "critical" and are not allowed in a Plan of Actions and Milestone (POA&M)?
Which requirements are considered "critical" and are not allowed in a Plan of Actions and Milestone (POA&M)?
Which requirements are considered "critical" and are not allowed in a Plan of Actions and Milestone (POA&M)?
What happens after a POA&M Closeout Assessment if one or more of the security requirements on the POA&M still aren’t met?
What happens after a POA&M Closeout Assessment if one or more of the security requirements on the POA&M still aren’t met?
What happens after a POA&M Closeout Assessment if one or more of the security requirements on the POA&M still aren’t met?
I have entered my company’s CMMC self-assessment into SPRS and have received the following error(s) for ‘CMMC Status Type’: No CMMC Status or No CMMC Score. How can I fix this?
I have entered my company’s CMMC self-assessment into SPRS and have received the following error(s) for ‘CMMC Status Type’: No CMMC Status or No CMMC Score. How can I fix this?
I have entered my company’s CMMC self-assessment into SPRS and have received the following error(s) for ‘CMMC Status Type’: No CMMC Status or No CMMC Score. How can I fix this?
Implementation
Implementation
Choose the right level of automation and support for your compliance needs.
Choose the right level of automation and support for your compliance needs.
How will the DoD implement CMMC?
How will the DoD implement CMMC?
How will the DoD implement CMMC?
How can businesses best prepare for CMMC?
How can businesses best prepare for CMMC?
How can businesses best prepare for CMMC?
Will CMMC apply to non-U.S. companies?
Will CMMC apply to non-U.S. companies?
Will CMMC apply to non-U.S. companies?
Can non-U.S. citizens or organizations be part of the CMMC Ecosystem, e.g., C3PAOs?
Can non-U.S. citizens or organizations be part of the CMMC Ecosystem, e.g., C3PAOs?
Can non-U.S. citizens or organizations be part of the CMMC Ecosystem, e.g., C3PAOs?
Starting November 10, 2025, does Department policy (ref: https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Imple mentation_Policy_d26075de0f.pdf) require Program Managers to include CMMC Level 2 (C3PAO) in a solicitation if the contractor will handle CUI from the Defense Organizational Index Grouping?
Starting November 10, 2025, does Department policy (ref: https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Imple mentation_Policy_d26075de0f.pdf) require Program Managers to include CMMC Level 2 (C3PAO) in a solicitation if the contractor will handle CUI from the Defense Organizational Index Grouping?
Starting November 10, 2025, does Department policy (ref: https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Imple mentation_Policy_d26075de0f.pdf) require Program Managers to include CMMC Level 2 (C3PAO) in a solicitation if the contractor will handle CUI from the Defense Organizational Index Grouping?
External Service Providers
Choose the right level of automation and support for your compliance needs.
Choose the right level of automation and support for your compliance needs.
Must my cloud service provider (CSP) meet Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline requirements if it processes, stores, or transmits CUI?
Must my cloud service provider (CSP) meet Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline requirements if it processes, stores, or transmits CUI?
Must my cloud service provider (CSP) meet Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline requirements if it processes, stores, or transmits CUI?
An Organization Seeking Assessment (OSA) stores CUI in a system provided by a Managed Service Provider (MSP) that is not a cloud offering. Does the MSP require its own CMMC assessment?
An Organization Seeking Assessment (OSA) stores CUI in a system provided by a Managed Service Provider (MSP) that is not a cloud offering. Does the MSP require its own CMMC assessment?
An Organization Seeking Assessment (OSA) stores CUI in a system provided by a Managed Service Provider (MSP) that is not a cloud offering. Does the MSP require its own CMMC assessment?
We separately outsource our IT support to an External Service Provider (ESP) (that is an MSP), and our security tools are managed by a different ESP (that is a Managed Security Service Provider). No CUI is sent to either vendor. Are they required to be assessed?
We separately outsource our IT support to an External Service Provider (ESP) (that is an MSP), and our security tools are managed by a different ESP (that is a Managed Security Service Provider). No CUI is sent to either vendor. Are they required to be assessed?
We separately outsource our IT support to an External Service Provider (ESP) (that is an MSP), and our security tools are managed by a different ESP (that is a Managed Security Service Provider). No CUI is sent to either vendor. Are they required to be assessed?
We store CUI in the cloud and our MSP administers the environment. Is the MSP a CSP?
We store CUI in the cloud and our MSP administers the environment. Is the MSP a CSP?
We store CUI in the cloud and our MSP administers the environment. Is the MSP a CSP?
CUI is processed, stored, and transmitted in a Virtual Desktop Infrastructure (VDI). Are the endpoints used to access the VDI in scope as CUI assets?
CUI is processed, stored, and transmitted in a Virtual Desktop Infrastructure (VDI). Are the endpoints used to access the VDI in scope as CUI assets?
CUI is processed, stored, and transmitted in a Virtual Desktop Infrastructure (VDI). Are the endpoints used to access the VDI in scope as CUI assets?
Ready to Make Compliance Simple?
Cut the chaos. Protect your contracts. Grow your business with SMPL-C® as your AI-powered compliance sidekick.
Subscribe to our newsletter for the latest updates on features and product releases.
By subscribing, you consent to our Privacy Policy and agree to receive updates.
Quick Links
Ready to Make Compliance Simple?
Cut the chaos. Protect your contracts. Grow your business with SMPL-C® as your AI-powered compliance sidekick.
Subscribe to our newsletter for the latest updates on features and product releases.
By subscribing, you consent to our Privacy Policy and agree to receive updates.
Quick Links
Ready to Make Compliance Simple?
Cut the chaos. Protect your contracts. Grow your business with SMPL-C® as your AI-powered compliance sidekick.
Subscribe to our newsletter for the latest updates on features and product releases.
By subscribing, you consent to our Privacy Policy and agree to receive updates.
Quick Links