Please reach out to us if you cannot find an answer to your question. We will update and add new FAQs as needed.
§ 170.1 (c) The CMMC Program is designed to ensure defense contractors are properly safeguarding FCI and CUI that is processed, stored, or transmitted on defense contractor information systems. FCI and CUI must be protected to meet evolving threats and safeguard nonpublic, unclassified information that supports and enables the warfighter. The CMMC Program provides a consistent methodology to assess a defense contractor’s implementation of required cybersecurity requirements.
The CMMC Program utilizes the security standards set forth in the 48 CFR 52.204–21; National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171, Basic Safeguarding of Covered Contractor Information Systems, Revision 2, February 2020 (includes updates as of January 28, 2021) (NIST SP 800–171 R2); and selected requirements from the NIST SP 800–172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171, February 2021 (NIST SP 800–172 Feb2021), as applicable…”
The CMMC Final Rule (32 CFR Part 170) was published in the Federal Register on October 15, 2024. The Rule will become effective December 16, 2024.
§ 170.3 (a) (1) All DoD contract and subcontract awardees that will process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.
Implementation of CMMC Program requirements will occur over four (4) phases:
(1) Phase 1. Begins on the effective date of the complementary 48 CFR part 204 CMMC Acquisition final rule. DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, include the requirement for CMMC Status of Level 1 (Self) or Level 2 (Self) for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date. DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status for applicable DoD solicitations and contracts.
(2) Phase 2. Begins one calendar year following the start date of Phase 1. In addition to Phase 1 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of requirement for CMMC Status of Level 2 (C3PAO) to an option period instead of as a condition of contract award. DoD may also, at its discretion, include the requirement for CMMC Status of Level 3 (DIBCAC) for applicable DoD solicitations and contracts.
(3) Phase 3. Begins one calendar year following the start date of Phase 2. In addition to Phase 1 and 2 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after the effective date. DoD intends to include the requirement for CMMC Status of Level 3 (DIBCAC) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of requirement for CMMC Status of Level 3 (DIBCAC) to an option period instead of as a condition of contract award.
(4) Phase 4, full implementation. Begins one calendar year following the start date of Phase 3. DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4. (e) DoD is utilizing a phased approach for the inclusion of CMMC Program requirements in solicitations and contracts.
The CMMC Model consists of three (3) levels, each containing security requirements taken directly from existing regulations and guidelines. Firstly, § 170.14(2) defines CMMC Level 1 as the 15 security requirements listed in the FAR clause 52.204-21(b)(1). Secondly, § 170.14(3) defines CMMC Level 2 as the 110 security requirements from the NIST SP 800-171 R2. Lastly, § 170.14(4) defines CMMC Level 3 as 24 selected security requirements from the NIST SP 800-172 Feb2021.
According to the CMMC Final Rule, the CMMC program will be implemented as a pre-award requirement. When CMMC requirements are applied to a solicitation, Contracting Officers will not make award, exercise an option, or extend the period of performance on a contract, if the offeror or contractor does not have the passing results of a current certification assessment or self-assessment for the required CMMC level, and an affirmation of continuous compliance with the security requirements in the Supplier Performance Risk System (SPRS) for all information systems that process, store, or transmit FCI or CUI during contract performance.
DoD may "include CMMC requirements on contracts awarded prior to 48 CFR part 204 CMMC Acquisition rule becoming effective, but doing so will require bilateral contract modification after negotiations."
As described in § 170.3, the CMMC Program's assessment phase-in plan does not preclude entities from immediately seeking a CMMC certification assessment prior to the 48 CFR part 204 CMMC Acquisition rule being finalized and the clause being added to new or existing DoD contracts.
Organizations Seeking Assessment (OSA) can shop for C3PAOs on the CMMC Accreditation Body (AB) Marketplace at CyberRx is
Every authorized or accredited C3PAO will assess OSAs in accordance with the CMMC Program requirements and the requirements of the CMMC Accreditation Body (Cyber AB).
However, C3PAOs may have various approaches to engaging OSAs.
At CyberRx, our straightforward approach kicks off with an introductory call so we can get to know you and understand your goals, timeline, and expectations. Once CyberRx gathers a reasonable amount of information about your assessment scope, we will prepare and deliver a proposal with options for you to consider. Upon execution of an engagement agreement, a kick-off meeting will be scheduled to initiate assessment activities.
The time it takes for a Level 2 CMMC assessment can range from several days to a few weeks depending on the size and complexity of the OSA's assessment scope.
Prior to the start of the assessment, OSAs should plan for 4-6 weeks (elapsed time) for pre-assessment activities with a C3PAO that include but are not limited to finalizing assessment scope, document sharing, scheduling and other logistics.
The Final Rule (Table 9) estimates that the cost for a small business OSA to conduct a triennial CMMC Level 2 assessment is $76,743, not including planning and preparing for the assessment, reporting assessment results, and submitting annual affirmations. However, DoD recognizes that "Market forces of supply and demand will determine C3PAO pricing for CMMC Level 2 certification."
The actual cost for a given assessment may be lower or higher based on the size and complexity of the OSA's assessment scope.
Companies may reference a CMMC Status as part of any number of proposals to various solicitations with that level of CMMC requirement if the same assessment scope is used.
Effective January 2, 2025, CyberRx has been re-authorized as a CMMC C3PAO by the Cyber AB and is available to conduct CMMC assessments.