Cybersecurity Maturity Model Certification (CMMC): Compliance Process & FAQs

Article

September 23, 2025

Last Updated: September 23, 2025

This article was updated to reflect the finalized Cybersecurity Maturity Model Certification (CMMC) acquisition rule under 48 CFR Parts 204, 212, 217, and 252. The rule was published in the Federal Register on September 10, 2025, and will go into effect 60 days later on November 10, 2025.

As one of the largest and earliest Authorized CMMC Third-Party Assessment Organization (C3PAO) and a Registered Practitioner Organization (RPO), Cherry Bekaert helps clients prepare for CMMC certification assessments and assesses clients via the CMMC certification assessment process. Below, we provide information on the CMMC compliance process, as well as answers to frequently asked questions (FAQs).

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard for Department of Defense (DoD) acquisitions aimed at securing the Defense Industrial Base (DIB) supply chain. It is a DoD program established to verify contractors have implemented the required security measures necessary to safeguard federal contract information (FCI) and controlled unclassified information (CUI).

The CMMC Program is designed to provide increased assurance to the DoD that defense contractors and subcontractors are compliant with information protection requirements for FCI and CUI, and are protecting such information at a level commensurate with risk from cybersecurity threats, including Advanced Persistent Threats (APTs).

The CMMC Program will allow the DoD to confirm that a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. The goal is to secure the Defense Industrial Base (DIB) supply chain against evolving cybersecurity threats.

Why Do I Need To Be CMMC Certified?

Any organization that wishes to bid on DoD contracts must achieve a level of CMMC certification. This includes primary contractors and subcontractors who deal with Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI).

Who Does CMMC Apply To?

The CMMC Program requirements apply to all DoD contract and subcontract awardees that, in performance of the DoD contract, will process, store or transmit information that meets the standard for FCI and CUI on unclassified contractor information systems.

Further, the CMMC Program requirements may apply to private-sector businesses or other CMMC Assessment and Certification Ecosystem entities, including cloud service providers (CSPs) and external service providers (ESPs).

A CSP is an external company that provides services based on cloud computing as defined in NIST SP 800-145, Sept 2011. An ESP consists of external people, technology or facilities that an organization utilizes for the provision and management of IT and/or cybersecurity services on behalf of the organization. Under the CMMC Program, an external entity is considered an ESP only if CUI or security protection data is processed, stored or transmitted on its assets.

Additionally, the CMMC Program requirements will apply to new DoD solicitations and contracts and will flow down to subcontractors who process, store or transmit FCI and CUI in performance of the subcontract. See the table below for flow-down requirements.

CMMC Level Flow-Down Requirements

Prime Contractor Requirement   Minimum Requirement if the Subcontractor Will Process, Store, or Transmit:
                               FCI               CUI
Level 1 (Self)                 Level 1 (Self)    N/A
Level 2 (Self)                 Level 1 (Self)    Level 2 (Self)
Level 2 (C3PAO)                Level 1 (Self)    Level 2 (C3PAO)
Level 3 (DIBCAC)               Level 1 (Self)    Level 2 (C3PAO)

The requirements of the rule do not apply to federal information systems operated by contractors or subcontractors on behalf of the government. Additionally, in very limited circumstances and in accordance with all applicable policies, procedures, and requirements, a service acquisition executive or component acquisition executive in the DoD, or as delegated, may elect to waive the inclusion of CMMC Program requirements in a solicitation or contract. In such cases, contractors and subcontractors must comply with all applicable cybersecurity and information security requirements.

How And When Will CMMC Be Enforced?

The DoD published the CMMC acquisition rule under 48 CFR Parts 204, 212, 217, and 252 in the Federal Register on September 10, 2025; the rule will go into effect 60 days later on November 10, 2025.

Beginning November 10, DoD contracting officers will be authorized to include CMMC requirements in new solicitations and contracts. Certain DoD contractors handling FCI and CUI will be required to achieve a CMMC Status at the applicable level as a condition of contract award. CMMC requirements will be implemented using a four-phase implementation plan over a three-year period. The table below outlines DoD’s four implementation phases.

It is important to note that prime contractors can enforce CMMC requirements on their subcontractors ahead of the DoD’s implementation phases. Subcontractors should communicate with their prime contractors to determine when they need to be compliant with CMMC.

Phase 1

Timeline: Begins on the effective date of 48 CFR 252.204-7021, November 10, 2025.

Summary:
  • DoD intends to include CMMC Level 1 or CMMC Level 2 Self-Assessments for all applicable DoD solicitations and contracts as a condition of contract award.
  • The DoD may include:
    • CMMC Level 1 or CMMC Level 2 Self-Assessments for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date.
    • CMMC Level 2 Certification Assessment (C3PAO) in place of CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts.

Phase 2

Timeline: Begins one calendar year following the start date of Phase 1.

Summary:
  • The DoD intends to include CMMC Level 2 Certification Assessment (C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award.
  • The DoD may:
    • Delay the inclusion of CMMC Level 2 Certification Assessment (C3PAO) to an option period instead of as a condition of contract award.
    • Include CMMC Level 3 Certification Assessment (DIBCAC) for applicable DoD solicitations and contracts.

Phase 3

Timeline: Begins one calendar year following the start date of Phase 2.

Summary:
  • CMMC Level 2 Certification Assessment (C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after the effective date.
  • CMMC Level 3 Certification Assessment (DIBCAC) requirements included for all applicable DoD solicitations and contracts as a condition of contract award.
  • The DoD may:
    • Delay the inclusion of the requirement for CMMC Level 3 Certification Assessment (DIBCAC) to an option period instead of as a condition of contract award.

Phase 4

Timeline: Begins one calendar year following the start date of Phase 3.

Summary:
  • Full Implementation. The DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.

What Are The CMMC Requirements By Level?

The CMMC Model consists of three levels and can require an independent assessment by an authorized third-party assessment organization (C3PAO). The three levels include:

  • CMMC Level 1 — Basic safeguarding of FCI. The security requirements are derived from FAR clause 52.204-21(b)(1)(i) – (b)(1)(xv).
  • CMMC Level 2 — Protecting CUI. The security requirements are derived from NIST SP 800-171 r2.
  • CMMC Level 3 — Protecting CUI and reducing risk of Advanced Persistent Threats (APT). The security requirements are derived from NIST SP 800-171 r2, selected from NIST SP 800-172, Feb 2021, and where applicable, Organization-Defined Parameters (ODPs) are assigned. Table 1 to § 170.14(c)(4) of the rule identifies the selected requirements and applicable ODPs.

How Do I Know What Level My Organization Needs To Achieve?

DoD program managers or requiring activities are responsible for selecting the CMMC Status that will apply for a particular procurement or contract. Contractors who handle CUI categorized under the Defense Organizational Index Group, as outlined by the NARA CUI Archives, are expected to require Level 2 third-party assessments.

Selection of the applicable CMMC Status will be based on factors including but not limited to:

  • Criticality of the associated mission capability
  • Type of acquisition program or technology
  • Threat of loss of the FCI and CUI to be shared or generated in relation to the effort
  • Impacts from the exploitation of information security deficiencies
  • Other relevant policies and factors, including Milestone Decision Authority (MDA) guidance

The required CMMC level and assessment type will be specified in the solicitation and resulting contract. Questions about the CMMC level required by the solicitation should be directed to the contracting officer. Once CMMC is effective through 48 CFR 252.204-7021 on November 10, 2025, the rollout of the CMMC Program will occur. Contractors handling FCI or CUI will be required to meet the CMMC requirement specified in the contract.

  • DoD contractors and subcontractors that handle FCI will be required to demonstrate CMMC Status of Final Level 1 (Self).
  • DoD contractors and subcontractors that handle CUI will be required to meet CMMC Status of Final Level 2 (Self) or CMMC Status of Final Level 2 (C3PAO).
  • DoD contractors and subcontractors managing CUI within DoD’s highest priority programs will be required to meet CMMC Status Level 3 (DIBCAC).

Additionally, the CMMC Program requirements will apply to new DoD solicitations and contracts and will flow down to subcontractors who process, store or transmit FCI and CUI in the performance of the subcontract.

How To Comply With the Applicable CMMC Level?

CMMC Level 1 Self-Assessment

To comply with CMMC Level 1 self-assessment requirements, the OSA must complete and achieve a MET result for all of the applicable security requirements to achieve the CMMC Status of Final Level 1 (Self). No Plan of Action and Milestones (POA&Ms) are permitted for CMMC Level 1. The OSA must conduct a self-assessment and submit assessment results to the Supplier Performance Risk System (SPRS).

To maintain compliance, the OSA must conduct a Level 1 self-assessment on an annual basis and submit the results in SPRS.

The self-assessment must be scored in accordance with the CMMC Scoring Methodology, must be performed in accordance with the CMMC Level 1 scope requirements and must be performed using the assessment objectives identified in the CMMC Level 1 Self-Assessment Guide.

CMMC Level 2 Self-Assessment

To comply with CMMC Level 2 self-assessment requirements, the OSA must complete and achieve a MET result for all security requirements specified in NIST SP 800-171 r2 to achieve the CMMC Status of Level 2 (Self). The OSA must conduct a self-assessment and submit assessment results in SPRS.

To maintain compliance, the OSA must conduct a Level 2 Self-Assessment every three years and submit the results in SPRS, within three years of the CMMC Status Date. Additionally, an Affirming Official at the OSA must submit an annual CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (Self).

The self-assessment must be scored in accordance with the CMMC Scoring Methodology, must be performed in accordance with the CMMC Level 2 scope requirements and must be performed using the assessment objectives identified in the CMMC Level 2 Assessment Guide or NIST SP 800-171A, Jun 2018. Artifacts used as evidence for the assessment must be retained by the OSA for six years from the CMMC Status Date.

POA&Ms are allowed in a Level 2 self-assessment. A POA&M closeout assessment must be performed by the OSA when all NOT MET requirements have been remediated. The POA&M closeout self-assessment must be performed within 180 days of the Conditional CMMC Status Date.

CMMC Level 2 Certification Assessment

To comply with CMMC Level 2 certification assessment requirements, the organization seeking certification (OSC) must complete and achieve a MET result for all the requirements specified in NIST SP 800-171 r2 to achieve the CMMC Status of Level 2 (C3PAO). The OSC must obtain a Level 2 certification assessment from an authorized or accredited C3PAO following the procedures outlined in the CMMC Level 2 Assessment Guide or NIST SP 800-171A, Jun 2018. The C3PAO must submit the Level 2 certification assessment results into the CMMC instantiation of eMASS, which then provides automated transmission to SPRS.

To maintain compliance with the requirements for a CMMC Status of Level 2 (C3PAO), the Level 2 certification assessment must be complete within three years of the CMMC Status Date associated with the Conditional Level 2 (C3PAO). Additionally, an Affirming Official at the OSC must submit an annual CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (C3PAO).

POA&Ms are allowed during a Level 2 certification assessment in accordance with the CMMC POA&M requirements. The OSC must remediate any requirements that are NOT MET and must undergo a POA&M closeout certification assessment from a C3PAO. The C3PAO must post compliance results into the CMMC instantiation of eMASS within 180 days of the CMMC Status Date associated with the Conditional Level 2 (C3PAO).

If the POA&M is not successfully closed out within the 180-day timeframe, the information system's Conditional Level 2 (C3PAO) CMMC Status will expire. The OSC has achieved the CMMC Status of Final Level 2 (C3PAO) if the Level 2 certification assessment results in a passing score based on the CMMC Scoring Methodology.

CMMC Level 3 Certification Assessment

To comply with CMMC Level 3 certification assessment requirements, the OSC must achieve a CMMC Status of Final Level 2 (C3PAO) based on the Level 3 CMMC Assessment Scope prior to initiating a Level 3 certification assessment, which will be performed by DCMA DIBCAC on behalf of the DoD. The OSC initiates a Level 3 certification assessment by emailing a request to the DCMA DIBCAC point of contact. The OSC must complete and achieve a MET result for all selected security requirements from NIST SP 800-172, Feb 2021, to achieve the CMMC Status of Level 3 (DIBCAC).

To maintain compliance with the requirements for a CMMC Status of Level 3 (DIBCAC), the Level 3 certification must be performed every three years for all information systems within the Level 3 CMMC Assessment Scope. In addition, given that compliance with Level 2 requirements is a prerequisite for CMMC Level 3, a Level 2 (C3PAO) certification must also be conducted every three years to maintain CMMC Level 3 (DIBCAC) status. Level 3 certification must be completed within three years of the CMMC Status Date associated with the Final Level 3 (DIBCAC), or if there was a POA&M, within three years of the CMMC Status Date associated with the Conditional Level 3 (DIBCAC). Additionally, an Affirming Official at the OSC must submit an annual CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (C3PAO) and Level 3 (DIBCAC).

POA&Ms are allowed during a Level 3 certification assessment in accordance with the CMMC POA&M requirements. The OSC must remediate any requirements that are NOT MET and must undergo a POA&M closeout certification assessment from DCMA DIBCAC. The DCMA DIBCAC must post compliance results into the CMMC instantiation of eMASS within 180 days of the CMMC Status Date associated with the Conditional Level 3 (DIBCAC). The OSC has achieved the CMMC Status of Final Level 3 (DIBCAC) if the Level 3 certification assessment results in a passing score based on the CMMC Scoring Methodology.

What Are The Requirements For External Service Providers?

The use of the ESP, its relationship to the OSA, and the services provided must be documented in the OSA’s System Security Plan (SSP) and described in the ESP’s service description and customer responsibility matrix (CRM).

The ESP services used to meet OSA requirements are assessed within the scope of the OSA’s assessment against all applicable Level 2 and/or 3 security requirements. ESPs are able to obtain their own CMMC Level 2 or 3 certification assessment, which can be inherited by the OSA for the applicable requirements noted in the OSA’s CRM.

What Are The Requirements For Cloud Service Providers?

Under certain circumstances, an organization seeking assessment (OSA) may use a cloud environment to process, store or transmit CUI in performance of a contract or subcontract. DFARS 252.204-7012 states that if a contractor intends to use an external cloud service provider to store, process or transmit any covered defense information (CUI) in performance of a contract, the contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.

Additionally, the contractor must ensure that the cloud service provider complies with requirements in paragraphs (c) through (g) of the clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis and cyber incident damage assessment.

The CMMC Program rule allows contractors and subcontractors to use CSPs under the following circumstances:

  • The CSP product or service offering is FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline, in accordance with the FedRAMP Marketplace
  • The CSP product or service offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets security requirements equivalent to those established by the FedRAMP Moderate (or higher), in accordance with DoD Policy
  • The OSA’s on-premises infrastructure connecting to the CSP’s product or service offering is part of the CMMC Assessment Scope

How Do I Prepare For CMMC Certification?

Companies should begin preparing for a CMMC assessment now by assessing their readiness to achieve the appropriate CMMC level. Given the rigorous requirements, CMMC may take longer than many companies realize, so readiness and preparation are key to success.

Cherry Bekaert is an RPO and an authorized C3PAO by the Cybersecurity Maturity Model Certification Accreditation Body, Inc. (The Cyber AB). As an RPO, we assist OSAs with CMMC readiness assessments for Levels 1, 2 and 3.

The main areas companies should focus on to prepare for a CMMC assessment include:

  • Identifying the correct CMMC Level of certification required.
  • Identifying where FCI and CUI data is stored, processed and transmitted within the contractor’s systems.
  • Identifying and documenting the assessment scope based on the CMMC Level 1, 2 or 3 Scoping Guidance, defining:
    • System boundaries
    • CUI data flow
    • Asset inventory and external system connections, including ESPs and CSPs
    • Asset categorization
    • Data flow, including any out-of-scope assets
  • Developing CMMC program documentation to support the contractor’s compliance program, including:
    • System security plan
    • Shared responsibility matrix
    • Incident response plan
    • Supporting policies, procedures and standards
  • Completing a gap analysis against the applicable security requirements at the appropriate CMMC level to assess the current state of compliance and identify gaps that will need to be remediated prior to the assessment.
  • Developing a roadmap to address gaps identified from the gap analysis.
  • Conducting a self-assessment. Contractors are required to complete a self-assessment before undergoing the certification assessment conducted by an authorized C3PAO.

Businesses should approach CMMC preparation with effort and vigor, as many companies underestimate the time and resources the process requires. CMMC readiness is not a process where most organizations can bid on a contract and quickly prepare and obtain the necessary certification to be awarded the contract within 30 to 60 days.

Based on experience, the majority of companies should allow at least six months of preparation time. However, that timeframe will vary depending on the current state and complexity of the assessed environment.

How Do I Obtain A CMMC Level 2 Certification Assessment From A C3PAO?

To obtain a CMMC Level 2 certification assessment, you must engage a C3PAO that is listed on the Cyber AB Marketplace as authorized to perform certification assessments. Start by visiting the Cyber AB Marketplace and searching for C3PAOs that are currently authorized. Once you identify a firm, reach out directly to initiate the engagement process. This typically involves a scoping discussion, contract execution, and scheduling of the assessment.

Cherry Bekaert, an authorized C3PAO, is actively conducting CMMC Level 2 certification assessments. To begin, contact our Information Assurance and Cybersecurity team to schedule your assessment and discuss next steps.

How Long Does A CMMC Level 2 Certification Assessment Take?

The duration of a CMMC Level 2 assessment varies based on the size and complexity of your environment, but typically includes:

  • Pre-assessment activities: 1–2 weeks
  • Assessment activities: 2–4 weeks
  • Assessment reporting: 1–2 weeks
  • Certification: 1 week, assuming no POA&Ms

On average, organizations should plan for a 6 to 8-week timeline from initial engagement to certification, assuming readiness. Early preparation and clear documentation can significantly streamline the process.

When Will Revision 3 of NIST SP 800-171 Be Required For CMMC?

As of now, CMMC Level 2 assessments will continue to be based on NIST SP 800-171 Revision 2. While Revision 3 was finalized on May 14, 2024, it has not yet been officially adopted into the CMMC framework.

For Revision 3 to be required, several steps must occur. The DoD must update its acquisition regulations to reference the new revision. The Cyber AB would then need to revise its assessor processes and documentation. Additionally, the DoD must define the Organizationally Defined Parameters (ODPs) introduced in Rev 3 to ensure consistent implementation across the Defense Industrial Base.

Although there is no formal timeline for Rev 3 adoption, contractors are encouraged to begin familiarizing themselves with the new requirements and consider aligning their systems to ease future transitions.

Contact Us

If you have any questions regarding CMMC, Cherry Bekaert’s Information Assurance & Cybersecurity and Government Contracting advisors are available to discuss your situation with you.

Contributors

Kurt Manske

Cybersecurity Leader

Partner, Cherry Bekaert Advisory LLC

Steven J. Ursillo, Jr.

Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Brian Kirk

Information Assurance & Cybersecurity

Sr. Manager, Cherry Bekaert Advisory LLC