CMMC Knowledge Base for OSCs
Comprehensive guides, planning resources, and best practices to help your organization navigate the CMMC certification process with confidence.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense's framework for ensuring that defense contractors protect sensitive government information. It replaced the original CMMC 1.0 in 2021 and became enforceable with the final rule effective December 16, 2024.
Three Levels of CMMC:
- Level 1 (Foundational): 17 practices, annual self-attestation. For contractors handling Federal Contract Information (FCI).
- Level 2 (Advanced): 110 practices from NIST SP 800-171. For contractors handling Controlled Unclassified Information (CUI). Level 2 self-assessments exist, but most DoD contracts require a certifying assessment by a C3PAO (third-party assessor), and a C3PAO certification typically earns additional evaluation points when bidding on projects.
- Level 3 (Expert): 130+ practices, including NIST SP 800-172. Government-led DIBCAC assessment. For the highest-priority programs.
CMMC applies to any organization in the Defense Industrial Base (DIB) that handles CUI or FCI under Defense contracts, including prime contractors and subcontractors throughout the supply chain.
Enforcement Timeline:
- Phase 1 (Nov 2025): Level 1 self-attestation and Level 2 self-attestation requirements begin
- Phase 2 (Nov 2026): Level 2 C3PAO assessment requirements begin for new contracts
- Phase 3 (Nov 2027): Broader Level 2 and Level 3 requirements
- Phase 4 (Nov 2028): Full implementation across all applicable contracts
Understanding what information you handle is the first step in determining your CMMC level requirement.
Federal Contract Information (FCI): Information provided by or generated for the Government under a contract to develop or deliver a product or service. FCI requires CMMC Level 1 compliance.
Controlled Unclassified Information (CUI): Information the Government creates or possesses that requires safeguarding per law, regulation, or Government-wide policy. CUI requires CMMC Level 2 compliance.
Examples of CUI include:
- Technical data and engineering drawings
- Export-controlled information (ITAR/EAR)
- Privacy data (PII)
- Law enforcement sensitive information
- Critical infrastructure information
How to Identify CUI:
- Review your contracts for DFARS clause 252.204-7012
- Look for markings on documents provided by the Government
- Consult the CUI Registry at archives.gov/cui
- Work with your Contracting Officer if uncertain
Why It Matters:
Misidentifying CUI can lead to either under-protecting sensitive information (security risk) or over-scoping your CMMC boundary (cost risk). Getting this right is foundational to your entire CMMC project.
Official Program Resources
Resources for CMMC Compliance
- CMMC Alignment to NIST Standards Breakout Session Presentation | February 2025
  This presentation provides an overview of the Cybersecurity Maturity Model Certification (CMMC) Program, its alignment with NIST Special Publications (SP) 800-171 Revision 2 and 800-172, details on scoring methodologies including considerations for Multi-Factor Authentication (MFA) and Federal Information Processing Standards (FIPS), and discusses the transition to NIST SP 800-171 Revision 3.
- FedRAMP Authorization and Equivalency | February 2025
  This document outlines the requirements for cloud service providers (CSPs) within the Defense Industrial Base (DIB), focusing on the Federal Risk and Authorization Management Program (FedRAMP) authorization process, equivalency requirements set by the Department of War (DoW), and recommendations for CSPs to meet these standards.
- Technical Application of CMMC Requirements: ESPs, Asset Categories, SPA/SPD, and VDI | February 2025
  This document delves into the technical application of CMMC requirements, covering topics such as External Service Providers (ESPs), asset categories, Security Protection Assets (SPA) and Security Protection Data (SPD), and Virtual Desktop Infrastructure (VDI). It provides guidance on how these elements fit into the CMMC framework and their implications for organizations seeking compliance.
- Supplier Performance Risk System (SPRS) Overview for DOW Cybersecurity & SAP IT Summit | February 12, 2025
  This presentation offers an in-depth overview of the Supplier Performance Risk System (SPRS), detailing its role as the authoritative source for supplier and product performance information within the Department of War (DoW). It covers vendor performance metrics, cybersecurity assessments, and compliance requirements. The document also outlines the pathway for contractors to conduct and submit cybersecurity self-assessments, particularly NIST SP 800-171 and Cybersecurity Maturity Model Certification (CMMC) Level 1 and Level 2 assessments.
- Introduction to the CMMC Enterprise Mission Assurance Support Service (eMASS) | February 12, 2025
  This document introduces the CMMC Enterprise Mission Assurance Support Service (eMASS), a tailored version of DoW's eMASS designed to store, track, and report on CMMC Level 2 and Level 3 assessment data. It explains the system's functions, including its role as a data repository for CMMC assessments, tracking Plans of Action and Milestones (POA&Ms), and managing appeals. The presentation also details the assessment data flow, user roles, and the process for conducting and reporting assessments within eMASS.
- Pentagon Posts CMMC Presentation Slides on Alignment with NIST Standards, FedRAMP Equivalency | March 18, 2025
  This article discusses the DoW's release of new presentation slides providing details on the Cybersecurity Maturity Model Certification (CMMC) program. The slides cover alignment with NIST Special Publication 800-171 Revision 2, scoring methodologies, transition plans to NIST 800-171 Revision 3, and guidance on FedRAMP authorization and equivalency for cloud service providers within the defense industrial base.
32 CFR (CMMC Program)
- Downloadable PDF of Federal Register text (this version has page numbers)
- Federal Register home page for CMMC and comments
- Docket Information (the rule agenda)
- Public comments posted regarding rule
- Regulatory Impact Analysis 32 CFR Part 170 (analysis of changes and cost)
- Initial Regulatory Flexibility Analysis 32 CFR (benefits and costs, impact to small business)
CMMC Guides
(Assessment guides, scoping, etc.)
- CMMC Guidance documents home and comments page
- Notice of Guidance for CMMC
- CMMC Model Overview
- Scoping Guide – CMMC Level 1
- Scoping Guide – CMMC Level 2
- Scoping Guide – CMMC Level 3
- Assessment Guide – CMMC Level 1
- Assessment Guide – CMMC Level 2
- Assessment Guide – CMMC Level 3
- Hashing Guide (used during assessments only)
Frequently Asked Questions
Answers to the questions we hear most often from Organizations Seeking Compliance.
CMMC FAQs
- How long does CMMC Level 2 certification take?
  Most organizations need 6–18 months to prepare for a CMMC Level 2 certifying assessment, depending on their current cybersecurity posture. Organizations with mature security programs may be ready in 6 months; those starting from scratch may need 18 months or more. The certifying assessment itself typically takes 3–5 business days.
- What is the difference between a C3PAO and an RPO?
  A C3PAO (CMMC Third-Party Assessment Organization) is authorized by the Cyber AB to conduct official CMMC Level 2 certifying assessments. An RPO (Registered Provider Organization) can help you prepare for CMMC compliance but cannot conduct the official certifying assessment. Real Compliance Platform's partners include four authorized C3PAOs.
- Can the same C3PAO conduct my mock assessment and certifying assessment?
  Yes — the same C3PAO can conduct both your mock assessment and your certifying assessment. This is common practice and does not create a conflict of interest. Real Compliance Platform can help you select the right C3PAO partner and coordinate both engagements through a single point of contact.
- What happens if I don't pass my CMMC assessment?
  If you have minor gaps, you may receive a 'Conditional' CMMC Level 2 status with a 180-day window to close out your POA&M items. If you have significant gaps, you will not receive certification and will need to remediate and schedule a new assessment. This is why mock assessments are so valuable — they identify gaps before they affect your official result.
- Do I need CMMC if I'm a subcontractor?
  Yes. CMMC requirements flow down through the supply chain. If your prime contractor's contract requires CMMC and you handle CUI as part of that work, you will also need CMMC certification. Review your contracts and subcontracts carefully, and consult with your prime contractor about their requirements.
- What is a CMMC-compliant enclave?
  A CMMC-compliant enclave is a dedicated, isolated IT environment designed specifically to handle CUI in a way that meets all CMMC Level 2 requirements. By isolating CUI work to a separate environment (such as Microsoft GCC High or Google Workspace for Government), organizations can reduce their assessment scope and inherit many security controls from the cloud provider. MNS Group specializes in building these enclaves.
- How much does a CMMC Level 2 assessment cost?
  Assessment costs vary based on your organization's size, scope, and complexity. Contact our sales team for quotes from our C3PAO partners — we can provide proposals from all four authorized C3PAOs so you can compare pricing and approach.