Frequently Asked Questions

Plain answers to the questions DIB contractors actually ask.

Eighteen of the most common questions about CMMC, NIST 800-171, DFARS 252.204-7012, GCC High, the implementation timeline, scoring mechanics, and the documents and decisions that drive a successful assessment. Where a question has a deeper answer in our writing, we link to it.

CMMC basics

The structure of the program, who runs it, and how it shows up in contracts.

What is the difference between CMMC Level 1, Level 2, and Level 3?

CMMC defines three levels in 32 CFR Part 170. Level 1 applies to contractors handling Federal Contract Information (FCI) and requires the 15 basic safeguarding practices from FAR 52.204-21(b)(1)(i)-(xv), demonstrated by annual self-assessment. Level 2 applies to contractors handling Controlled Unclassified Information (CUI) and requires the 110 security requirements of NIST SP 800-171 Revision 2, unchanged; depending on the acquisition, Level 2 is met by either a self-assessment or a C3PAO certification assessment. Level 3 applies to the most sensitive defense programs. Per 32 CFR §170.18, a Final Level 2 (C3PAO) certification on the Level 3 assessment scope is a prerequisite, and the OSC must additionally meet the selected NIST SP 800-172 (February 2021) enhanced security requirements listed in Table 1 to §170.14(c)(4). Level 3 is assessed by the DoD's DCMA DIBCAC rather than a commercial C3PAO and must be recertified every three years, with a fresh Level 2 certification in the same cycle. Most DIB contractors handling CUI fall at Level 2.

When does CMMC actually become a contract requirement?

The CMMC program rule (32 CFR Part 170) took effect December 16, 2024, but it binds a contractor only once the companion acquisition rule puts a CMMC clause into that contractor's contract. That companion rule, the DFARS rule that created DFARS 252.204-7021, is phased into DoD solicitations over three years on a published schedule (see the rollout timeline below), so the requirement shows up in new awards and option exercises as the phase-in proceeds. A contract's CMMC level and assessment type (self-assessment or C3PAO certification) are stated in the solicitation; read the solicitation rather than inferring them from the phase.

How long does CMMC Level 2 readiness typically take?

It depends, and the range is wider than most contractors expect. The drivers that compress the timeline are a narrow CUI scope (fewer systems, users, and data flows in the assessment boundary), a small CUI-handling workforce, a dedicated internal champion who can own control implementation and evidence gathering, and a starting environment that is already on Microsoft 365 with most foundational controls in place. The drivers that extend the timeline are pervasive CUI exposure across the business, a large workforce, no internal champion, a weak starting posture, or a migration from commercial Microsoft 365 to GCC High before assessment.

A small contractor with a tight scope and a champion can be ready quickly. A mid-sized contractor with broad CUI exposure and a tenant migration ahead of them is a longer engagement. We don't quote a calendar without seeing the scope and the starting state. If you want a structured starting point, try the technical readiness self-survey and then bring the gap list to a discovery call.

What is the difference between a C3PAO and an RPO?

A C3PAO (CMMC Third-Party Assessment Organization) is authorized by the Cyber AB to conduct CMMC Level 2 certification assessments. An RPO (Registered Practitioner Organization) provides advisory and consulting services to organizations preparing for CMMC; an RPO does not perform certification assessments. Independence rules generally prevent the same organization from acting as both your advisor and your assessor on the same engagement, so most contractors work with an RPO for preparation and a separate C3PAO for the assessment.

Who can perform a CMMC Level 2 assessment?

For acquisitions designated for certification, the assessment is performed by a C3PAO authorized by the Cyber AB and listed in the Cyber AB Marketplace. The contractor selects and contracts directly with the C3PAO. For acquisitions designated for self-assessment, the contractor performs the assessment internally and submits the results to the DoD's Supplier Performance Risk System (SPRS). The acquisition documents specify which path applies; see how SPRS scoring works under NIST 800-171.

What is the Conditional CMMC Status Date?

CMMC Level 2 uses the scoring methodology in 32 CFR §170.24: the maximum score equals the number of Level 2 requirements (110), and each requirement assessed NOT MET deducts 5, 3, or 1 point. Per §170.21, a contractor reaches Conditional CMMC Status when the score divided by the number of Level 2 requirements is at least 0.8 (a score of 88 or higher out of 110) and every remaining NOT MET requirement is POA&M-eligible under the rule. The date that status is recorded is the Conditional CMMC Status Date, and it starts a 180-day clock. Within that window the contractor must remediate the open POA&M items and have a POA&M closeout assessment recorded. Who performs the closeout follows who performed the assessment: an authorized C3PAO for a Level 2 certification (recorded in CMMC eMASS), the OSC itself for a Level 2 self-assessment (recorded in SPRS), and DCMA DIBCAC for Level 3. Missing the window expires the Conditional Status. Details in our walkthrough of the 180-day POA&M window.

CUI, FCI, and data classification

What kinds of information trigger which obligations, and how those obligations flow to subcontractors.

What is the difference between FCI and CUI?

Federal Contract Information (FCI) is information provided by or generated for the federal government under a contract that is not intended for public release. It is governed by FAR 52.204-21 and triggers the 15 basic safeguarding practices that map to CMMC Level 1. Controlled Unclassified Information (CUI) is unclassified information requiring safeguarding under Executive Order 13556 and the rules in 32 CFR Part 2002. CUI categories are enumerated in the National Archives CUI Registry and include controlled technical information, export-controlled data, and several dozen others. CUI handling is governed by DFARS 252.204-7012 and triggers the higher protection requirements of NIST SP 800-171, which map to CMMC Level 2. A contract can include both FCI and CUI; when CUI is present, its higher controls govern.

What is the deemed export rule and why does it matter for CUI?

Under the ITAR definition of "export" (22 CFR Part 120), releasing controlled technical data to a foreign person is an export even when the release happens entirely inside the United States; this is the deemed export rule. For ITAR-controlled CUI, that means any non-U.S.-person access to the systems holding the data, including administrative or support access by a cloud provider's staff, is a potential export. Commercial Microsoft 365 is operated and supported by a global workforce that is not restricted to U.S. persons, which is the principal reason ITAR-controlled CUI belongs in Microsoft 365 GCC High, whose operations baseline is restricted to U.S. persons, rather than in commercial. See the GCC High decision framework for the broader cloud choice.

Do subcontractors need their own CMMC certification?

Yes, when CUI or FCI flows down to them. DFARS 252.204-7021 includes a flow-down clause: prime contractors must impose CMMC requirements on subcontractors whose work involves the same information. The required CMMC level for a subcontractor depends on what information that subcontractor actually receives. A subcontractor that sees only FCI may need only Level 1, even if the prime holds Level 2. Read the prime contract's flow-down provisions and the data-handling clauses end to end before scoping a subcontractor's CMMC obligations.

Cloud and Microsoft 365

Tenant choice, FedRAMP equivalency, and what the Microsoft Product Placemat actually covers.

Can I use commercial Microsoft 365 for CUI?

Microsoft's published guidance directs DIB contractors handling CUI to Microsoft 365 GCC, GCC High, or DoD, not commercial. The Microsoft Product Placemat for CMMC 2.0 (Preview, September 2024) maps GCC and GCC High services to CMMC Level 2 controls; commercial Microsoft 365 is not in scope of that mapping. C3PAOs commonly treat CUI in commercial Microsoft 365 as an assessment finding even where a strict reading of DFARS 7012 might permit it, because commercial M365 has non-U.S.-person support personnel and operational practices that don't align with the defense industry's expectations. For most contractors, the practical answer is no, and the choice is between GCC and GCC High.

Do I need GCC High if I only handle FCI?

No. FCI's protection baseline is the 15 practices in FAR 52.204-21, which a well-configured commercial Microsoft 365 tenant can meet. GCC High is built for CUI workloads, ITAR-controlled data, and DoD Impact Level 4 or higher environments. Paying for GCC High when no CUI is in scope is overspending. Read every active contract and active proposal before deciding; if any of them include CUI handling obligations, FCI-only is the wrong assumption.

Is FedRAMP Moderate enough for DFARS 7012?

DFARS 252.204-7012(b)(2)(ii)(D) requires cloud service providers handling covered defense information to meet "security requirements equivalent to" the FedRAMP Moderate baseline. Commercial Microsoft 365 holds a FedRAMP Moderate authorization, so a strict reading of the clause would treat that as sufficient. In practice, Microsoft's own guidance, the Microsoft Product Placemat scope, the operational reality of non-U.S.-person admin access, and the assessor community's posture all push DIB contractors handling CUI toward GCC (FedRAMP High) or GCC High (FedRAMP High plus DoD Impact Level 4/5). See the GCC High decision framework for the full reasoning.

Do I need to migrate to GCC High before my CMMC assessment?

It depends on whether CUI is in scope, where that CUI currently lives, and what contracts you've signed or expect to sign. If CUI is in scope and currently resides in commercial Microsoft 365, expect a C3PAO to flag both the FedRAMP authorization mismatch and the non-U.S.-person operational concern. If CUI sits in GCC and you have no ITAR or DoD Impact Level 4+ obligations, GCC may be defensible. If ITAR or IL4+ is in your contract pipeline within the next two to three years, migrating directly to GCC High avoids a costly second migration later. Read the decision framework for the specific gating questions.

CMMC rollout timeline

When DoD adds CMMC requirements to contracts on its own schedule, and why a prime contractor can require any level at any time regardless of where DoD's schedule sits.

What is the CMMC implementation timeline from November 2025 forward?

DoD's CMMC requirements are added to its contracts on a three-year phased schedule that began with the effective date of the DFARS final rule (the 48 CFR companion rule to the CMMC program rule in 32 CFR Part 170), on November 10, 2025. The phases as DoD has published them:

  • Phase 1 (Nov 10, 2025 through Nov 9, 2026). DoD includes CMMC Level 1 or Level 2 self-assessment requirements as a condition of contract award in applicable solicitations. At DoD's discretion, Level 2 C3PAO certification requirements may also be included in some solicitations during this phase.
  • Phase 2 (Nov 10, 2026 through Nov 9, 2027). DoD adds Level 2 C3PAO certification requirements as a condition of award in applicable solicitations. Self-assessment requirements from Phase 1 continue.
  • Phase 3 (Nov 10, 2027 through Nov 9, 2028). DoD adds Level 3 certification requirements as a condition of award in applicable solicitations and requires Level 2 certification as a condition for the exercise of contract options on existing awards.
  • Phase 4 (Nov 10, 2028 onward). Full implementation. CMMC requirements appear as a condition of award and a condition for the exercise of options across all applicable solicitations and contracts.

Important caveat about prime-subcontractor relationships: The phased schedule above governs when DoD itself adds CMMC clauses to its own solicitations. It does not restrict what a prime contractor can require of its subcontractors at any point in time. A prime that has accepted a contract requiring CMMC Level 2 may flow CMMC Level 1, Level 2, or Level 3 requirements down to subs handling FCI or CUI, immediately and independent of the DoD's phase. Subcontractors should not assume the DoD's published phase tells them how much time they have; the binding question is what the prime contract requires of you, and that is determined by the prime-sub agreement. Read the data-handling clauses end to end.

Documents and assessment mechanics

SSPs, POA&Ms, and what a C3PAO actually asks to see.

Do I need a System Security Plan for CMMC Level 1?

CMMC Level 1 does not require a formal SSP, though documenting how the 15 basic safeguarding practices are implemented is still good practice and makes annual self-assessment easier. CMMC Level 2 does require an SSP, and that SSP is one of the first documents a C3PAO will ask to see. The Level 2 SSP describes the system boundary, the implementation of each of the 110 NIST 800-171 practices, and any inherited controls from cloud service providers. See our walkthrough of authoring an SSP for NIST 800-171.

What happens if I have items on my POA&M at assessment time?

32 CFR §170.21 places narrow limits on which Level 2 requirements may be on a POA&M at assessment time. The rule allows POA&M only when the score-to-total ratio is at least 0.8 (a score of 88 of 110 or higher), and only for requirements valued at 1 point under the SPRS scoring methodology, with one exception: SC.L2-3.13.11 (CUI Encryption) may be on a POA&M if encryption is employed but it is not FIPS-validated, even though it carries a 3-point value. Higher-value requirements (the 5-point set, and 3-point requirements other than SC.L2-3.13.11) cannot be on a POA&M and must be MET at the time of assessment.

Six further requirements are excluded from POA&M eligibility by name in §170.21(a)(2)(iii), regardless of point value: AC.L2-3.1.20 (External Connections, CUI Data), AC.L2-3.1.22 (Control Public Information, CUI Data), CA.L2-3.12.4 (System Security Plan), PE.L2-3.10.3 (Escort Visitors, CUI Data), PE.L2-3.10.4 (Physical Access Logs, CUI Data), and PE.L2-3.10.5 (Manage Physical Access, CUI Data). Five of these are the CUI-scope versions of FAR 52.204-21 basic safeguarding practices; the sixth is the SSP itself. Add them to the 5-point and remaining 3-point requirements and more than half of the 110 Level 2 requirements are non-POA&M-eligible regardless of score. If any of those is NOT MET, the assessor cannot issue Conditional Status.

If the conditions for Conditional Status are met, the contractor has 180 days from the Conditional CMMC Status Date to remediate the open items and have a POA&M closeout assessment recorded in CMMC eMASS. Missing the window expires the Conditional Status. The 180-day window mechanics, in detail. POA&M management practices are covered separately.

What documents will a C3PAO ask to see?

A Level 2 assessment is evidence-based. The Cyber AB CMMC Assessment Process (CAP) and the DoD CIO Assessment Guide for Level 2 specify what assessors examine, whom they interview, and what they test for each of the 110 practices. The typical document set includes the SSP, any active POA&M, written policies and procedures for each of the 14 control families, network and data flow diagrams that show the CUI boundary, evidence of control implementation (configuration screenshots, audit log samples, training records), the contractor's most recent SPRS score submission, and the documentation of inherited controls from cloud service providers (for example, the provider's customer responsibility matrix). The assessment objectives for each practice, and the examine, interview, and test methods applied to them, are enumerated in NIST SP 800-171A.

How does CMMC Level 2 scoring work, and which practices cannot be on a POA&M?

CMMC Level 2 uses the CMMC Scoring Methodology defined in 32 CFR §170.24 and described operationally in the Cyber AB CAP. The maximum score equals the number of Level 2 security requirements (110). Each requirement is valued at 1, 3, or 5 points based on the impact of failing to implement it. When an assessor finds a requirement NOT MET, the requirement's point value is subtracted from 110. Achieving Conditional CMMC Status requires a score-to-total ratio of at least 0.8 (a score of 88 of 110 or higher) per 32 CFR §170.21.

Assessment is performed at the objective level, but scoring is at the practice level. The CAP v5.6.1 states it directly: "CMMC Assessments will be scored at the objective level... Each practice with an objective(s) that is scored as NOT MET will inherently be scored as 'NOT MET' for the entire practice and, accordingly, the Assessor will ascribe a deduction for the practice." In plain terms: a single failed assessment objective inside a practice fails the entire practice and triggers the full point deduction for that practice. There is no partial credit at the practice level (with one narrow exception, SC.L2-3.13.11, where partial credit is allowed depending on whether encryption is employed and whether it is FIPS-validated).

The 5-point Derived Security Requirements (20 named in the CAP), which cannot be on a POA&M:

AC.L2-3.1.12, AC.L2-3.1.13, AC.L2-3.1.16, AC.L2-3.1.17, AC.L2-3.1.18, AU.L2-3.3.5, CM.L2-3.4.5, CM.L2-3.4.6, CM.L2-3.4.7, CM.L2-3.4.8, IA.L2-3.5.3, IA.L2-3.5.10, MA.L2-3.7.5, MP.L2-3.8.7, RA.L2-3.11.2, SC.L1-3.13.5, SC.L2-3.13.6, SC.L2-3.13.15, SI.L1-3.14.4, SI.L2-3.14.6

The 3-point Basic Security Requirements (7 named):

AU.L2-3.3.2, MA.L2-3.7.1, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.1, RA.L2-3.11.1, CA.L2-3.12.2

The 3-point Derived Security Requirements (7 named):

AC.L2-3.1.5, AC.L2-3.1.19, MA.L2-3.7.4, MP.L2-3.8.8, SC.L2-3.13.8, SI.L1-3.14.5, SI.L1-3.14.7

All other basic security requirements default to 5 points; all remaining derived security requirements default to 1 point. The special practice SC.L2-3.13.11 (FIPS-validated cryptography) is treated as 5 points if encryption is not employed and as 3 points if encryption is employed but not FIPS-validated; per §170.21 it is the only 3-point requirement that may be included on a POA&M, and only in the latter situation.

Per §170.21(a)(2)(iii), six requirements are also excluded from POA&M eligibility by name, regardless of score or point value: AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5. Take the 5-point set (24 basic and 20 derived), the 3-point set (14, less SC.L2-3.13.11 in the encrypted-but-not-FIPS-validated case), and these six named carve-outs together, and more than half of the 110 Level 2 requirements, around 60, cannot be remediated via POA&M and must be MET at the time of assessment. Note also that the 0.8 ratio caps the total deduction at 22 points, so even a POA&M made up entirely of 1-point items can hold at most 22 of them (19 if SC.L2-3.13.11 is among them at 3 points).
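The scoring and POA&M-eligibility rules in the two answers above (the deduction per NOT MET requirement, the 0.8 ratio, the point-value tables, the SC.L2-3.13.11 special case, the six named exclusions, and the CAP rule that one failed objective fails the whole practice) form a small decision procedure, and it is easy to get a corner case wrong by hand. The following is an added worked example that encodes them in Python; it is not DoD, Cyber AB, or this site's code. The point values and exclusions are the ones listed on this page, the set of 31 basic requirements is taken from NIST SP 800-171 Rev 2, and the findings in the scenario at the bottom are constructed for illustration.

```python
"""CMMC Level 2 score, POA&M eligibility and resulting status (32 CFR 170.21/170.24).
Added worked example, not DoD or Cyber AB code. Point values and named exclusions
follow the tables on this page; BASIC is the 31 basic requirements of NIST SP
800-171 Rev 2. The findings at the bottom are a constructed scenario."""
import re
from dataclasses import dataclass, field

MAX_SCORE = 110
CUI_ENCRYPTION = "3.13.11"   # SC.L2-3.13.11, the one partially-scored practice here

# Requirements per family in Rev 2, keyed by the family number of "3.<family>.<n>".
FAMILY_SIZE = {1: 22, 2: 3, 3: 9, 4: 9, 5: 11, 6: 3, 7: 6, 8: 9,
               9: 2, 10: 6, 11: 3, 12: 4, 13: 16, 14: 7}
# The 31 basic security requirements; every other ID is a derived requirement.
BASIC = {"3.1.1", "3.1.2", "3.2.1", "3.2.2", "3.3.1", "3.3.2", "3.4.1", "3.4.2",
         "3.5.1", "3.5.2", "3.6.1", "3.6.2", "3.7.1", "3.7.2", "3.8.1", "3.8.2",
         "3.8.3", "3.9.1", "3.9.2", "3.10.1", "3.10.2", "3.11.1", "3.12.1",
         "3.12.2", "3.12.3", "3.12.4", "3.13.1", "3.13.2", "3.14.1", "3.14.2",
         "3.14.3"}
# CAP point-value tables as reproduced on this page.
FIVE_POINT_DERIVED = {"3.1.12", "3.1.13", "3.1.16", "3.1.17", "3.1.18", "3.3.5",
                      "3.4.5", "3.4.6", "3.4.7", "3.4.8", "3.5.3", "3.5.10",
                      "3.7.5", "3.8.7", "3.11.2", "3.13.5", "3.13.6", "3.13.15",
                      "3.14.4", "3.14.6"}
THREE_POINT = {"3.3.2", "3.7.1", "3.8.1", "3.8.2", "3.9.1", "3.11.1", "3.12.2",   # basic
               "3.1.5", "3.1.19", "3.7.4", "3.8.8", "3.13.8", "3.14.5", "3.14.7"}  # derived
# 32 CFR 170.21(a)(2)(iii): never POA&M-eligible, whatever their point value.
NAMED_EXCLUSIONS = {"3.1.20", "3.1.22", "3.12.4", "3.10.3", "3.10.4", "3.10.5"}

_ID_RE = re.compile(r"(?:^|-)3\.(\d{1,2})\.(\d{1,2})$")


def normalize(req: str) -> str:
    """Accept 'AC.L2-3.1.12' or '3.1.12'; return the bare NIST ID or raise."""
    m = _ID_RE.search(req.strip())
    if not m:
        raise ValueError(f"not a NIST SP 800-171 requirement ID: {req!r}")
    fam, n = int(m.group(1)), int(m.group(2))
    if fam not in FAMILY_SIZE or not 1 <= n <= FAMILY_SIZE[fam]:
        raise ValueError(f"no such requirement in Rev 2: {req!r}")
    return f"3.{fam}.{n}"


def point_value(req: str, encryption_employed: bool = False) -> int:
    """Deduction taken when the requirement is assessed NOT MET."""
    rid = normalize(req)
    if rid == CUI_ENCRYPTION:      # 5 with no encryption, 3 if encrypted but not FIPS-validated
        return 3 if encryption_employed else 5
    if rid in THREE_POINT:
        return 3
    if rid in BASIC or rid in FIVE_POINT_DERIVED:
        return 5
    return 1                       # all remaining derived requirements


def poam_eligible(req: str, encryption_employed: bool = False) -> bool:
    rid = normalize(req)
    if rid in NAMED_EXCLUSIONS:
        return False
    if rid == CUI_ENCRYPTION:      # only the encrypted-but-not-FIPS case may be on a POA&M
        return encryption_employed
    return point_value(rid) == 1


def not_met_practices(findings: dict[str, list[bool]]) -> list[str]:
    """CAP rule: a single NOT MET objective (False) fails the whole practice."""
    return [p for p, objectives in findings.items() if not all(objectives)]


@dataclass
class Level2Result:
    score: int
    status: str                                        # FINAL, CONDITIONAL or NOT CERTIFIED
    poam: list[str] = field(default_factory=list)      # NOT MET but POA&M-eligible (180 days)
    blockers: list[str] = field(default_factory=list)  # NOT MET and must be MET to certify


def evaluate(not_met: list[str], encryption_employed: bool = False) -> Level2Result:
    ids = sorted({normalize(r) for r in not_met},
                 key=lambda s: tuple(int(x) for x in s.split(".")[1:]))
    score = MAX_SCORE - sum(point_value(r, encryption_employed) for r in ids)
    poam = [r for r in ids if poam_eligible(r, encryption_employed)]
    blockers = [r for r in ids if r not in poam]
    if not ids:
        status = "FINAL"
    elif not blockers and score * 5 >= MAX_SCORE * 4:   # ratio >= 0.8, in integers
        status = "CONDITIONAL"
    else:
        status = "NOT CERTIFIED"
    return Level2Result(score, status, poam, blockers)


if __name__ == "__main__":
    # Constructed findings: practice -> MET (True) / NOT MET (False) per objective.
    findings = {
        "AC.L2-3.1.3": [True, False, True],      # one failed objective: practice NOT MET
        "AC.L2-3.1.12": [True, True, True],      # 5-point practice, MET
        "SC.L2-3.13.11": [True, False],          # encrypted, but not FIPS-validated
        "AC.L2-3.1.20": [False],                 # 1 point, yet excluded from POA&M by name
    }
    print(evaluate(not_met_practices(findings), encryption_employed=True))
```

Running the file scores the constructed scenario: 105 of 110, two POA&M-eligible items, and NOT CERTIFIED because AC.L2-3.1.20 is a named exclusion even though it is only worth 1 point. Swap in your own list of NOT MET practice IDs (either the CMMC form or the bare NIST form) to see whether Conditional Status is reachable and exactly which items must be fixed before the assessor arrives.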

Have a question we didn't cover?

We answer the questions specific to your contracts, your tenant, and your timeline. Tell us about your situation and we will give you a straight read.