
Frequently Asked Questions

Please reach out to us at misti.tokarsky@closethegapcyber.com if you cannot find an answer to your question.


Phase 1 (Currently in Effect): Since November 10, 2025, defense contracts have begun including CMMC requirements as a condition of award. For most contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), this phase requires an annual self-assessment and a signed affirmation of compliance to be submitted to the Supplier Performance Risk System (SPRS).

Phase 2 (Deadline: November 10, 2026): This is the critical shift. Starting November 10, 2026, contracts involving CUI will begin requiring mandatory third-party certification by a Certified Third-Party Assessment Organization (C3PAO). You will no longer be able to rely solely on self-attestation for these contracts.


Budgeting for CMMC compliance is complex because costs vary significantly based on your organization's size, the amount of Controlled Unclassified Information you handle, and the current state of your cybersecurity maturity. There is no single correct number, but you should anticipate costs across three main categories: assessment and consulting fees, third-party audit expenses, and technical remediation or tool investments. Consulting support for gap analysis and plan development can range from $5,000 to over $50,000, depending on network complexity, while formal audit fees from a certified organization typically cost between $30,000 and $80,000.


Technical remediation is often the largest line item, as you may need to invest in new software, secure cloud environments, or automated compliance platforms to meet specific NIST 800-171 controls. You can help manage these expenses by reducing the scope of your audit through an enclave approach, which isolates sensitive data to a smaller portion of your network, or by using standardized compliance toolkits to establish a baseline before engaging external experts. It is wise to view these expenses as an investment in infrastructure that secures your eligibility for future Department of Defense contracts rather than just a one-time compliance cost.



Your company may need a CMMC Level 2 assessment if you are a DoD contractor or subcontractor and your contract requires you to process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on your systems. The required level should come from the solicitation, contract, or prime-contractor flowdown—not from guesswork. Under DFARS 252.204-7021, the contracting officer inserts the required CMMC level, and the contractor must maintain that level, or higher, for the systems used to handle FCI or CUI during contract performance. 

In general:

CMMC Level 1 applies when you handle FCI only and do not process, store, or transmit CUI. Level 1 is based on the 15 basic safeguarding requirements in FAR 52.204-21 and requires an annual self-assessment and annual affirmation. 

CMMC Level 2 applies when you handle CUI. Level 2 is based on the 110 security requirements in NIST SP 800-171 Revision 2. Depending on the contract, Level 2 may require either a self-assessment or an independent assessment by a C3PAO. 

CMMC Level 3 applies to a smaller set of higher-risk contracts involving CUI that requires protection against advanced persistent threats. Level 3 requires a Final Level 2 status first, then a government-led DIBCAC assessment against additional requirements from NIST SP 800-172. 

A practical way to determine your level is:

  1. Check the solicitation, contract, or subcontract flowdown for the required CMMC level and applicable clauses. 
  2. Identify what information you will receive, create, store, or transmit. If it is only FCI, Level 1 may apply. If it includes CUI, Level 2 is likely. 
  3. Confirm with the prime contractor or contracting officer if the data is unclear, unmarked, inconsistently marked, or if the CMMC level is missing. 
  4. Scope the systems that touch FCI or CUI, because CMMC applies to the contractor information systems used in performance of the contract.  

The honest answer is: you do not choose your CMMC level based on what feels appropriate; it is driven by the contract requirement and the type of government information your systems handle. If you do not handle CUI, DoD’s FAQ says you do not need an independent assessment; if you handle FCI only, a Level 1 self-assessment is required. 


CUI is not simply “anything sensitive.” CUI is specific unclassified government information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. If information is marked CUI, listed in contract documents as CUI, or fits a category in the CUI Registry, it should be handled as CUI. If the status is unclear, ask the prime contractor or contracting officer for written clarification rather than guessing.


A good rule of thumb is:

Regular business information is information your company owns or uses for normal operations, such as internal pricing strategy, general emails, marketing material, ordinary accounting records, or commercial product data that was not created for or received from the government.

CUI is unclassified information tied to a government requirement that must be protected, such as certain controlled technical information, export-controlled data, sensitive procurement information, certain privacy data, or other information that fits an approved CUI category in the CUI Registry. The CUI Registry is the government-wide source for CUI categories, markings, and policy guidance. 

To determine whether something is CUI, check these things:

  1. Look at the contract, solicitation, SOW, DD Form 254 if applicable, CDRLs, data deliverables, and prime-contractor flowdowns. These should identify whether CUI will be provided, created, stored, or transmitted. 
  2. Look for CUI markings or distribution statements. Properly marked CUI should include required CUI markings and a designation indicator. DoD marking guidance says unclassified documents containing CUI should be checked against the DoD CUI Registry and marked with “CUI” at the top and bottom of each page, along with a CUI designation indicator block.  
  3. Compare the information to the CUI Registry. Agencies may use only approved CUI categories or subcategories published in the CUI Registry when designating information as CUI.  
  4. Ask the prime contractor or contracting officer when the status is unclear. If the information is unmarked, inconsistently marked, or only described vaguely as “sensitive,” ask for clarification in writing. Do not rely on assumptions. 
  5. Remember that missing markings do not always mean the information is not CUI. The regulation states that the lack of a CUI marking does not exempt an authorized holder from applicable handling requirements if the information actually qualifies as CUI.  

The practical answer for contractors is: treat CUI identification as a contract and data-governance issue, not just an IT issue. Your company should have a process for reviewing incoming documents, identifying CUI categories, confirming unclear data with the prime or government customer, and recording where CUI is stored, processed, transmitted, and shared.


To fully prepare for a C3PAO assessment, you must move beyond simple policy statements and provide objective evidence that demonstrates your security controls are actively implemented and functioning as intended. Assessors typically require a combination of documentation, configuration snapshots, and observational records to verify compliance with NIST SP 800-171 requirements. This includes items such as your System Security Plan, written procedures for operational tasks, and evidence of periodic security awareness training. During the assessment, auditors will interview various members of your organization to ensure that all staff members are aware of, and consistently following, the specific policies and procedures meant to protect Controlled Unclassified Information.


You should also be prepared to share technical records that prove your controls are effectively managing risk in your live environment. This evidence often includes screenshots of system configuration settings, logs from your access management and antivirus software, incident response ticket histories, and documented vulnerability scan reports. Because the C3PAO needs to see that your security measures are consistently applied over time, maintaining a well-organized repository of these artifacts ensures you can demonstrate a repeatable and defensible posture throughout the entire audit process.


A Registered Provider Organization, or RPO, is a company authorized to provide pre-assessment consulting and guidance to help contractors prepare for CMMC. They assist with gap analyses, policy development, and the implementation of security controls, but they are not permitted to perform official certification assessments. 


In contrast, a CMMC Third-Party Assessment Organization, or C3PAO, is an accredited firm authorized to conduct the actual, independent CMMC assessments and issue certification decisions. To maintain objectivity and prevent conflicts of interest, a single company cannot provide both advisory services and official certification assessments to the same client. 


An Organization Seeking Assessment, or OSA, is the formal term for any entity preparing to undergo a CMMC assessment. This term includes both organizations performing self-assessments for lower maturity levels and those seeking independent certification from a C3PAO. Essentially, if you are a defense contractor currently working toward CMMC compliance for your information systems, your business is considered an OSA. 


CMMC assessors expect objective evidence that your security requirements are documented, implemented, and operating in your actual environment. For CMMC Level 2, that evidence is evaluated through examine, interview, and test methods. In practice, this means assessors will review your SSP, asset inventory, network and data-flow diagrams, policies, procedures, system configurations, logs, tickets, training records, access reviews, vulnerability scans, incident records, and other proof that your controls are working. Draft policies, generic templates, and undocumented “we just do it that way” processes are not enough. Evidence should be final, approved, current, mapped to each assessment objective, and consistent with what your staff can demonstrate during interviews and testing.


A CUI enclave is a physically or logically isolated segment of your network specifically designed to store, process, and transmit Controlled Unclassified Information. By restricting this sensitive data to a smaller, hardened portion of your infrastructure, you limit the scope of your CMMC assessment to only those systems that interact with CUI. This approach effectively reduces the cost and complexity of compliance because the vast majority of your enterprise network no longer requires the same stringent security controls as the enclave itself.


To build an enclave, you must first perform a data discovery exercise to identify where all your CUI resides and how it flows through your systems. You then implement strict network segmentation, such as using firewalls and access control lists, to cordon off the CUI environment from your general business network. Within this secure zone, you must fully implement all required NIST SP 800-171 security controls, including robust identity management, encryption, and continuous monitoring, while ensuring that only authorized personnel have access.


Once the architecture is established, you must document the boundary and the security measures within your System Security Plan to prove to an assessor that the enclave is appropriately protected. 
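The data discovery and boundary steps above are where enclave projects most often go wrong: a documented CUI flow into a system outside the enclave silently pulls that system into assessment scope. The following script is an added example, not Close the Gap Cyber Consulting's tooling; it takes a constructed asset inventory, data-flow list, and proposed enclave boundary and reports assets that handle CUI but sit outside the boundary, plus enclave members that never touch CUI.

```python
"""Added example (not the consultancy's own code): sanity-check a proposed
CUI enclave boundary against an asset inventory and data-flow map before it
is written into the System Security Plan. All data below is constructed."""
from collections import deque

# Constructed inventory: asset name -> True if it stores or processes CUI.
ASSETS = {
    "cui-fileserver": True,
    "cui-workstation-01": True,
    "cad-app-server": False,
    "corp-mail": False,
    "hr-payroll": False,
    "marketing-web": False,
}

# Constructed data flows (source, destination) from the data-flow diagram.
FLOWS = [
    ("cui-fileserver", "cui-workstation-01"),
    ("cui-workstation-01", "cad-app-server"),  # CAD drawings containing CUI
    ("corp-mail", "marketing-web"),
    ("hr-payroll", "corp-mail"),
]

# Proposed enclave boundary as currently drafted for the SSP.
ENCLAVE = {"cui-fileserver", "cui-workstation-01"}


def cui_scope(assets, flows):
    """Every asset that stores CUI or is downstream of a CUI flow (transitive)."""
    in_scope = {name for name, has_cui in assets.items() if has_cui}
    queue = deque(in_scope)
    while queue:
        src = queue.popleft()
        for flow_src, flow_dst in flows:
            if flow_src == src and flow_dst not in in_scope:
                in_scope.add(flow_dst)
                queue.append(flow_dst)
    return in_scope


def boundary_findings(assets, flows, enclave):
    """Return (assets in CUI scope but outside the enclave,
    enclave members that never touch CUI and could be descoped)."""
    scope = cui_scope(assets, flows)
    return sorted(scope - enclave), sorted(enclave - scope)


if __name__ == "__main__":
    leaks, unused = boundary_findings(ASSETS, FLOWS, ENCLAVE)
    print("In CMMC scope but outside the enclave:", leaks)
    print("Enclave members with no CUI flows:", unused)
```

Each asset reported as a leak must either be moved inside the enclave boundary or have its CUI flow removed; otherwise the SSP boundary will not match what an assessor finds during testing.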


Close the Gap Cyber Consulting provides tailored support primarily to defense contractors and organizations operating within the Defense Industrial Base. These businesses, ranging from small and medium-sized subcontractors to larger prime contractors, benefit most when they need to navigate complex regulatory requirements such as CMMC, NIST SP 800-171, and RMF compliance.


Organizations that handle Controlled Unclassified Information or Federal Contract Information but lack the internal resources or specialized expertise to perform thorough gap analyses and remediation often find the most value in these services. By partnering with a consultant, these firms can systematically identify security deficiencies, develop robust System Security Plans, and create prioritized roadmaps to achieve the compliance standards necessary to compete for and maintain Department of Defense contracts. 



Copyright © 2026 Close the Gap Cyber Consulting - All Rights Reserved.

