CMMC LaunchPad

Frequently Asked Questions

Common questions about certification, compliance levels, and our process.

Getting CMMC 2.0 compliant typically takes DoD contractors 6 to 18 months, depending on their starting security posture. Level 1 is faster (weeks to months). Level 2 often takes a year or more to implement the NIST SP 800-171 controls, train staff, and prepare for a C3PAO assessment, and larger companies may take longer.

The timeline can be shortened considerably, sometimes to weeks or months, but everything depends on your scope and requirements. It is best to start early so that you understand your options.

It depends on a number of factors. If your company already complies with DFARS 252.204-7012, you should already have implemented NIST SP 800-171: that clause has been in effect since 2016, and full implementation was required by December 31, 2017. In that case, the cost would likely be $20,000 to $50,000.

It all depends on your organization's security maturity, scope, and preparedness. The following is a back-of-the-envelope estimate based on company size.

  • Small Defense Contractors (≤100 employees): $30,000-$150,000
  • Mid-sized Defense Contractors (101-999 employees): $100,000-$500,000
  • Large Enterprise Defense Contractors (1,000+ employees): $500,000-$2,000,000+

It should be noted that there are programs available to help subsidize the cost. Your company may be eligible. We’re happy to help you determine if your company is eligible.

You can't indefinitely delay CMMC 2.0. It is being phased in, with requirements appearing in DoD contracts starting November 2025 and full enforcement by late 2028, so delaying risks losing contracts. The final rule is in effect. Phase 1 (November 2025 to November 2026) allows Level 1 and Level 2 self-assessments, but later phases require a C3PAO certification assessment for Level 2 contracts that call for it, and building full compliance takes time. Start preparing now so that you don't miss opportunities.

Both the DFARS and CMMC frameworks center around data protection through security controls; however, they differ in their compliance assessments.

With DFARS 252.204-7012 (aka "DFARS Clause 7012"), organizations implement NIST SP 800-171 and attest to it themselves; the clause provides no external inspection or verification of how CUI is generated, stored, and transmitted.

CMMC 2.0 combines self-assessments with assessments by CMMC Third-Party Assessment Organizations (C3PAOs), which determine whether an organization meets a specific level.

Another difference is the three levels in CMMC. DFARS Clause 7012 has a single tier that lays ground rules for handling CUI and raising security in the DIB. CMMC instead institutes levels that classify the extent of cybersecurity protective measures. Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21, a subset of NIST SP 800-171. Level 2 covers all 110 requirements of NIST SP 800-171 Rev. 2, the same control set DFARS Clause 7012 requires; the difference is that implementation is assessed rather than merely attested. Level 3 adds 24 selected requirements from NIST SP 800-172 and is assessed by the government.

Although similar in some respects, DFARS Clause 252.204-7012 and CMMC are not interchangeable standards. Qualifying for one does not automatically establish compliance with the other.

ITAR compliance means following the International Traffic in Arms Regulations (ITAR) to control the import and export of defense-related items and services. The US government created ITAR to protect national security and foreign policy objectives and to prevent defense-related materials from being used for criminal or terrorist activities.

Approximately 13,000 members of the defense industrial base are required to comply with ITAR in conjunction with CMMC 2.0. Organizations that must be ITAR compliant include:

  • Manufacturers
  • Exporters
  • Brokers
  • Wholesalers
  • Contractors
  • Software, hardware, and technology vendors
  • Third-party suppliers
  • Research labs
  • Universities

ITAR compliance requires organizations to track, monitor, and audit ITAR technical data and to release it only to U.S. persons (U.S. citizens, lawful permanent residents, and certain protected individuals); a foreign-national employee is a foreign person under ITAR even while located in the United States. The State Department's Directorate of Defense Trade Controls (DDTC) can authorize exports of defense articles or technical data to foreign persons. Non-compliance with ITAR can result in civil fines and criminal prosecution.

CMMC (Cybersecurity Maturity Model Certification) is expected to transition to NIST SP 800-171 Rev 3, which was released in May 2024, but the DoD is rolling it out deliberately. Rev 2 remains the standard for DFARS 7012 and CMMC for now (the DoD issued a class deviation keeping Rev 2 in place), and CMMC Level 2 still assesses against Rev 2. Rev 3 is expected to become the benchmark through future rulemaking as CMMC rolls out over the next few years (phases starting late 2025 into 2028).

NIST SP 800-171 Assessment Objectives are the specific, verifiable criteria used to determine whether a NIST SP 800-171 control is correctly implemented and operating as intended. They come from NIST SP 800-171A, the companion assessment guide.

A SPRS score is a numeric representation of an organization's implementation of the NIST SP 800-171 security requirements, calculated in accordance with the DoD NIST SP 800-171 Assessment Methodology and submitted to the Department of Defense's Supplier Performance Risk System (SPRS) under DFARS 252.204-7019 and 252.204-7020. Using this methodology, organizations start with a maximum score of 110 and subtract a weighted value of 1, 3, or 5 points for each unmet security requirement, reflecting the relative risk of the missing control; a requirement counts as unmet if any of its assessment objectives is unmet. Two requirements (3.5.3, multi-factor authentication, and 3.13.11, FIPS-validated cryptography) carry partial credit, and the lowest possible score is -203. The resulting score is a self-attested snapshot of the organization's cybersecurity posture and may include deficiencies tracked in a Plan of Action & Milestones (POA&M), as allowed by DFARS.

The SPRS score directly relates to CMMC 2.0 Level 2 because both rely on the same NIST SP 800-171 requirements and assessment objectives, and both use the DoD Assessment Methodology as the basis for evaluating implementation. However, a SPRS score alone does not constitute CMMC compliance. Under CMMC 2.0 Level 2, a contract requires either a self-assessment or a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO), each performed every three years with annual affirmations in between. While SPRS scoring fulfills a DFARS reporting obligation, CMMC Level 2 adds formal validation and accountability, making verified compliance, rather than self-attestation alone, a condition for contract eligibility.

A Plan of Action & Milestones (POA&M) is a formal document used to track known gaps in required cybersecurity controls, identify remediation actions, assign responsibility, and establish timelines for closure. In the context of NIST SP 800-171, DFARS, and CMMC 2.0, a POA&M is created when an organization has not fully met one or more assessment objectives but has identified and planned corrective actions. POA&Ms are commonly used in self-assessments and DoD assessments to demonstrate awareness of deficiencies and a structured path to remediation, though the higher-weighted requirements are not eligible to be deferred.

Conditional certification under CMMC 2.0 allows an organization to achieve a temporary certification status while limited, allowable deficiencies are remediated through a POA&M. If granted, the organization must close all POA&M items within a defined remediation window (currently 180 days) to achieve full certification. For Level 2, only requirements worth 1 point in the DoD scoring methodology may be placed on a POA&M (3.13.11, FIPS-validated cryptography, may be deferred at its 3-point partial credit), the assessment score must be at least 88 of 110, and a few requirements, including the System Security Plan (3.12.4), 3.1.20, and 3.1.22, can never be deferred. Failure to remediate within the timeframe results in loss of certification. In this way, the POA&M serves as the enforcement mechanism behind conditional certification, providing flexibility without eliminating accountability, while ensuring that full compliance is ultimately achieved and verified.
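As a worked illustration of the SPRS scoring rules and the Level 2 POA&M eligibility rules described above, here is a small Python calculator. It is an added example, not code from CMMC LaunchPad or from the DoD. The WEIGHTS table is an illustrative subset of the 110 requirements; a real calculator must load the full table from the DoD NIST SP 800-171 Assessment Methodology. The Finding class, the function names, and the sample findings are this example's own constructions.

```python
"""SPRS score and CMMC Level 2 POA&M eligibility calculator (added example).

Weights follow the DoD NIST SP 800-171 Assessment Methodology: each of the 110
requirements is worth 1, 3 or 5 points, except 3.12.4 (System Security Plan),
which is not scored. WEIGHTS below is an illustrative subset only.
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_SCORE = -203      # 110 minus the sum of all 110 weights (313)
MIN_POAM_SCORE = 88   # 0.8 * 110: floor for Level 2 conditional certification

# Illustrative subset of the weight table: requirement -> points (None = not scored).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.20": 1, "3.1.22": 1,
    "3.3.3": 1, "3.5.3": 5, "3.5.7": 1, "3.8.9": 1, "3.11.2": 5,
    "3.12.4": None, "3.13.8": 3, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}

# Partial credit defined by the methodology: deduct 3 instead of 5 when ...
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA deployed for general users but not yet for privileged/remote access
    "3.13.11": 3,  # encryption is in use but is not FIPS-validated
}

# Requirements that 32 CFR 170.21 never allows on a Level 2 POA&M.
NEVER_DEFERRABLE = {"3.1.20", "3.1.22", "3.12.4"}


@dataclass(frozen=True)
class Finding:
    """One unmet requirement. `partial` means the partial-credit condition applies."""
    req: str
    partial: bool = False


def deduction(finding):
    """Points subtracted for one unmet requirement."""
    if finding.req not in WEIGHTS:
        raise ValueError(f"{finding.req}: not in the (illustrative) weight table")
    weight = WEIGHTS[finding.req]
    if weight is None:
        # Without an SSP there is nothing to assess, so no score can be produced.
        raise ValueError(f"{finding.req}: not scored; the assessment cannot proceed")
    if finding.partial and finding.req in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[finding.req]
    return weight


def sprs_score(findings):
    """Start at 110, subtract each unmet requirement's weight, floor at -203."""
    return max(MAX_SCORE - sum(deduction(f) for f in findings), MIN_SCORE)


def poam_eligible(findings):
    """Apply the Level 2 conditional-certification rules; returns (eligible, reasons)."""
    reasons = []
    score = sprs_score(findings)  # raises for 3.12.4, which therefore never reaches the loop
    if score < MIN_POAM_SCORE:
        reasons.append(f"score {score} is below the {MIN_POAM_SCORE} minimum")
    for f in findings:
        pts = deduction(f)
        if f.req in NEVER_DEFERRABLE:
            reasons.append(f"{f.req} can never be placed on a POA&M")
        elif pts > 1 and not (f.req == "3.13.11" and pts == 3):
            reasons.append(f"{f.req} is worth {pts} points and cannot be deferred")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: MFA only partially deployed, plus three 1-point gaps.
    sample = [Finding("3.5.3", partial=True), Finding("3.5.7"),
              Finding("3.8.9"), Finding("3.3.3")]
    print("SPRS score:", sprs_score(sample))          # 104
    print("POA&M eligible:", poam_eligible(sample))   # (False, ['3.5.3 is worth 3 points ...'])
```

Note what the sample shows: partial credit on 3.5.3 still leaves a 3-point deduction, which keeps that requirement off a POA&M. Only 3.13.11 gets the exception that lets a 3-point partial-credit item be deferred.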

If you have met all in-scope controls and have no POA&Ms, your CMMC 2.0 certification is valid for three (3) years.

For CMMC Level 2 contracts that require a third-party assessment, achieving full compliance with all applicable NIST SP 800-171 controls and assessment objectives results in a three-year certification period. During that time, you remain eligible for applicable DoD contract awards without needing to re-certify, provided you continue to maintain compliance.

However, certification is not a “set it and forget it” status. Organizations are still expected to maintain the controls continuously, comply with DFARS obligations (such as incident reporting), and complete any required annual affirmations or self-assessments specified by contract. At the end of the three-year period, a new CMMC assessment is required to renew certification and remain eligible for covered contracts.

A CMMC Registered Practitioner Organization (RPO) is a company authorized by the CMMC Accreditation Body (Cyber AB) to provide advisory and support services related to CMMC compliance, but not to conduct certification assessments. A CMMC RPO employs one or more CMMC Registered Practitioners (RPs) who are trained on the CMMC model and ecosystem. RPOs help organizations understand CMMC requirements, interpret NIST SP 800-171 controls and assessment objectives, prepare documentation (such as SSPs and POA&Ms), and get ready for assessments. Importantly, RPOs are advisory only—they cannot certify, assess, or attest to compliance on behalf of a contractor.

In CMMC 2.0, RPOs support organizations before and between assessments by helping them build and maintain a compliant cybersecurity program. They often assist with readiness reviews, gap analyses, and remediation planning, but must remain independent from any C3PAO performing the formal assessment to avoid conflicts of interest. In short, an RPO helps organizations prepare for CMMC, while assessment and certification authority remains with DoD-approved assessors.

A C3PAO is a CMMC Third-Party Assessment Organization, an independent, DoD-authorized entity that conducts official cybersecurity assessments for organizations seeking CMMC certification. A C3PAO is accredited through the CMMC Accreditation Body (Cyber AB) and authorized by the Department of Defense to assess contractor environments against the applicable CMMC requirements. For CMMC 2.0 Level 2, this means evaluating an organization’s implementation of the NIST SP 800-171 controls and assessment objectives using the approved DoD assessment methodology. Unlike self-assessments, C3PAO assessments are independent and result in a formal certification decision.

Under CMMC 2.0, C3PAOs conduct assessments for Level 2 contracts that require third-party verification. They review documentation, interview personnel, and test technical controls to determine whether all in-scope requirements are met and whether any limited POA&Ms are allowed. If the organization meets the requirements, the C3PAO submits the assessment results to the CMMC instance of eMASS, leading to a three-year certification when full compliance is achieved. In short, a C3PAO provides the independent validation that turns CMMC compliance from self-attestation into an enforceable, auditable certification.

DIBCAC stands for the Defense Industrial Base Cybersecurity Assessment Center, a specialized unit within the Defense Contract Management Agency (DCMA) that serves as the authoritative government assessment body for cybersecurity compliance within the Defense Industrial Base (DIB). Prior to the finalization of the CMMC rule, DIBCAC primarily focused on validating NIST SP 800-171 implementation under DFARS clause 252.204-7012. With the formal establishment of the CMMC Program under 32 CFR Part 170, DIBCAC now has a dual function:

  • Performing Level 3 Certification Assessments: DIBCAC is the exclusive entity authorized to conduct CMMC Level 3 assessments. These assessments evaluate compliance with enhanced security requirements derived from NIST SP 800-172.
  • Validating CMMC Level 2 Certification Assessments: DIBCAC may also verify Level 2 certifications conducted by C3PAOs if necessary or requested by DoD Components.