CMMC Certification FAQs

Hi, thanks for joining me today. My name is Nancy and our topic today is Cybersecurity Maturity Model Certification Frequently Asked Questions. The Department of Defense will soon start requiring Defense Contractors to obtain a certification in order to bid on Defense contracts. If your information systems have not been certified to the level required by the solicitation, then you cannot be awarded the contract.

In order to help answer your questions, we have compiled a list of CMMC FAQs, otherwise known as Cybersecurity Maturity Model Certification Frequently Asked Questions.

Before I go any further, I wanted to take a moment and ask for your help. While reviewing my analytics I noticed that 95% of my viewers have not subscribed to the channel. Subscribing to the channel is FREE, and it would help me tremendously. Once I obtain 1,000 subscribers, I have more options available to me. So, what are you waiting for? Hit that subscribe button now. For all my subscribers, I wanted to say thank you.

These questions are not listed in any order. Next up are the questions.

Will the certification and the associated third-party assessments apply to classified systems and/or classified environments within the Defense Industrial Base?

The certification applies to only a Defense Industrial Base (DIB) contractor’s unclassified networks that handle, process, and/or store Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?

The answer is: it depends. If a company does not possess Controlled Unclassified Information but possesses Federal Contract Information (FCI), then yes, you will need to obtain a CMMC Level 1 certification. See FAR Clause 52.204-21. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.

How will I know what CMMC level is required for a contract?

The required security level will be specified in the Requests For Information (RFIs) and Requests for Proposals (RFPs). In other words, the level required will be posted in the solicitation.

I am a subcontractor on a DoD contract.  Does my organization need to be certified?

Yes, your company will be required to obtain a CMMC certification. The only exception is if you produce solely COTS products. The level of the CMMC certificate required depends upon the type and nature of the information flowed down from your prime contractor.

What if my business cannot afford to be certified?  Does that mean my organization can no longer work on DoD contracts?

According to DoD, the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified.

In reality, I don’t think DoD knows how much the certification will cost. The costs will be determined by the assessors and I am sure that they will be adjusted based upon market conditions. Hopefully, the assessors will be able to provide an estimated cost. Only when companies receive the certification can we expect to receive an estimated cost.

How often does my organization need to be reassessed?

Your CMMC certificate is valid for three years. However, if you have a security incident then you may need to be recertified.

Are the results of my assessment public?  Does the DoD see my results?

The assessors will not publicize any certification results. DoD will only receive the information it needs, for instance the certification level and company name.

Will there be a self-certification?

No. Companies are encouraged to complete a self-assessment prior to scheduling a CMMC assessment.

Who will perform the CMMC Assessments?

Only CMMC Third-Party Assessment Organizations (C3PAOs) and individual assessors that have been accredited by the CMMC AB will perform CMMC assessments.

How much will the CMMC certification cost?

The certification costs will depend on several factors:

  1. The CMMC level you are seeking.
  2. The complexity of your network.
  3. Other market forces.

Unfortunately, costs cannot be determined until such time as assessors perform their assessments. However, a DoD representative believes that a Level 1 certification (the lowest level) would cost approximately $3,000.

How will CMMC be different from NIST SP 800-171?

Unlike NIST SP 800-171, the CMMC model has five levels. Each level consists of its own practices and processes as well as those specified in the lower levels.

In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.

What is the relationship between NIST SP 800-171 rev.1 and CMMC?

CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev.1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.

Will other Federal non-DoD contracts use CMMC?

The initial implementation of the CMMC will only be within DoD. This does not mean that other Federal agencies will not adopt the certification. In fact, many Federal agencies are watching this certification closely before they make an adoption decision.

Why did DoD create the CMMC certification?

DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base. The CMMC certification serves as a certification mechanism to ensure that appropriate levels of cybersecurity processes and practices are in place. As a result, Defense contractors can better protect controlled unclassified information that resides on their networks.

What are the concerns regarding cybersecurity in the Defense Industrial Base?

The aggregate loss of controlled unclassified information (CUI) from the DIB sector increases the risk to national economic security and, in turn, national security. To reduce this risk, the DIB sector must enhance its protection of CUI in its networks.

The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 [Ref: “The Cost of Malicious Cyber Activity to the U.S. Economy”, CEA, February 2018].

Let’s face it. Cybersecurity incidents are at an all-time high. Because of this, you can expect the Government to try to protect itself. Requiring the certification is one way that they are doing so.

In Summary

Cybersecurity is here to stay. If you want to be a government contractor, then this is just the cost of doing business. You can absorb some of the costs when you receive a government contract, but until then you will have to pay out of pocket. For more information on the certification go to

I release a new article every week. You can find my articles at please click here.