CPE Status (t-24hrs to current): Global fleet operating normally | no DEGRADATION in performance or availability | Status: Green
Helpful Excerpts:
A-Q1. When will Cybersecurity Maturity Model Certification (CMMC) assessments be required for Department contracts?
A-A1. The Department will begin to incorporate CMMC assessment requirements in applicable procurements on November 10, 2025, when the revised Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021 becomes effective. The first 12 months of implementation will primarily focus on self-assessments. For further information on the Department’s phased implementation plan, please see 32 Code of Federal Regulations (CFR) 170.3(e).
B-Q3. The CMMC model uses NIST SP 800-171, Revision 2. Will the Department update the program to use NIST SP 800-171, Revision 3?
B-A3. Yes, the Department will incorporate Revision 3 with future rulemaking. In the interim, the Department has issued a class deviation to DFARS clause 252.204-7012 to maintain Revision 2 as the standard against which DIB companies will be assessed until Revision 3 has been incorporated into the 32 CFR CMMC Program rule through rulemaking. You can find more information on that deviation here: https://www.defense.gov/News/Releases/Release/Article/3763953/department-of-defenseissues-class-deviation-on-cybersecurity-standards-for-cov/.
B-Q5. What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172 and CMMC?
B-A5. NIST SP 800-172 provides security requirements designed to address advanced persistent threats and forms the basis for CMMC Level 3 security requirements. Contractors must implement 24 requirements from NIST SP 800-172 in addition to the 110 requirements found in NIST SP 800-171 when the Department identifies CMMC Level 3 as a contract requirement.
B-Q6. Will CMMC requirements flow down to subcontractors?
B-A6. Yes, CMMC requirements will flow down to subcontractors as outlined in 32 CFR 170.23. The required CMMC level is based on the type of data—Federal Contract Information (FCI) or CUI—that will be processed, stored, or transmitted on a contractor’s information system during the performance of a DoW contract. Subcontractors handling FCI or CUI are subject to safeguarding requirements. Note that when the prime contract requires CMMC Level 3, the minimum flow-down requirement is CMMC Level 2 (C3PAO), unless the Government provides specific contractual guidance (e.g., a Security Classification Guide).
B-Q7. What is the difference between FCI and CUI?
B-A7. FCI and CUI are information that is ‘not intended for public release.’ However, CUI requires additional safeguarding and may also be subject to dissemination controls. FCI is defined in Federal Acquisition Regulation (FAR) clause 52.204-21, and CUI is defined in 32 CFR Part 2002. The Department’s CUI Quick Reference Guide at https://www.dodcui.mil/ includes additional information on the marking and handling of CUI. CMMC makes no changes to CUI definitions or safeguarding requirements.
B-Q8. Is encrypted CUI still considered to be CUI?
B-A8. In accordance with 32 CFR Part 2002, CUI remains controlled until it is formally decontrolled. As such, encrypted CUI data retains the control designation given to the plain text counterpart. While it is true that certain risks (e.g., transmission across unsecured, "common carrier" networks) are accepted for cipher text that would not be accepted for plain text, this does not mean the original, controlled information, nor the data (plain or cipher text) representing it, is considered decontrolled.
C-Q1. How frequently will assessments be required?
C-A1. Level 1 self-assessments will be required on an annual basis, and CMMC Levels 2 and 3 will be required every 3 years. An affirmation of continued compliance is required for all CMMC levels at the time of assessment and annually thereafter. Please reference 32 CFR 170.3(e) for details on the Department’s timeline for phased implementation of CMMC requirements in applicable procurements.
C-Q2. Will my organization need to be independently assessed if it does not handle CUI?
C-A2. No, if a DIB company does not process, store, or transmit CUI, it does not need an independent assessment. If the company handles FCI only, a CMMC Level 1 self-assessment is required.
C-Q7. What happens after a POA&M Closeout Assessment if one or more of the security requirements on the POA&M still aren’t met?
C-A7. During the 180-day period after achieving a Conditional CMMC Status, a POA&M Closeout Assessment can only be finalized in the CMMC Enterprise Mission Assurance Support System (eMASS) one time. In the case where one or more security requirements are still NOT MET, the Conditional CMMC Status will be terminated once the POA&M Closeout Assessment is finalized in CMMC eMASS, and the Organization Seeking Assessment will have to begin again with a new assessment to achieve a CMMC Status. If a POA&M Closeout Assessment is not finalized in CMMC eMASS within 180 days of the CMMC Status Date, the Conditional CMMC Status will automatically expire.
The Biggie:
C-Q10. Are CMMC assessments required for organizations that only handle hard-copy CUI?
C-A10. No. Organizations that only handle hard-copy CUI should not be required to complete a CMMC Assessment. CMMC assessment requirements address cybersecurity-related risk to CUI and apply only when the CUI is processed, stored, or transmitted on a contractor-owned information technology system. Nonetheless, contractors are required to protect the hard-copy CUI. Per DoDI 5200.48, paragraph 1.1(b), any contractor or subcontractor that receives CUI is required to safeguard that information with Government training and safeguarding requirements. Additionally, if a contractor who was only provided hard-copy CUI plans to place the hard-copy CUI on an information technology system (e.g., scanned, entered, photographed, uploaded, printed, emailed), then that information technology system is subject to the applicable CMMC assessment requirements prior to the CUI being placed on the system. For organizations that handle paper CUI in addition to processing, storing, or transmitting CUI in a contractor-owned information technology system, the necessary CMMC assessment will address both the paper CUI and the digital CUI, in accordance with the applicable NIST SP 800-171 security requirements. For further information about DoD policy regarding safeguarding CUI, refer to DoDI 5200.48.
Back to Regularly Scheduled Programming:
C-Q12. Our enclave does not have a direct internet connection. Instead, it relies on enterprise networking components residing outside of the enclave. All CUI data is properly encrypted before leaving our enclave. Must the enterprise networking components be brought into our enclave’s CMMC Assessment Scope?
C-A12. No. So long as the enclave is otherwise logically separated from the greater enterprise network, the transmission of properly encrypted CUI data does not incur an extension of the CMMC Assessment Scope to include the enterprise networking components.
D-Q1. How will the DoD implement CMMC?
D-A1. Beginning November 10, 2025, the Department will implement CMMC requirements in 4 phases over a three-year period, as described in 32 CFR 170.3(e). The phased implementation plan is intended to address ramp-up issues, provide time to train the necessary number of assessors, and allow companies the time needed to understand and implement CMMC requirements. It will also minimize financial impacts to defense contractors, especially small businesses, and disruption to the existing defense supply chain. The first 12 months of implementation focus primarily on CMMC Level 1 and 2 self-assessments.
D-Q2. How can businesses best prepare for CMMC?
D-A2. Whether a company has previously been awarded a defense contract that includes DFARS clause 252.204-7012 or is brand new to defense contracting, the best way that company can prepare for CMMC is by carefully conducting a self-assessment of their contractor-owned information system(s) to make sure they have implemented the necessary cybersecurity measures to comply with each requirement of FAR clause 52.204-21 (for FCI) or DFARS clause 252.204-7012 (for CUI). If the self-assessment identifies any unmet requirements, companies should take corrective action to address those gaps and fully implement the necessary security measures before initiating a CMMC assessment.
Another Biggie:
E-Q3. An Organization Seeking Assessment (OSA) stores CUI in a system provided by a Managed Service Provider (MSP) that is not a cloud offering. Does the MSP require its own CMMC assessment?
E-A3. No. The MSP is not required to have its own CMMC assessment but may elect to perform its own self-assessment or undergo a certification assessment. If the MSP chooses to attain a CMMC certification to simplify the OSA’s assessment, the assessment level and type need to be the same, or above, as the level and type specified in the OSA’s contract with the Department and cover those assets that are in scope for the OSA’s assessment.
E-Q4. We separately outsource our IT support to an External Service Provider (ESP) (that is an MSP), and our security tools are managed by a different ESP (that is a Managed Security Service Provider). No CUI is sent to either vendor. Are they required to be assessed?
E-A4. Yes. In a scenario where IT support is handled by an MSP and where security protection data is handled by an MSSP, both the MSP and the MSSP qualify as ESPs and will be assessed as part of the OSA’s assessment against applicable security requirements. The ESPs do not require their own CMMC certification.
E-Q6. CUI is processed, stored, and transmitted in a Virtual Desktop Infrastructure (VDI). Are the endpoints used to access the VDI in scope as CUI assets?
E-A6. An endpoint hosting a VDI client is considered an Out-of-Scope Asset if it is configured to not allow any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client. Proper configuration of the VDI client must be verified. If the configuration allows the endpoint to process, store, or transmit CUI, the endpoint will be considered a CUI Asset and is in scope of the assessment.
E-Q7. Is the endpoint used to access a VDI required to be "in scope" for NIST SP 800-171 when implementing its controls to protect CUI, or can the endpoint be considered "out of scope" if CUI remains entirely within the VDI instance?
E-A7. Yes, the endpoint could be considered "out of scope," but this depends on how the VDI and VDI server are implemented. Some VDI systems include features that cache data on the client device or allow the virtual desktop to connect to the local machine’s file system, printers, or other resources for user convenience. For NIST SP 800-171 compliance, these features must be disabled on the server side to ensure that unmanaged endpoints cannot mount drives, print files, or perform other actions that invoke system protocols (e.g., file handling, print spooling) beyond the basic VDI protocol (e.g., transmitting only video, keyboard, and mouse data). If the VDI is properly configured to prevent copying (including screenshots), saving, or printing CUI on the endpoint (except within a NIST SP 800-171-compliant system), and multifactor authentication is implemented for access to the VDI server, the endpoint would not be considered "in scope." To achieve this:
• The virtual desktop server must be configured to block copy-paste, file transfers, or any other data exchange across the session.
• The VDI should only transmit video, keyboard, and mouse data.
• Users must log into the virtual desktop and handle CUI entirely within the session.
• Multifactor authentication to the VDI server must be separate from the unmanaged client, such as using a hardware-based one-time password token or Public Key Infrastructure token with a password/PIN.
• Only authorized users should be allowed to access the virtual desktop environment, and access should be restricted to allowable locations.
By ensuring these configurations, the endpoint used to access the VDI can remain "out of scope" for NIST SP 800-171 and CMMC compliance.
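The E-A6/E-A7 scoping test above is mechanical enough to automate as an assessor's evidence check. The following is an added example, not code from the DoD FAQ or from any VDI product: it evaluates a VDI server policy against the five criteria listed in E-A7 and cross-checks a session log so that the "properly configured" claim is verified rather than assumed. The policy keys, factor names, channel names and log entries are all constructed for illustration.

```python
from dataclasses import dataclass

# Session channels that move data beyond keyboard/video/mouse; any one of these
# left enabled makes the endpoint a CUI Asset (E-A6).
DATA_CHANNELS = ("clipboard", "drive_mapping", "printer", "file_transfer", "screenshot")
# Second factors held apart from the unmanaged client, per E-A7 (constructed names).
SEPARATE_MFA = {"hardware_otp_token", "pki_token_pin"}


@dataclass
class VdiPolicy:
    enabled_channels: set    # channels the VDI server permits in a session
    mfa_factor: str          # second factor required to reach the VDI server
    allowed_locations: set   # locations from which sessions are accepted
    authorized_users: set    # users allowed into the virtual desktop


def evaluate_endpoint_scope(policy, session_events):
    """Return (out_of_scope, findings) for endpoints reaching this VDI server.

    session_events: constructed (user, location, channel) tuples taken from the
    server's session log; they verify that the written policy actually holds.
    """
    findings = []
    for ch in sorted(set(policy.enabled_channels) & set(DATA_CHANNELS)):
        findings.append(f"server permits {ch}: CUI could leave the session")
    if policy.mfa_factor not in SEPARATE_MFA:
        findings.append(f"MFA factor '{policy.mfa_factor}' is not separate from the client")
    for user, location, channel in session_events:
        if user not in policy.authorized_users:
            findings.append(f"unauthorized user {user} opened a session")
        if location not in policy.allowed_locations:
            findings.append(f"session from disallowed location {location}")
        if channel in DATA_CHANNELS and channel not in policy.enabled_channels:
            findings.append(f"log shows {channel} use despite policy: configuration unverified")
    return (not findings, findings)


# Constructed sample policies and log lines.
HARDENED = VdiPolicy({"video", "keyboard", "mouse"}, "hardware_otp_token",
                     {"us_office"}, {"alice"})
CONVENIENT = VdiPolicy({"video", "keyboard", "mouse", "clipboard", "drive_mapping"},
                       "sms_code", {"us_office"}, {"alice"})
LOG = [("alice", "us_office", "keyboard"), ("bob", "hotel_wifi", "file_transfer")]

if __name__ == "__main__":
    for name, pol in (("hardened", HARDENED), ("convenient", CONVENIENT)):
        ok, why = evaluate_endpoint_scope(pol, LOG)
        print(name, "out of scope" if ok else "in scope", why)
```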
© 1993-2026 Planet Security Inc. | All rights reserved. | Privacy Policy | Statements of Compliance | USA & Allies | "Be Kind to Everything that Lives"
For Immediate Assistance: 702.634.7233 | info@planetsecurity.net