
By: Stephanie Hagan on December 10th, 2025


CMMC FAQs


Cybersecurity Maturity Model Certification (CMMC) is a hot topic in the federal government right now, especially since Phase 1 began in November 2025. Whether you are a defense contractor, are looking to work with the Department of Defense in the future, or just want to learn more about federal government contracting, you may have some questions about CMMC. We put together a list of the top CMMC FAQs we’ve heard from our clients and industry. Read on to learn more.

Who Does CMMC Apply To?

CMMC applies to contractors who work directly with the Department of Defense and process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). These contractors are collectively referred to as the Defense Industrial Base (DIB). Specific CMMC requirements will be outlined in future contracts and solicitations, and it is not out of the question for CMMC to appear in future civilian contracts as well.

What Are the Different Levels of CMMC?

CMMC Level 1 is the most basic level, requiring companies to implement simple safeguards to protect FCI and CUI. Level 1 consists of the 15 requirements in Federal Acquisition Regulation (FAR) clause 52.204-21 and is verified through a self-assessment.

Level 2 aligns with the 110 NIST SP 800-171 requirements referenced in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 to protect CUI. It is split into two parts: a self-assessment and an assessment by a CMMC Third-Party Assessment Organization (C3PAO).

Level 3 is the highest tier and is designed for contractors handling the most sensitive CUI. It includes 134 NIST SP 800-171 requirements referenced in DFARS 252.204-7012 plus 24 requirements selected from NIST SP 800-172. This level requires a completed Level 2 C3PAO assessment followed by an assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

When Will CMMC Be Required?

Phase 1 of CMMC began on November 10, 2025. This phase covers Level 1 and Level 2 self-assessments. CMMC Level 2 third-party assessments are anticipated to begin 12 months later, and Level 3 assessments are anticipated 12 months after that.

How Do You Determine Your CMMC Level?

Your CMMC requirements depend on factors such as the type of CUI and FCI you handle, and more specifically on the type of data you store, process, transmit, or share. The required CMMC level will be determined and specified in each individual solicitation and the resulting contract.

What’s the Difference Between FCI and CUI?

Federal Contract Information (FCI) is information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service to the government.

Controlled Unclassified Information (CUI) is information the government creates or possesses, or that a contractor creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Neither FCI nor CUI is intended for public release. However, CUI requires additional safeguarding and may be subject to dissemination controls, while FCI is the broader term for non-public information. All CUI is FCI, but not all FCI is CUI.

Does CMMC Apply to Subcontractors?

Yes, CMMC will flow down to subcontractors. Subcontractors handling FCI or CUI are subject to safeguarding requirements that depend on the type of information they process, store, or transmit. It’s important to note that when a prime contractor is required to hold CMMC Level 3, the minimum flow-down requirement to its subcontractors is CMMC Level 2.

Will CMMC Apply to Non-DoD Contracts?

Right now, CMMC is meant for defense contracts that handle sensitive information. That being said, CMMC could be added to civilian contracts in the future if the work involves any form of CUI, or if the awarding agency wants to ensure cybersecurity compliance.

What’s the Difference Between CMMC and FedRAMP?

CMMC and FedRAMP (Federal Risk and Authorization Management Program) are both federal cybersecurity frameworks, but they apply to very different environments. CMMC focuses on protecting CUI within the Defense Industrial Base, requiring contractors to meet specific cybersecurity practices and, depending on the level, to undergo third-party assessments.

FedRAMP, on the other hand, governs how cloud service providers secure federal data and mandates a standardized authorization process before agencies can use their cloud solutions. To sum it up, CMMC is about securing contractors’ internal systems, while FedRAMP is about securing the cloud platforms used by the government.

Are You Ready for CMMC?

If CMMC applies to you either now or in the future, it’s time to start prepping your company. To stay updated on Phase 1 and future CMMC phases, subscribe to our blog and monthly newsletter. If you need assistance figuring out how to meet these requirements, or you need support managing your GSA Schedule for future CMMC requirements, we can help.


About Stephanie Hagan

Stephanie Hagan is the Training and Communications Manager for Winvale. Stephanie grew up in Sarasota, Florida, and earned her Bachelor of Arts in Journalism and Rhetoric/Communications from the University of Richmond.