Cornelius Digital

CMMC Compliance FAQ

Answers to the most common questions about CMMC compliance, timelines, costs, and what it's like to work with CDS.

CMMC Basics

CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense framework for verifying that contractors adequately protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Any company in the defense supply chain that handles CUI or FCI needs a CMMC status at the level the contract specifies. Without it, you are ineligible for awards that carry the CMMC clause (DFARS 252.204-7021). This applies to both prime contractors and subcontractors, and primes are responsible for flowing the requirement down to any subcontractor that receives FCI or CUI.
Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 and is satisfied by an annual self-assessment. Level 2 requires implementation of all 110 NIST SP 800-171 controls. Depending on the contract, Level 2 may require either a self-assessment or a third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization). Level 2 applies to any contractor handling Controlled Unclassified Information. If your contracts reference DFARS 252.204-7012, you almost certainly need Level 2.
Phase 1 of the CMMC rollout began on November 10, 2025 and requires Level 1 and Level 2 self-assessments in applicable solicitations. Phase 2 begins November 10, 2026, when contracting officers may require Level 2 C3PAO certification. However, at least 13 active solicitations on SAM.gov already require CMMC Level 2 certification. The enforcement era has effectively begun. Contractors who wait until the formal deadline will face C3PAO scheduling bottlenecks and limited consultant availability. → Read our full CMMC Timeline Analysis
CMMC is the verification mechanism for NIST SP 800-171. The 110 Level 2 security controls are identical to the 800-171 requirements. What CMMC adds is verification with teeth: Level 1 and lower-risk Level 2 work still use a self-assessment, but the score is posted in SPRS and a senior company official must affirm continued compliance annually, while higher-risk Level 2 work requires an independent C3PAO assessment. As we tell clients: the controls are not new; the enforcement is.

Getting Started

Start with a gap assessment against NIST 800-171 controls. This identifies what you already have in place, what's missing, and where to prioritize. CDS offers a free readiness assessment you can take in 5 minutes to get a baseline score and personalized recommendations.
CDS delivers your gap assessment, security plan, and remediation roadmap in 45–60 days. Full certification readiness — including your remediation and implementation — typically takes 6–12 months depending on your starting posture. Most contractors spend 12–18 months getting there; we compress that by front-loading the hardest work in the first 60 days. → Download our First 90 Days Action Plan
A System Security Plan is your written playbook for how your company protects sensitive data. It documents how your organization implements each of the 110 NIST 800-171 controls and describes your system boundaries, control implementations, and responsible parties. The SSP is one of the most critical artifacts in a C3PAO assessment — if your SSP is weak, the assessment will be painful regardless of your actual security posture. CDS develops assessment-ready SSPs as part of full certification engagements.
A POA&M is your to-do list for fixing security gaps: what needs fixing, who's responsible, and when it'll be done. More technically, a Plan of Action & Milestones (POA&M) is your documented roadmap for addressing identified security gaps. It specifies each deficiency, the planned remediation, responsible parties, and target completion dates. Under CMMC, your POA&M must demonstrate a credible, time-bound plan, and assessors will scrutinize whether your milestones are realistic and well-resourced. Two constraints practitioners should plan around: Level 1 does not permit a POA&M at all, and at Level 2 a POA&M only buys you a conditional status if your assessment score is at least 88 of 110 and, with limited exceptions, none of the open items are 5-point requirements. Every open item must then be closed out and verified within 180 days or the conditional status expires.
Level 1 allows self-assessment, meaning you attest to your own compliance. Level 2 for programs the DoD designates as requiring certification calls for a third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization). The C3PAO certifies; consultants like CDS prepare you. We are not assessors, and we are not a C3PAO. We are the team that ensures you pass when the assessor arrives.

Working with CDS

Principal-led execution. The consultant who scopes your engagement is the same person who executes it — no handoffs to junior analysts. Eight authorizations to operate with zero failed assessments. A structured methodology that delivers assessment-ready documentation in 45–60 days, with full certification readiness in 6–12 months. TS/SCI cleared. Marine Corps veteran. We don't bill for hours — we deliver outcomes.
CMMC compliance costs depend on your level and scope — Level 1 self-assessment support starts at $4K–$8K, while full Level 2 certification readiness ranges from $55K–$95K. Engagements are scoped during a confidential discovery call based on your environment, timeline, and compliance requirements. Every organization is different — a 30-person company handling basic CUI has different needs than a 300-person subcontractor with multiple enclaves. CDS provides tailored proposals after understanding your specific situation. Schedule a free discovery call to discuss your needs.
Defense contractors, primarily 50–500 employees. Based in Colorado Springs with proximity to Peterson SFB, Schriever SFB, and Cheyenne Mountain — but we serve contractors nationwide. Our ideal client is a mid-market defense contractor that needs CMMC Level 2 certification and doesn't want to spend a year and a quarter million dollars getting there. → Read: The Compliance Tax on Defense Contractors
Managed Service Providers manage your network. CDS manages your compliance. An MSP can keep your systems running — but ask them how many C3PAO assessments they've prepared for and supported. Compliance requires a different skill set: regulatory interpretation, evidence engineering, assessment strategy, and documentation that survives third-party scrutiny. We partner with your MSP; we don't replace them.

Compliance Details

The 110 controls span 14 control families: Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity. Each maps to specific technical and administrative requirements that must be implemented and evidenced. → Read: The CMMC Automation Playbook — Which Controls Can Be Automated
CUI (Controlled Unclassified Information) requires Level 2. FCI (Federal Contract Information) requires Level 1. Most defense contracting work involves CUI: technical drawings, performance specifications, contract requirements, test data, and similar materials that aren't classified but require protection. If you're unsure which applies to you, look at your contract clauses: FAR 52.204-21 signals FCI, DFARS 252.204-7012 signals CUI, and DFARS 252.204-7021 states the CMMC level the contract demands.
Think of it as a secure zone, a separate, locked-down area of your network where sensitive government data lives. If your entire network already meets NIST 800-171 requirements, a separate enclave isn't necessary. But most contractors handling CUI benefit significantly from a dedicated enclave. An enclave isolates CUI into a defined boundary with specific access controls and monitoring. The key advantage: fewer systems in scope means fewer controls to assess, simpler evidence collection, and a more efficient certification process. One caveat: the enclave boundary alone does not define your assessment scope. The CMMC Level 2 scoping guidance also pulls in security protection assets (identity providers, SIEM, backup, endpoint management) and contractor-managed assets that could connect to CUI, so the services that protect the enclave must be inventoried and evidenced too. CDS designs compliant CUI enclave architectures as part of enterprise engagements, with client IT or MSP partners handling implementation. → Read: Zero Trust Architecture for Defense Contractors
DFARS 252.204-7012 already requires adequate security for CUI — this has been contractually required since 2017. CMMC doesn't change the requirement; it adds enforcement through third-party verification. If you have DoD contracts with CUI clauses, you should already be implementing these controls. The deadline is new. The obligation is not.
No. CMMC compliance is ongoing: periodic reviews, policy updates, and an annual affirmation in SPRS by a senior company official that you remain compliant. Level 1 self-assessments are repeated every year, and a Level 2 C3PAO certification is valid for three years before reassessment. Your security posture the day after certification matters as much as the day of, and a lapsed affirmation can cost you eligibility just as a failed assessment would. CDS offers quarterly compliance review packages to ensure you stay certified, not just get certified. For continuous monitoring, CDS partners with managed security providers.

Ready to Get Compliant?

Principal-led CMMC preparation. One consultant, start to finish. Assessment-ready documentation — faster than you think.