CMMC Knowledge Base
Find answers to the most commonly asked questions related to CMMC, DFARS, and more.
1. CMMC Assessments & Certification Process
What triggers a new CMMC assessment?
A new assessment is required if there are “significant” changes to the system architecture, though this term is loosely defined. Referencing NIST 800-37, changes like hardware upgrades, OS modifications, or altered data types may qualify. Organizations are advised to define "significant" internally and document that in their change management procedures.
When will the CMMC final rule be published?
The CMMC final rule is expected between August and October 2025. Exact dates are uncertain because of the regulatory process; the next milestone is its submission to OIRA for review. Based on rulemaking trends, a fall publication is most likely.
What happens if our conditional CMMC status expires during contract performance?
If a conditional status expires without POAM items being remediated within 180 days, contractors may face contract remedies and be deemed ineligible for further awards. Conditional status should not be treated casually—address POAMs promptly.
Does a DIBCAC high assessment equate to a CMMC Level 2 certification?
No. A DIBCAC high assessment is an audit under DFARS clauses, not a CMMC certification. Only joint surveillance assessments conducted before December 2024 can be converted into CMMC Level 2 certification status.
Will Phase 1 of the CMMC rollout only require self-assessments?
Not necessarily. Although many hope for self-assessments, contracting officers retain discretion. Contracts involving specific CUI types may require full third-party assessments (C3PAO) even during Phase 1. Organizations should prepare for the possibility of certification-level requirements immediately.
Can joint ventures achieve CMMC certification?
Yes. Joint ventures can undergo CMMC assessments. If they share the same enclave or assessment boundary as the parent company, they may need a separate certification tied to their own CAGE code and contract context.
2. Scoping & Boundaries
Are NSA Cybersecurity Collaboration Center services sufficient for CMMC compliance?
No. While NSA services offer cybersecurity help, they typically don’t map fully to the 800-171A assessment objectives used in CMMC. Organizations must vet NSA and other government services just as they would third-party providers, ensuring alignment with verification criteria.
What is considered a CUI asset in terms of security technologies?
Tools such as backup systems, EDR, RMM, spam filters, and SIEMs may be CUI assets if they store, process, or transmit CUI. These must meet compliance standards like FedRAMP Moderate if cloud-based. Vet each tool within the context of your system boundary.
Are physical parts or cropped engineering drawings considered CUI?
Possibly. If the cropped portion still conveys sensitive, non-public defense-related technical information, it may retain its CUI designation. When in doubt, consult the contract’s CDRL or the data owner. Always err on the side of caution.
Are encrypted CUI transmissions (e.g., over the internet or home VPN) considered CUI in scope?
Possibly. DOD may issue guidance suggesting encrypted CUI remains in scope if within systems under your control. This could extend CUI boundaries dramatically, including to VPNs and home offices, raising concerns about scope expansion and compliance burden.
Do mobile phones and home devices used for accessing CUI need to be secured?
Yes. Even if the mobile device uses VDI or Horizon to isolate CUI, users must secure the environment around it. This includes enforcing device encryption, restricting iCloud/Google backups, and ensuring conversations aren’t audible to unauthorized individuals.
Does the COTS exemption apply to security tools like EDR or cloud platforms?
No. The COTS exemption applies to government procurement—not to your use of COTS tools. If your organization purchases and uses a COTS product that touches CUI, it is subject to all applicable CMMC requirements.
3. CUI (Controlled Unclassified Information) Policy & Interpretation
Can free government cybersecurity services be affected by budget cuts?
Yes. Free services from government entities may be subject to funding changes, political shifts, or government shutdowns. Organizations should not overly depend on these services for compliance.
Is fundamental research subject to CMMC compliance?
Generally no. Fundamental research is explicitly excluded from the definition of CUI, meaning 800-171 and CMMC requirements typically don’t apply. However, some agencies have introduced confusing language around fundamental research that might become CUI, creating gray areas—especially in academia.
Are physical parts or cropped engineering drawings considered CUI?
(Also relevant here for the interpretation of when data becomes or ceases to be CUI.)
Are encrypted CUI transmissions considered CUI in scope?
(Also relevant here due to evolving interpretations.)
4. Federal Adoption & Broader Compliance
Will CMMC be adopted by non-DOD federal agencies?
Yes, likely. Agencies like NASA, GSA, and NIH have already begun referencing NIST 800-171 in contracts. Broader CMMC adoption is expected across federal agencies as part of a unified push toward improving cybersecurity in the federal supply chain.
5. Implementation Logistics & Best Practices
What is considered a CUI asset in terms of security technologies?
(See the answer above under Scoping & Boundaries.)
Do mobile phones and home devices used for accessing CUI need to be secured?
(See the answer above under Scoping & Boundaries.)
6. CMMC Assessments & Certification
What happens if a company’s CMMC score drops significantly after certification?
If a company achieves a perfect 110 score on its CMMC assessment and later drops to a much lower score—such as 2—it’s often due to organizational drift, lack of follow-up, and failure to enforce cybersecurity policies. This underscores that a "set it and forget it" approach to CMMC does not work.
Who should be responsible for submitting a CMMC score to the Department of Defense (DoD)?
When it comes to submitting your CMMC score to the SPRS, it should be a senior official in executive leadership with financial or legal responsibility.
Can you submit a perfect (110) CMMC SPRS score with open POA&Ms?
No. You cannot submit a 110 SPRS score if any controls are unimplemented—even if you have open POA&Ms to address them.
Do I need to conduct a full formal CMMC self-assessment to update my SPRS score?
There is no written requirement for a full reassessment, but any claimed remediations must be substantiated with documentation.
How much does CMMC certification cost for a small to mid-sized business?
Assessment costs typically range from $40,000 to $80,000. Total compliance costs may exceed $300,000 depending on complexity.
Do I need CMMC certification to bid on federal contracts with Controlled Unclassified Information (CUI)?
You do not need certification to bid, but you must be certified before award. Timelines may be short, so proactive certification is advised.
7. Documentation & Policies
Is a System Security Plan (SSP) required for CMMC Level 1 certification?
No, but it is strongly recommended. Having an SSP helps document the 17 Level 1 controls and supports future advancement to Level 2.
8. Controlled Unclassified Information (CUI) Handling
What are the CMMC-compliant methods for shredding or destroying CUI documents?
CUI must be destroyed using crosscut shredders or approved methods. Outsourced shredding introduces risk if destruction is not immediate.
Does my MSP or MSSP need to employ only U.S. citizens to support our CMMC environment?
If supporting export-controlled or NOFORN CUI, then yes, U.S. citizenship is required. Even credential access may qualify as access under ITAR/EAR.
9. Cloud Compliance & FedRAMP Authorization
Can international contractors comply with FedRAMP and data residency requirements under CMMC?
Yes, but it is difficult. Most foreign cloud providers are not FedRAMP authorized. U.S.-based GovCloud or GCC High are typically required.
Do password managers and two-factor authentication methods need to be FedRAMP-authorized under CMMC?
Only if they store or process CUI. If not, FedRAMP is not required, though enterprise-grade tools and hardware 2FA are preferred.
