1. What is CMMC, and why do I need it?
The Cybersecurity Maturity Model Certification (CMMC) is a DoD framework that ensures contractors implement adequate cybersecurity to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). If your company wants to bid on or retain DoD contracts, you may need to be CMMC compliant, especially at Level 1 (for FCI) or Level 2 (for CUI).
2. How do I know what CMMC level my company needs?
Check the contract or solicitation. If your contract only involves FCI, you’ll need Level 1. If it involves CUI, you’ll need Level 2. Level 3 (classified info) is for highly sensitive work and not yet active. If you’re unsure, assume Level 2 and confirm with the contracting officer.
3. What is the difference between CMMC Levels 1 & 2?
Level 1 includes 17 basic cybersecurity practices from FAR 52.204-21.
Level 2 requires full NIST SP 800-171 compliance (110 controls), with self-assessment allowed for some contractors, and mandatory third-party assessments for “prioritized acquisitions.”
4. What is an OSC (Organization Seeking Certification)?
An OSC is any company aiming to become certified under CMMC to demonstrate they meet the DoD's cybersecurity standards. This typically applies to subcontractors, primes, MSPs, or any business handling FCI or CUI.
5. Do I need a C3PAO right away?
Not necessarily. Begin with a self-assessment or a gap analysis. You’ll need a C3PAO (Certified Third-Party Assessor Organization) only if your Level 2 contract requires formal certification (as indicated in the solicitation).
6. How long does it take to become compliant?
It depends on your starting point. A Level 2 readiness process—from gap analysis to full remediation—can take 3 to 12 months depending on IT maturity, internal staffing, and resourcing.
7. What’s the cost of becoming CMMC compliant?
Level 1: Minimal if you’re already using good IT hygiene (under $10k).
Level 2: Costs can range from $50k–$150k+ including consulting, tools, and assessment fees, depending on system complexity.
8. Do I need to use GCC High or a FedRAMP solution?
Only if you’re storing or processing CUI in the cloud and pursuing Level 2 certification. In that case, your cloud solution must be FedRAMP Moderate or High equivalent. GCC High is one such option.
9. What happens if I don’t comply?
You may be disqualified from DoD contracts that require CMMC. Over time, non-compliance could lead to missed contract renewals, subprime restrictions, or even False Claims Act liability if you misrepresent compliance.
10. Where should I start?
Identify what data you handle (FCI vs. CUI).
Determine your required level.
Conduct a gap assessment (use free tools like Project Spectrum or CyberGap).
Develop a System Security Plan (SSP) and Plan of Action and Milestones (POA&M).
Work within the Cyber-AB Ecosystem.
Comments and suggestions to gov@cybercomply.us
©2023 Armada Cyber Defense LLC (ACD), DBA CyberComply, ALL RIGHTS RESERVED. ACD is a for-profit entity, not associated with the Small Business Development Center (SBDC), Apex Accelerators, Florida International University (FIU), the Small Business Administration (SBA), the Department of Defense (DoD), or any of their stakeholders.