1. What are the 18 Domains?
  1. Access Control
  2. Asset Management
  3. Audit and Accountability
  4. Awareness and Training
  5. Configuration Management
  6. Cybersecurity Governance
  7. Identification and Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Personnel Security
  12. Physical Protection
  13. Recovery
  14. Risk Assessment
  15. Security Assessment
  16. Situational Awareness
  17. System and Communications Protection
  18. System and Information Integrity
2. Am I able to build in the cost of becoming certified as a direct cost?


3. I am a subcontractor on a DoD contract. Does my company need to be certified?

Yes! In some cases, Prime Contractors are asking their subcontractors to complete the CMMC as soon as possible to be able to work on the contract.

4. Do I need to be CMMC Certified?

If you plan to participate in a DoD contract that contains the DFARS 252.204-7012 clause, then yes. The CMMC will be rolling out slowly until FY 2025, so once the DFARS clause is in your contract, you will need to receive the CMMC upon contract award.

5. Can I do a self-certification for the CMMC?

No. You will need a C3PAO to come and complete the assessment in order to receive the certification. The provisional assessors who will be completing the assessment were trained directly by the CMMC-AB and have the authority to take on this compliance work.

6. What are the levels of CMMC?

CMMC Level 1: 17 Controls - Basic Cyber Hygiene

CMMC Level 2: 72 Controls (includes Level 1 controls) - Intermediate Cyber Hygiene

CMMC Level 3: 130 Controls (includes Level 2 controls) - Good Cyber Hygiene

CMMC Level 4: 156 Controls (includes Level 3 controls) - Proactive

CMMC Level 5: 171 Controls (includes Level 4 controls) - Advanced/Progressive

7. What is CUI/FCI, and how are they different?
  • FCI: “Federal Contract Information” is information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information generated for the public.
  • CUI: “Controlled Unclassified Information” is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
8. How much does CMMC cost?

This is a huge question that is being asked and the best answer is: it depends. There will be two different types of costs for the certification and it will be quite different for every organization going through it. The major breakdown will be:

  1. Cost based on maturity & level: The cost will begin with the maturity of your organization’s processes and what CMMC level you are looking to obtain. The higher the level, the more FCI/CUI will be present, and this will correlate to bigger costs.
  2. FCI/CUI Flow: Where does the CUI flow in the organization? This does not necessarily mean a big organization will always cost more than a small company. It depends on who has access to CUI in the organization. A bigger web of CUI (how many people have access, computer access vs. cell phone access, single site vs. multi-site, etc.) will cost more than a tighter, smaller web of CUI (limited access to only certain people, groups, or locations, etc.).
  3. There is also a physical security component of the assessment, so single-site organizations and multi-site organizations will be different.


The cost of the actual assessment will be based upon which CMMC level you are going for, how big the web of CUI is, and the number of locations that will need to be assessed. This is all based on the scope, and scope is based on how to continuously protect FCI/CUI.

9. Does the certification requirement apply to grants as well as contracts?

Currently the CMMC requirement will apply to anything related to DoD funding. If the 252.204-7021 clause is stated in the grant, they will be requiring the certification.

10. What is the best way to prepare for certification?

The best way to prepare is to look at the requirements and begin by doing a baseline comparison of the controls against what you currently have in place. Sometimes, organizations prefer to use an outside professional who can help them walk through each step clearly and identify the information that will be needed for each control within the CMMC.

11. What can I expect from the assessment?

To begin the assessment, you will first agree on the scope with the assessor (level, systems, etc.). Next, the assessor will be walking through each practice and process and looking for two pieces of objective evidence that show conformity. At level 3 and above, the assessor will be looking at maturity/institutionalization of the process and practice to make sure it is being continuously maintained and improved.

12. How long does the process need to be in place to be institutionalized?

This depends on the process and activity. The process really needs to show that good cyber-hygiene activities are continuously done.

13. When do I need the CMMC?

If a contract you are bidding on has the DFARS 252.204-7021 clause in it, you will need to have the CMMC before the contract is officially awarded. Although you will be able to respond to solicitations without it, you will not be awarded the contract on the day of award if you do not have the CMMC.

14. What is the relationship between NIST SP 800-171 and CMMC and how are they different?

For NIST SP 800-171, an organization can complete the self-assessment and upload it within SPRS on their own. The Supplier Performance Risk System (SPRS) is the Department of Defense’s database for contractors to upload their NIST SP 800-171 self-assessments.

15. Who can perform the CMMC assessment?

As the CMMC begins to roll out and until training expands, only a C3PAO can perform the assessment. There are provisional assessors who have undergone official training from the CMMC-AB (including Reef Systems), but as of January 1st, 2021, there are no authorized C3PAOs to provide assessments yet.

16. Is the CMMC level for the entire company or for parts of that company?

The level will depend on the organization and what they want to do specifically. It is possible to certify parts of your company at a different level than other groups, but you must show the difference and maintain these parts separately to be compliant. As part of scoping your organization, you will determine which parts of the organization will be covered under each CMMC level.
