Do you have questions about the Cybersecurity Maturity Model Certification (CMMC)? Check out these frequently asked questions regarding the CMMC and the answers for additional information. 

What is CMMC?
What is the purpose of CMMC?
What are the CMMC levels?
How does a company know which certification level a contract requires?
What is CUI?
Do companies that don't handle CUI need certification?
What is a cybersecurity framework?
How is NIST related to CMMC?
Who conducts CMMC assessments? 
What is the CMMC-AB?
Does CMMC self-certifcation exist?
How long does CMMC certification last? 
What happens after the three year period?
How long is the CMMC rollout period?
Does CMMC encompass non-DoD contracts?

What is CMMC?

The U.S. Department of Defense (DoD) implemented the CMMC to serve as a training, certification and third-party assessment program for contractors seeking to do business with the agency.

What is the Purpose of CMMC?

The DoD created Cybersecurity Maturity Model Certification to verify that Defense Industry Base (DIB) companies implement appropriate cybersecurity measures.

What are the CMMC Levels?

The five CMMC maturity levels include the following:

  1. Performed
  2. Documented
  3. Managed
  4. Reviewed
  5. Optimizing

How Does a Company Know Which Certification Level a Contract Requires?

The DoD will list the appropriate certification level in the contract.

What is CUI?

Controlled Unclassified Information (CUI) is a category of U.S. federal government information requiring dissemination or safeguarding controls consistent with applicable regulations, laws and policies. 

Do Companies That Don't Handle CUI Need Certification?

All entities wishing to conduct business with the DoD must get certified.

What is a Cybersecurity Framework?

A cybersecurity framework is a collection of best practices that organizations can follow to identify areas of vulnerability and reduce their risk of cyberattacks. 

How is NIST Related to CMMC?

National Institute of Standards and Technology (NIST) 800-171is the previous government standard for determining a contractor's cybersecurity readiness. Companies that comply with the CMMC guidelines meet this NIST standard and additional processes and practices.

Who Conducts CMMC Assessments?

The DoD only permits an authorized and accredited certified third-party assessment organization (C3PAO) to conduct CMMC assessments.

What is the CMMC-AB?

The CMMC Accreditation Body (CMMC-AB) is an independent organization charged with authorizing and accrediting C3PAOs. 

Does CMMC Self-Certification Exist?

Self-certification is not permissible under the CMMC guidelines.

How Long Does CMMC Certification Last?

The certification is good for three years. During this time, organizations must uphold their cybersecurity policies and practices and continue to improve them to remain certified.

What Happens After the Three-Year Period?

An organization must undergo an assessment to attain recertification after three years.

How Long is the CMMC Rollout Period?

The DoD is overseeing a phased rollout ending in September 2025.

Does CMMC Encompass Non-DoD Contracts?

The initial CMMC implementation only applies within the DoD.

Get More Answers to CMMC FAQs

NQA is a global certification body that can help with your CMMC needs. Contact us to learn more about CMMC frequently asked questions.