CMMC Connect Replay Hub
Missed a session? Catch the replay + get the answers you need.
Listen to full sessions, or jump straight to skimmable Q&As by category below. Every month, we tackle real questions from the DIB community, and now you can search, sort, and replay it all right here.
Listen to CMMC Connect as a Podcast
Replay our monthly open Q&A below, or in your favorite podcasting app.
Read through the answers to CMMC Connect FAQs
Skim through real questions and answers by category (5) from our monthly sessions.
C3PAO Assessments & Readiness
Who needs to get certified at each level? What are the best practice approaches and rough timelines for achieving each level?
Level 1:
- For organizations handling only Federal Contract Information (FCI)
- Applies to contracts without DFARS 252.204-7012
- Self-assessment allowed annually
- Best practice: Implement the 17 basic safeguarding requirements from FAR 52.204-21; document practices and conduct regular reviews.
Level 2:
- Required for organizations handling Controlled Unclassified Information (CUI)
- Applies to most contracts with DFARS 252.204-7012
- Requires a C3PAO-led certification assessment
- Best practice:
  - Start with a readiness assessment or gap analysis
  - Build a System Security Plan (SSP) and POA&M
  - Harden your CUI boundary and gather objective evidence
  - Use a secure enclave or segmented environment to streamline scope
- Timeline: ~6–12 months, depending on maturity and resources
Level 3:
- Still undefined in full detail
- Will require a DIBCAC-led assessment
- Likely reserved for contractors working with high-value assets or critical programs
- Best practice:
  - Implement full NIST SP 800-172 enhanced controls
  - Engage a consulting partner with DIBCAC experience
  - Monitor DoD guidance as Level 3 evolves
- Timeline: Unknown, but expect 12+ months for full implementation once clarified
Once you pass an assessment, how do you properly upkeep an SSP? Is it better for an SSP to be fine-tuned consistently or only change as necessary?
Your SSP should be treated like a living document.
At a minimum, review and update it during your annual risk assessment — but ideally, you should also update it regularly when changes happen throughout the year.
Anytime you make changes to policies, tools, or programs that affect your environment, those changes should eventually be reflected in the SSP (not instantly, but reasonably soon).
Minor updates that don’t impact your security posture can wait for your periodic review, but major changes (like those that impact security) should trigger an SSP update immediately.
What makes a good artifact?
Artifacts should be:
- Clearly labeled, including control numbers and relevant details.
- Clean and easy to review without unnecessary information.
- Relevant and consistent with organizational policies.
Avoid submitting unrelated or outdated evidence.
I want to take CCP/CCA courses...
Great! Here are some tips:
- Courses must be taken through Licensed Training Providers (LTPs) listed on the Cyber AB website.
- CCP is a prerequisite for CCA certification.
- Organizations should consider training at least one or two staff members in CCP for foundational CMMC knowledge.
What happens if a contractor's suitability investigation (T3/T5) is delayed?
Suitability investigations (T3/T5) are currently a major bottleneck, with many applicants waiting 6+ months. This delay affects assessors trying to obtain their CCA and participate in assessments.
The CMMC community has urged the DoD to consider alternative options like third-party background checks, but no changes have been approved yet. In the meantime, contact the CAICO office for status updates or support.
What are the consequences of non-compliance, and how do they escalate?
Non-compliance means you can’t work! Just kidding, kind of. This is not just a future rule, NIST 800-171 has been required for years. The phased rollout means delays will only hurt your eligibility later.
CMMC non-compliance can cost contractors big. You may be ineligible for DoD contracts, face termination of existing contracts, fines under the False Claims Act, and suffer reputational damage. Delaying compliance also risks missing deadlines and getting stuck in assessment backlogs. Most importantly, it leaves your organization more vulnerable to cyber threats.
Subcontractor CMMC compliance challenges for the Prime contractor.
Primes face challenges ensuring their subcontractors remain compliant. Some primes provide their subs access to CRT tools (e.g., Cyturus, FutureFeed) to monitor compliance. If a sub fails an assessment, it can jeopardize the prime’s contract.
Would you recommend including screenshots of policies as artifacts within your SSP for each control or simply reference the relevant section and paragraph within that policy?
As assessors, we prefer to have both the policy section and the full policy itself. The more context and documentation, the better!
Can you recommend any tools to help manage evidence?
There are many tools available! The first that comes to mind is Cyturus, a GRC tool backed by The Cyber AB. When choosing a tool, support response time is key: setting it up can be challenging, so you’ll want something with fast support. If you’re using a tool for CMMC compliance, make sure it has features to help you manage compliance even after certification before committing.
What percentage of control compliance is enough to POA&M and keep operations going?
88 controls must be met out of 110 for Level 2 certification. Exceptions include a few specific controls.
Expectations regarding the CMMC phased rollout: While the rollout period is officially specified as 3 years, what should subcontractors be prepared for in terms of flow-downs from bigger primes, which may be directly impacted earlier in the rollout?
The three-year phased rollout is a DoD implementation timeline, but primes are not bound by it. Some primes are already requiring all their subcontractors to be Level 2 to strengthen their bids. If a prime requires it, you need to comply earlier than the official rollout.
Understanding the approved solution stack.
There is no official “approved” solution stack. The only firm requirement is that CSPs must be FedRAMP authorized (or equivalent). If a provider claims they are on an “approved” list, they are not being truthful—there is no such list.
Expectations of agencies and assessors of requirements governing "basic research"
Basic research is usually exempt from DFARS 7012, and by extension, CMMC. But that’s only if the research is truly fundamental and not tied to specific DoD deliverables. The problem is when it starts as basic research and then morphs into something applied or specific—then you’re in scope. Always check with the KO or contracting office.
How can companies balance compliance needs with programs that go beyond cert requirements?
- Utilize cloud solutions for inherited security controls.
- Minimize the CUI scope to simplify management and ensure cost-effectiveness.
- Consider having internal staff trained in CCP to maintain long-term compliance
Scoping & Environment Setup
How do I keep ERP out of scope? What if it contains bill of materials? What are the best practices to remove ERPs from scope, even if you handle ITAR?
ERPs are an external connection. The best way to keep them out of scope is simple: don’t put CUI into them.
Make sure you fully understand what qualifies as CUI, so users don’t accidentally enter sensitive data, like a non-public military part number, into the ERP.
You can do this through substitution (creating internal part numbers that aren’t CUI) or redaction (blocking sensitive parts before they enter the system).
Bills of materials should be kept as generic as possible. If needed, put more detailed information into a PLM system or SharePoint, something workers can access outside of ERP.
It can be done, but it’s tricky because humans are involved and mistakes can happen.
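The substitution and redaction approach above is a data-handling control, so it helps to see it as an ingestion gate rather than a policy statement. The following Python is an added example (not Redspin’s code or any product mentioned on this page): a surrogate vault that is kept inside the CUI boundary, a gate that swaps a CUI part number for an internal one, redacts free-text mentions, and rejects any record that still matches after processing. The `MIL-…` pattern, the `INT-…` surrogate format and the sample BOM lines are all constructed placeholders, not real identifiers.

```python
"""Ingestion gate that keeps CUI part identifiers out of an ERP (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed pattern standing in for a "non-public military part number" format.
# Real CUI identifiers must come from your own CUI inventory; this is an assumption.
CUI_PART_PATTERN = re.compile(r"\bMIL-\d{4}-[A-Z]{2}\d{3}\b")


class SubstitutionVault:
    """Maps a CUI part number to an internal surrogate number.

    The vault lives inside the CUI boundary (enclave, PLM, SharePoint); the ERP
    only ever stores the surrogate, so the mapping itself is the sensitive asset.
    """

    def __init__(self) -> None:
        self._forward: dict = {}
        self._reverse: dict = {}

    def surrogate_for(self, cui_part: str) -> str:
        if cui_part not in self._forward:
            token = f"INT-{len(self._forward) + 1:06d}"  # constructed surrogate format
            self._forward[cui_part] = token
            self._reverse[token] = cui_part
        return self._forward[cui_part]

    def resolve(self, surrogate: str) -> Optional[str]:
        return self._reverse.get(surrogate)


class CuiLeakError(ValueError):
    """Raised when a record still carries a CUI identifier after processing."""


@dataclass
class GateResult:
    record: dict
    substituted: list = field(default_factory=list)
    redacted_fields: list = field(default_factory=list)


def sanitize_bom_line(line: dict, vault: SubstitutionVault) -> GateResult:
    out = dict(line)
    result = GateResult(record=out)

    # Substitution: the CUI part number becomes an internal surrogate.
    part = out.get("part_number", "")
    if CUI_PART_PATTERN.fullmatch(part):
        out["part_number"] = vault.surrogate_for(part)
        result.substituted.append(part)

    # Redaction: free-text fields may quote the identifier; strip it.
    for key in ("description", "notes"):
        text = out.get(key)
        if isinstance(text, str) and CUI_PART_PATTERN.search(text):
            out[key] = CUI_PART_PATTERN.sub("[REDACTED]", text)
            result.redacted_fields.append(key)

    # Final check: any remaining match means a field the gate does not know
    # about is carrying CUI, so the record must not reach the ERP at all.
    for key, value in out.items():
        if isinstance(value, str) and CUI_PART_PATTERN.search(value):
            raise CuiLeakError(f"field {key!r} still carries a CUI identifier")
    return result


def process_bom(lines, vault):
    """Returns (clean records for the ERP, rejected (line, reason) pairs)."""
    clean, rejected = [], []
    for line in lines:
        try:
            clean.append(sanitize_bom_line(line, vault).record)
        except CuiLeakError as exc:
            rejected.append((line, str(exc)))
    return clean, rejected


# Constructed sample BOM lines; the MIL-... values are invented, not real part numbers.
SAMPLE_BOM = [
    {"part_number": "MIL-2210-AB123", "description": "Bracket, per MIL-2210-AB123 rev C", "qty": 4},
    {"part_number": "COM-55-HEX", "description": "Hex bolt, commercial off the shelf", "qty": 40},
    {"part_number": "COM-77", "description": "Fan", "supplier_ref": "MIL-9001-ZZ777", "qty": 1},
]

if __name__ == "__main__":
    vault = SubstitutionVault()
    clean, rejected = process_bom(SAMPLE_BOM, vault)
    for rec in clean:
        print("ERP <-", rec)
    for line, reason in rejected:
        print("REJECTED", line["part_number"], "-", reason)
```

The third sample line is the "humans are involved" case: the identifier sits in a field nobody thought to redact, and the gate refuses it rather than letting it into the ERP. Keep the vault’s mapping on the CUI side; exporting it to the ERP would bring the ERP straight back into scope.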
How to scope your CMMC assessment to include CMMC asset types and control applicability?
The CMMC Level 2 scoping guide from the DoD is a great starting point. Taking a CCP course can also be helpful, but if you’re getting started, focus on identifying what stores, processes, or transmits CUI within your organization. Map out the data flow of your CUI and consider the security protection assets in place within that scope. Also, think about ways to narrow your scope to simplify compliance.
Remote vs Physical Access: If I access a Microsoft GCC High environment from a corporate Intune-managed laptop, is that considered remote?
Accessing Microsoft GCC High is considered remote — it’s a cloud service provider connection and should be marked as an external connection in your diagrams.
For virtual enclaves with remote workers: If the Virtual Desktop Infrastructure (VDI) is locked down properly (no copy-paste, no USB access, no direct downloads), then you can exclude the physical endpoint (the laptop) from your boundary.
As for protecting office infrastructure: You must secure things like fiber lines, HVAC, generators, and even trash bins if they’re connected to the building.
It all depends on how physically accessible they are.
Is VPN a must for remote users (staff and vendors), or are there other solutions available, e.g. ConnectWise SASE?
VPNs are highly recommended, especially when staff are traveling (airports, hotels). However, alternatives exist, like Virtual Desktop Infrastructures (VDIs), which can take laptops out of scope. If using any remote solution to protect CUI, it must have FIPS 140-2 validated encryption.
How should printers be scoped and diagrammed in CMMC assessments, and what are best practices for on-site printing when using GCC High?
If you’re allowing the printing of CUI, it brings the physical domain into scope, which means your assessor will need to conduct an onsite visit. Many organizations are shifting toward secure printing solutions. One common approach is designating a specific group authorized to print, with a designated individual conducting nightly walkthroughs to ensure no CUI is left unattended. There are many ways to implement secure printing effectively.
For a company that works 100% remote and uses cloud services for day-to-day operations, what is the best way to write your justification statements for the physical controls that are not applicable?
If you completely lock down your environment (disabling printing, USBs, and mobile devices) you can remove the physical domain from scope, eliminating the need for an onsite visit.
However, instead of marking requirements as “not applicable” (which requires CIO approval), document them as addressed by your controls. For example, if cell phones are blocked, state that they are blocked rather than marking them as “not applicable.”
For organizations operating entirely in the cloud, you can document that all operations occur within GCC High, with nothing maintained physically. However, if you allow printing or removable media, the physical domain comes back into scope.
When documenting, keep it simple, just answer the questions directly. No need to overcomplicate it!
Cloud, ESPs & Technical Implementation
Phone system compliance, does it have to be FIPS or NIST compliant? Is Kaseya EDR/RMM compliant?
Phone systems must comply with FIPS or NIST standards only if processing, storing, or transmitting CUI. Non-CUI systems may be exempt.
For tools like Kaseya EDR, compliance depends on vendor-provided evidence (e.g., FedRAMP equivalency or documentation).
When must CUI data and IT security services be in Azure Gov (GCC or GCC High)?
For CMMC Level 2 and handling CUI Basic, Azure GCC is acceptable.
I'm a bit confused about GCC vs GCCH requirement: If I process CTI, do I need GCC or GCCH? Other than ITAR, when is GCCH required?
If you’re dealing with CTI that has a no-foreign-national restriction, you’re in GCCH territory. For regular CUI, GCC is acceptable.
If we host Dynamics CRM, Business Central, and other Microsoft products in a commercial Azure environment, do we need to move them to GCC High?
If these systems store, process, or transmit CUI, they cannot remain in commercial Azure. They must be moved to GCC or GCC High, depending on data sensitivity.
Would using Azure OpenAI with CUI data in an Azure Gov environment go against CMMC compliance?
Azure Gov is FedRAMP High, but that doesn’t automatically mean everything that runs inside of it is CMMC safe. Play it safe: don’t put CUI in OpenAI, even in Azure Gov.
Can non-FedRAMP applications (like Meraki clients) be used in CUI environments?
Any cloud service that stores or transmits CUI must be FedRAMP authorized or equivalent.
If you are using a cloud SaaS application for vulnerability scanning, does the vulnerability data need to be stored in a FedRAMP cloud?
Yes if that vulnerability data relates to systems that store, process, or transmit CUI.
Could zero-knowledge cloud platforms (e.g., password managers, GRC tools) be considered compliant if they have no access to the unencrypted data?
Even if encrypted, FedRAMP is still required for storage/processing of CUI.
CMMC and FedRAMP?
FedRAMP: Validates external service providers for secure DoD data handling. CMMC: Focuses on internal organizational security.
CUI, Marking & Data Classification
We're not seeing any documents marked as CUI from our primes. How should we treat unmarked documents?
Your first step is to ask your contracting officer for clarification.
Until you get official guidance, if the information matches NARA CUI categories, you should treat and protect it as CUI.
The proposed 48 CFR CUI rule says the same thing: Protect until proven otherwise.
Until the new requirement shows up in a contract, are we considered compliant with 7012 as long as all our subs (that we share CUI with) have an SPRS entry and can demonstrate they are working toward certification?
You’re not going to get dinged for compliance if your subs have an SPRS score and can show they’re working toward implementation. CMMC requires validation, yes, but 7012 was self-attestation. So if the subs have an SSP, a POA&M, and they’re tracking their progress, that’s aligned with DFARS expectations right now (March 2025).
How should we handle situations where CUI might be embedded in common components like bolts or fans used in both DoD and commercial projects?
If a bolt is used in a DoD program, it becomes CUI when associated with that project. The same bolt used commercially is not CUI. It’s the context and use that determine whether it becomes CUI, not the part itself.
How can we address contracts or agreements where the Fed Agency or Non-Federal Sponsor with Fed flow down sends us CUI that is not explicitly specified in a contract?
If you receive unexpected CUI, protect it immediately and notify the sender. Best practice: do not reply to the same email with CUI. Instead, send a separate message informing them they sent CUI. When 32 CFR is finalized, contracting officers will be required to specify what CUI is covered in a contract.
How does PII need to be covered in order to comply with CMMC? If we use a third-party HR software, does that third party need to be compliant as well?
If PII is classified as CUI under your contract, then your HR software provider must also be compliant. If it is cloud-based, it must be FedRAMP authorized or equivalent.
What is the best way to mark files and folders on a server as CUI?
Follow the NARA Marking Handbook or the DoD Marking & Labeling Guide. During assessments, assessors will check that documents containing CUI are marked properly. They typically do not review entire folder structures, but they will verify compliance when reviewing a sample document.
What is the process for challenging a contracting officer's (KO) decision if they say CUI is required in a contract, but we believe it should not be?
You can appeal the KO’s decision to the next level. Most contracts include a DFARS clause by default because CUI may be generated later, even if it is not present at contract award. Check the contract details and escalate if necessary.
What is the definition of CUI and when is it no longer considered CUI? How do I identify if my company is developing CUI?
The National Archives and Records Administration (NARA) best defines CUI; this is a good place to start. When is CUI no longer considered CUI? That decision is up to the Executive Agent (which isn’t always the DoD) responsible for that specific CUI. It’s important to distinguish between designation and classification—CUI is designated by a contracting officer (KO), and its status depends on contractual obligations and security requirements. The standard form requirement in the proposed CUI rule will help clarify this.
Regulatory Requirements & Rulemaking
How do the changes get approved for the next CMMC version?
Any change, like moving from NIST SP 800-171 Rev. 2 to Rev. 3, requires going back through the federal rulemaking process.
This includes public comments, adjudication, and Office of Management and Budget (OMB) reviews. It’s a long, bureaucratic process that typically takes a year or more. It is not on the immediate horizon. Realistically, if anything happens, it would be toward the end of Phase 2 of CMMC rollout or the start of Phase 3, and would still involve a formal proposed rule and public review.
What are the rules for non-U.S. persons handling ITAR data in labs or technical environments?
Non-U.S. citizens cannot handle ITAR data unless specifically authorized. Even if a lab is ITAR-restricted, your tech staff must be U.S. persons to support anything involving ITAR.
How should we reconcile reporting requirements between DFARS/CMMC and what needs to be reported where and when?
It all depends. If the newly proposed Federal CUI rule remains as written, the reporting timeframe will decrease from 72 hours to 8 hours (or one business day) from discovery to incident reporting. That’s a significant change. However, SPRS reporting requirements remain unchanged and continue to be an annual obligation.
Will there be a way to quantify the requirements outlined in 32 CFR Part 170.5?
The question is a little ambiguous. But from a scoring perspective, point values are available for each requirement. There are nuances from FIPS/MFA, but the scoring breakdown is available to everyone and we are happy to discuss them with you if needed.
Costs
How do companies distribute costs incurred across federal government contracts?
Costs for cybersecurity should be included in your bid rates.
When DFARS 7012 first came out, DoD openly said they expected bid rates to rise because they were requiring new cybersecurity measures.
Unfortunately, many companies didn’t raise their rates to stay competitive.
If you have multiple contracts, the best way is to spread the cost across your contracts and cage codes over the 3-year certification period.
If you only have one contract, the cost will hit more directly.
Your proposal and contracts team should track these costs to avoid paying out of pocket.
(Also, keep your SPRS score updated; the DoD is paying attention to it, and it can help you be more marketable.)
Recovering cost in future contracts
Implementation costs were considered covered under DFARS 7012, but assessment costs can be factored into future contracts. The DoD expects some cost increases due to compliance, and primes will need to account for these expenses in their bids.
Is there a minimum cost for an assessment, or can smaller companies reduce certification costs?
Certification costs depend on the complexity and scope of your company, including factors like onsite visits, whether your operations are on-premises or in the cloud, and more. One way to reduce costs is by leveraging a cloud environment or minimizing your CMMC footprint to a single environment.
Jeremy is happy to discuss a quote with you one-on-one!
Submit a Question & Join us Live
Be part of the conversation, ask your questions, get them answered in real time, and get to know others in your shoes.
CMMC Connect is best experienced live. Join us to experience the (very) active chat and real-time Q&A.
We’re on air every last Thursday, from 1:00–2:00 PM (ET)
✓ Free and open to all
✓ Real-time answers & conversation
✓ Learn from others in the DIB
Upcoming Sessions: June 26 | July 31 | Aug 28 | Sep 25 | Oct 30 | Nov 20 | Dec 18