CMMC FAQ — General Questions
How do I know if I need CMMC?
You likely need CMMC if any of the following apply:
- You hold or pursue Department of Defense (DoD) contracts
- You are a subcontractor to a DoD prime contractor
- Your contract includes DFARS cybersecurity clauses
- You store, process, or transmit Controlled Unclassified Information (CUI)
- A prime contractor has asked about your CMMC status
If CMMC applies, certification is tied directly to contract eligibility.
When in doubt, it’s better to confirm applicability early than discover it during contract award or renewal.
What level of CMMC do I need?
- CMMC Level 1 generally applies to organizations handling Federal Contract Information (FCI) only
- CMMC Level 2 applies to organizations handling Controlled Unclassified Information (CUI)
The required level is determined by your contract — not by preference.
How long does it take to prepare for a CMMC certification assessment?
For most organizations, 6–9 months is a realistic preparation timeframe.
That timeline typically includes:
- Scoping and boundary definition
- Gap analysis and remediation
- Documentation development (SSP, policies, procedures)
- Evidence collection and validation
- Internal readiness checks before assessment
Organizations with strong existing security programs may move faster; others may require additional time depending on complexity and maturity.
Can we prepare faster than 6 months?
Sometimes — but rushing preparation increases the risk of:
- Incorrect scoping
- Weak or incomplete documentation
- Failed assessment results
- Contract delays
CMMC is a pass/fail certification. Preparation quality matters more than speed.
CMMC Assessment Boundaries
(What Assessors Can and Cannot Do)
Can a CMMC assessor help us prepare for the assessment?
No.
Assessors working for a C3PAO are prohibited from consulting, advising, or preparing an organization for its assessment.
Can an assessor tell us why we failed or how to fix issues?
No.
Assessors document findings but cannot provide remediation guidance.
Can an assessor help us scope our environment?
No.
Scope decisions must be made before the assessment begins. Incorrect scoping is a common cause of failure.
Can an assessor review our SSP or policies in advance?
No.
Documentation is evaluated during the assessment. Pre-review or approval is not allowed.
Who can help us prepare?
Independent consultants who are not acting as your assessor and have no C3PAO conflict of interest.
Why does this distinction matter?
Preparation errors lead to:
- Failed assessments
- Re-assessment delays
- Disrupted contract timelines
- Revenue impact
Proper preparation must happen before an assessor is engaged.



