
Small Business | June 3, 2026

CMMC Frequently Asked Questions and Answers

The following subjects are frequent topics of questions that small businesses and suppliers have concerning cybersecurity when working with DLA/DoW and the Cybersecurity Maturity Model Certification process.

This FAQ article is a living document that will be updated frequently.

See the slide deck from the most recent DLA Office of Small Business Programs Webinar from April 2026 (PPT).

Identifying Protected Information: FCI vs. CUI

The definition of federal contract information is found in FAR 40.301 (Federal Acquisition Regulation), “Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.”

Examples of FCI may include:

  • Contract performance reports
  • Organizational charts
  • Process documentation
  • E-mails about the contract or contracting process
  • Project plans
  • Deliverables List
  • Timelines

CUI as defined in Title 32 CFR 2002.4(h) (Code of Federal Regulations), “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

More information about CUI can be found at CUI Registry Guide by Category.

Documents will have a banner line with “CUI” at the top and a footer at the bottom of each page.

CUI documents should have a coversheet (SF 901). Some, but not all, CUI documents will have distribution statements. Containers with CUI inside should have labels. If a supplier receives documents that, in its opinion, appear to be CUI, the supplier should ask for validation of the protection requirements of those documents.

Reference: CUI Marking Handbook V1 2016 (PDF)

Most standard contract forms, RFQs, SAM.gov notices, and award documents are not CUI.

However, attachments associated with these contract documents may contain CUI. Each document should be marked appropriately.

Examples of contract documents that MAY contain CUI are research and engineering data, engineering drawings, technical reports, technical data packages, design analyses, specifications, test reports, technical orders, cybersecurity plans, IP addresses, nodes, and links.

Proc. Notes L40, L41, and L42 may be included in solicitations that will eventually require a CMMC level associated with CUI.

Proc. Note | Title
L40 | CMMC Level 2 Self-Assessment Requirement
L41 | Cybersecurity Maturity Model Certification (CMMC) Level 2 Certified Third-Party Assessment Organization (C3PAO) Requirement
L42 | Cybersecurity Maturity Model Certification (CMMC) Level 3 Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) Assessment Requirement

Standard Text Objects may be included in solicitations requiring Level 2 self-assessment or C3PAO certification.

Standard Text Object | Title
RD004 | Cybersecurity Maturity Model Certification (CMMC) Level 2 Self-Assessment Phase-In Requirement (November 10, 2025 – November 10, 2028)
RD005 | Cybersecurity Maturity Model Certification (CMMC) Level 2 Certified Third-Party Assessment Organization (C3PAO) Phase-In Requirement (November 10, 2025 – November 10, 2028)

Reference: DoW CUI Program Controlled Technical Information

Technical drawings may contain CUI. A list of examples of CUI is at the DoD CUI website.

Reference: DoW CUI Program Controlled Technical Information

The Commercial Off-The-Shelf (COTS) and Surplus Exceptions

COTS items are exempt from all CMMC levels. However, it is the Contracting Officer and Product Specialist who determine whether an item is a COTS item.

Reference: DFARS 240.370-5

It is the Contracting Officer and Product Specialist who determine whether an item is a COTS item. If you disagree with the determination, please contact the individual Contracting Officer working on the solicitation.

CMMC Assessment Levels and Compliance Tracking

A Level 2 Self-Assessment is conducted by the company itself on its own IT equipment.

A Level 2 C3PAO assessment is conducted by a certified third-party assessment organization on the assessed company's IT equipment.

You can find a list of third-party assessing companies at Cyber AB Catalog.

Companies with a self-assessment score of 88 to 109 will be given a CMMC L2 conditional self-assessment status.

Companies that have a L2 conditional self-assessment will require additional approvals within DLA’s pre-award process to receive new awards.

Having a conditional score will cause the Contracting Officer to complete a risk assessment and obtain concurrence from higher level officials within the organization.

In order to remain competitive in the acquisition process, it is recommended that suppliers achieve Level 2 final self-assessment status. This requires a score of 110.

Reference: CMMC Level 2 Self Quick Entry Guide (PDF)

Proc letter 26-01 & DLAD 4.7503: https://dodcio.defense.gov/cmmc/About/

Self-assessments that result in “Not Met” responses may or may not result in a conditional status. The supplier must meet the requirements of Title 32 CFR Part 170.21 before a conditional status can be achieved.

If a conditional status is achieved, any missed controls will be placed in a plan of action and milestones (POA&M). All POA&Ms must be resolved within 180 days.

Implementation Timelines and Phased Rollout

DFARS provision 252.204-7025 and DFARS clause 252.204-7021 will convey what CMMC level is required for each specific solicitation.

If these provisions or clauses state a CMMC level is required, then the company must have the specific CMMC level to receive the award.

DLA may start implementing CMMC Level 2 (C3PAO) in contracts on about November 10, 2027.

DLA will not include CMMC Level 2 (C3PAO) in manual solicitations and contracts before November 10, 2027.

DLA may include CMMC Level 2 (C3PAO) in automated solicitations and contracts on November 10, 2028.

Reference: DFARS Part 240.371-3

Each solicitation will specify the CMMC level required. DFARS provision 252.204-7025 and DFARS clause 252.204-7021 will convey what CMMC level is required for each specific solicitation. Suppliers must meet the specified level to receive an award.

Supply Chain Flow-Down and Subcontracting

DLA buyers and Contracting Officers will check the company receiving the award to determine if the company meets the CMMC level required for the specific solicitation.

Being only a dealer/distributor is NOT an exception to this requirement. The dealer/distributor will need to meet CMMC requirements.

Reference: DLAD PGI 4.7503-90

Suppliers are required to comply with DFARS 252.204-7012 (m) and Title 32 CFR Part 170.23. This clause requires the contractor to flow down CMMC clauses to any subcontract or similar contractual instrument that involves covered defense information.

The prime contractor is responsible for determining if the information retains its identity as covered defense information and will require protection.

Reference: DFARS clause 252.204-7012

Small Business Resources, Costs, and Waivers

The Department appreciates the financial considerations of our industry partners, though it is important to note that the foundational requirements to protect CUI have been in place for nearly a decade under the DFARS 252.204-7012 clause. CMMC primarily serves as a verification mechanism for NIST SP 800-171 controls, rather than introducing entirely new technical baselines. This ten-year rollout period was intended to provide suppliers of all sizes the runway needed to incrementally plan, budget for, and absorb these necessary infrastructure updates over time. As a result, maintaining secure IT systems and completing assessments are generally considered essential business investments for operating within the Defense Industrial Base, rather than costs directly subsidized by the Government.

There are some programs at the state level that offer financial assistance to companies seeking to achieve CMMC compliance. Some of the known state-level programs are:

Project Spectrum has several (approximately 57) templated documents that suppliers can reference when developing their own system security plan. These resources are free for DLA suppliers.

The DLA small business website provides information about CMMC requirements; see the DLA Small Business Cybersecurity Resources page.

There are several free NIST publications available at NIST Computer Security Resource Center.

The DoW CIO has several resources available at DoW CIO CMMC Resources and Documentation.

Waivers are possible. However, waivers for CMMC requirements are extremely limited. Contact the Contracting Officer or buyer you work with to request a waiver.

Source: Proc. Letter 26-01, DLAD PGI 4.7503-90 (b), Memo from OSW dated January 15, 2025, Subject: Implementing the Cybersecurity Maturity Model Certification (CMMC) Program: Guidance for Determining Appropriate CMMC Compliance Assessment Levels and Process for Waiving CMMC Assessment Requirements