FREQUENTLY ASKED QUESTIONS
We’re here to help! Below you’ll find answers to the questions we get asked the most about our CMMC assessment and certification process.
Have another question? Ask us today!
The cost of a CMMC assessment varies based on several factors, including the size of your organization, the scope of the environment being assessed, and your overall readiness.
Following an initial engagement call, DTC provides a preliminary cost estimate based on a high-level understanding of your environment. Final pricing is informed by key artifacts such as your System Security Plan (SSP), network architecture, and CUI/data flow diagrams to ensure the assessment scope is accurate and appropriate.
Yes and no. The Federal CUI Rule (32 CFR Part 2002) is also undergoing the rulemaking process; once finalized, it will apply protection requirements to ALL federal contracts, which will be required to safeguard Controlled Unclassified Information. The framework for compliance with the FAR CUI rule is the same NIST 800-171/172 requirements that the DoD’s CMMC program will use.
During a CMMC assessment, a Certified Assessment team evaluates both your information systems and organizational cybersecurity practices against the CMMC level required by your contract.
The assessment includes a review of policies and procedures, technical configurations, and objective evidence demonstrating that required controls are implemented and effective. This may involve examining documentation, interviewing personnel, and observing system configurations.
Assessors also verify that cybersecurity practices are institutionalized, meaning they are consistently followed, documented, and maintained across the organization.
Assessors validate implementation and effectiveness but do not provide implementation guidance or remediation recommendations during the assessment.
The required CMMC level will be specified in the solicitation or contract documents. It is determined by the type of information your organization handles or processes and the associated risk. You can also consult with the contracting officer or the requiring activity for clarification. (Ref DFARS Section 204.7501)
A CMMC certification will be valid for three years. Contractors must maintain a current certificate at the required level throughout the life of the contract and for any option periods or extensions. (Ref DFARS 204.7501)
Yes, if your managed service provider (MSP) or external service provider (ESP) is responsible for systems or services that process, store, or transmit FCI or CUI, they may be considered in scope for the assessment.
In these cases, assessors may need to evaluate shared responsibilities, supporting documentation, and evidence related to the services provided. Organizations remain responsible for ensuring that all applicable CMMC requirements are met, even when IT services are outsourced.
If an organization does not meet all CMMC assessment requirements, it may be eligible to receive a Conditional CMMC Status, depending on the assessment type and contract requirements.
In these cases, certain unmet requirements may be documented in a Plan of Action and Milestones (POA&M). All POA&M items must be remediated within the required timeframe and validated through a follow-on assessment to achieve a Final CMMC Status.
Organizations that do not achieve certification may be unable to bid on or be awarded DoD contracts that require CMMC until compliance is demonstrated.
Yes, but it depends on your contract requirements. Organizations are expected to conduct internal self-assessments to evaluate readiness and maintain compliance.
However, when a third-party assessment is required by contract, a self-assessment does not result in CMMC certification. In those cases, organizations must be assessed by an authorized CMMC Third Party Assessment Organization (C3PAO) to achieve certification.
Yes. CMMC requirements can apply to subcontractors and lower-tier subcontractors if they handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in support of a DoD contract. Prime contractors are responsible for flowing down applicable CMMC requirements through the supply chain based on the type of information being shared.
All organizations in the supply chain must meet the CMMC level required for the information they handle, regardless of company size or contract tier.
32 CFR, specifically Part 170, establishes the CMMC Program itself, including CMMC levels, assessment requirements, and the roles and responsibilities of assessment organizations.
48 CFR, specifically Parts 204, 212, 217, and 252, governs how CMMC requirements are implemented in Department of Defense contracts, including when CMMC requirements apply and how they are flowed down to subcontractors.
Together, these regulations define both the structure of the CMMC program and how CMMC requirements are enforced through DoD contracting.
The total timeline from kickoff to certification typically ranges from 1–3 months, depending on an organization’s readiness and the quality of available evidence.
The assessment execution itself is usually completed within 4–5 business days. Additional time is often required before and after the assessment to finalize scope, review evidence, address any gaps, and complete reporting activities.
Organizations that are well-prepared and have complete documentation may move through the process more quickly, while those requiring remediation may take longer.
Generally, no. Organizations that only handle hard-copy CUI and do not process, store, or transmit CUI on contractor-owned information systems are not required to undergo a CMMC assessment.
However, the determination depends on how CUI is received, processed, and handled in practice. If CUI is received electronically (such as by email) or placed on an information system—for example, by scanning, photographing, uploading, or entering it into a system—that system becomes subject to applicable CMMC requirements.
Organizations that handle both paper and digital CUI must meet CMMC requirements for the full scope of their environment.
Organizations can best prepare for CMMC by understanding their required CMMC level, clearly defining the scope of systems that handle FCI or CUI, and ensuring required security controls and documentation are in place.
Many businesses work with external service providers, such as managed service providers (MSPs) or cybersecurity consultants, to help implement controls and address gaps prior to an assessment. Conducting internal readiness reviews or mock assessments can also help organizations prepare.
As a C3PAO, DTC does not provide implementation services but can offer general recommendations for third-party providers that support CMMC preparation.
In limited cases, organizations may receive a Conditional CMMC Status with specific requirements documented in a POA&M. Only certain requirements are eligible for inclusion in a POA&M.
All POA&M items must be remediated within the allowed timeframe and validated through a follow-on assessment before a Final CMMC Status can be achieved.
Many small businesses choose to outsource IT services or engage third-party providers to support CMMC preparation. This approach can help organizations address resource and expertise gaps; however, organizations remain responsible for compliance and must ensure that outsourced services align with CMMC requirements.
Careful due diligence is important, particularly when evaluating tools or services advertised as “one-click” or “fully compliant” solutions.
Have more questions about CMMC?
Additional guidance is available in the Department of Defense’s official CMMC Frequently Asked Questions.
If you have questions specific to your organization or would like to discuss assessment requirements, you can also schedule an initial engagement call with our team.