CMMC Assessments

Frequently Asked Questions


Regular cybersecurity assessments of contractors provide the Department increased assurance that sensitive information shared with the defense industrial base (DIB) is adequately protected. The Cybersecurity Maturity Model Certification (CMMC) 2.0 program simplifies and increases accountability in the cybersecurity assessment process.

Overview of Assessments

CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. Upon implementation of CMMC 2.0:

  • Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards.
  • Contractors managing information critical to national security will be required to undergo CMMC Level 2 third-party assessments.
  • The highest priority, most critical defense programs (Level 3) will require government-led assessments.

Self- Assessments

The Department views Level 1 as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Self-assessments will suffice to meet CMMC Level 1 requirements.

Likewise, a subset of programs with Level 2 requirements do not involve information critical to national security, and associated contractors will be permitted to meet the requirement through self-assessments.

Contractors will be required to conduct self-assessment on an annual basis, accompanied by an annual affirmation from a senior company official that the company is meeting requirements. The Department intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS).

Third-Party Assessments

Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC Level 2 assessment for a subset of acquisitions that involve information critical to national security.

The CMMC Accreditation Body (The Cyber AB) will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO). Accredited C3PAOs will be listed on The Cyber AB Marketplace. The DIB company will be fully responsible for obtaining the needed assessment and certification, to include coordinating and planning the CMMC assessment. After the completion of the CMMC assessment, the C3PAO will upload the assessment report into CMMC EMASS, which DoD can access.

As part of the CMMC 2.0 implementation, the DoD will approve all Cyber AB conflict of interest related policies that apply to the CMMC ecosystem. Additionally, The Cyber AB must achieve compliance with the ISO/IEC 17011 standard prior to accrediting C3PAOs and a CAICO. Separately, C3PAOs will be required to comply with ISO/IEC 17020 and the CAICO will be required to comply with ISO/IEC 17024 requirements.

Government Assessments

The Department intends for Level 3 cybersecurity requirements to be assessed by government officials. Assessment requirements are currently under development.

Key Changes Incorporated Under the CMMC 2.0 Framework

Assessments CMMC 1.0 CMMC 2.0
  • Required all DoD contractors to undergo third-party assessments for CMMC compliance
  • Allows the majority of contractors, associated with Level 1 and a subset of Level 2 CMMC requirements, to perform annual self-assessments
  • Some CMMC Level 2 requirements must be met via triennial third-party assessments
  • Level 3 programs will require triennial assessments conducted by government officials

Oversight of Assessment Ecosystem CMMC 1.0 CMMC 2.0
  • DoD reviewed Cyber AB Conflict of Interest policies
  • DoD will approve The Cyber AB’s Conflict of Interest policies