CMMC Implementation


Cybersecurity Maturity Model Certification (CMMC) program requirements will be implemented through the acquisition and contracting process. With limited exceptions, the Department intends to require compliance with CMMC as a condition of contract award.

Overview of Implementation

Once CMMC 2.0 is implemented, the required CMMC level for contractors and sub-contractors will be specified in the solicitation and in Requests for Information (RFIs), if utilized.

Five Steps to Make Your Company More Cyber Secure

1. Educate people on cyber threats. Most cyber incidents start because of user error. Educate people about the importance of setting strong passwords, recognizing malicious links, and installing the latest security patches. Helpful materials and training videos are available through Project Spectrum.

2. Implement access controls. Limit information systems access to authorized users and the specific actions that they need to perform.

3. Authenticate users. Use multi-factor authentication tools to verify the identities of users, processes and devices.

4. Monitor your physical space. Escort visitors and monitor visitor activity, maintain audit logs, and manage physical devices like USB keys.

5. Update security protections. Make sure to download the latest security patches when new releases are available. Always double-check to make sure they are coming from a trusted source.

Plan of Actions and Milestones (POA&Ms)

With the implementation of CMMC 2.0, the Department intends to allow companies to receive contract awards with a limited-time Plan of Actions and Milestones (POA&M) in place to complete CMMC requirements. The Department’s intent is to specify a baseline number of requirements that must be achieved prior to contract award, in order to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline. The Department also intends to specify a small subset of requirements that cannot be on a POA&M in support of achieving a CMMC certification.


Under CMMC 2.0, the Department intends to allow a limited waiver process to exclude CMMC requirements from acquisitions for select mission-critical requirements. DoD policies for Program Managers seeking CMMC waivers will require senior DoD leadership approval and will limit waiver duration.

Key Changes Incorporated Under the CMMC 2.0 Framework

Plan of Actions and Milestones (POA&Ms)

CMMC 1.0
  • No allowance for POA&Ms

CMMC 2.0
  • Allows the use of POA&Ms
  • Highest weighted requirements cannot be on POA&M list
  • DoD will establish a minimum score requirement to support certification with POA&Ms

Waivers

CMMC 1.0
  • No allowance for waivers

CMMC 2.0
  • Applied to entire CMMC requirement, not individual cybersecurity practices
  • Allowed on a very limited basis in select mission critical instances, upon senior leadership approval
  • DoD program office submits a justification package that includes specified timeline and associated risk mitigation plan
  • Timelines imposed on a case-by-case basis to achieve CMMC compliance