Need help with your CMMC assessment scope?
Download Sentar’s latest whitepaper, “Tips on Establishing Your Assessment Scoping Boundary from a C3PAO”
For more information, please contact:
Chandler Hall
chandler.hall@sentar.com
(256) 836-7853
Sentar has helped Defense Industrial Base (DIB) contractors meet their DOD compliance requirements starting with DFARS 252.204-7012 in 2015, NIST SP 800-171 in 2016, and now with CMMC. Sentar is itself a DOD contractor that is required to meet CMMC LV2 upon publication of the final rule(s). Along with being a FedRAMP 3PAO (cloud application security assessor), Sentar is uniquely positioned to help any DOD contractor walk the compliance path that we have already trekked. We hope you find this FAQ page helpful.
CMMC is a requirement the DOD created that requires DIB contractors handling Controlled Unclassified Information (CUI) to hire an authorized third-party assessor to validate their compliance with a set of controls defined in NIST SP 800-171 (“NIST-171”). DOD contractors have been required to meet NIST-171 since Jan 1, 2018.
Sentar is an accredited CMMC Third Party Assessment Organization (C3PAO) that contractors can use now to obtain an early-bird verification of compliance using the Joint Surveillance Voluntary (JSV) assessment method, getting ahead of the 71,000+ Level 2 CUI-handling DIB contractors that must get certified once the CFR 32 Part 170.14 proposed rule is in effect. This rule requires the majority of contractors receiving, creating, and handling CUI to pass a third-party assessment from a C3PAO prior to receiving new contract awards with the CMMC requirement, based on a phased rollout defined in the rule. Contractors that only handle, create, or process Federal Contract Information (FCI), along with a small subset of contractors dealing with CUI that is not considered of national security importance, can self-assess their Maturity Level 1 or Maturity Level 2 compliance.
CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. In layman’s terms, it is important data that should be marked with unique headers identifying it as such. While not Secret or Top Secret information, mishandling of CUI can harm our nation and should be tightly controlled.
There is a CUI Registry you can access for further research here.
If you are unclear as to whether your contract involves CUI, our experts can help determine if your organization will be required to obtain a CMMC Certificate in the near future.
Click here to contact Sentar and request a free consultation session.
CMMC is a mandatory requirement. By the beginning of FY2026, your organization will not be awarded, nor be allowed to work on, a DOD contract with this requirement without achieving the correct certification level. It is anticipated that by Oct 1, 2025, ALL DOD contracts will require a contractor to be certified at CMMC Level 1-3, depending on the contract requirement. Again, without this certification, contractors will NOT be awarded new contracts. Additionally, with the changes implemented in CMMC 2.0 and the upcoming rule changes to DFARS, existing contracts will have the CMMC requirement flowed down to them, putting those existing contracts at risk at that time.
The challenge for most organizations required to comply is mainly the risk of incorrectly interpreting or implementing practices, which causes the contractor to fail their assessment. Each higher tier of the CMMC adds an increasingly demanding set of practices and processes:
The following chart shows the original V1.0 five level model that was reduced to three levels in V2.0:
What are my DOD Compliance requirements today?
No vendor is required to obtain a CMMC Certificate at this time. However, it is estimated that ~76,000 DOD contractors receive, create, or handle Controlled Unclassified Information (CUI) and therefore must be compliant with DFARS 252.204 Subparts 7012, 7019, 7020, and 7021. Furthermore, subpart 7019 requires these same DIB contractors to assess their NIST SP 800-171 implementation status and submit a score reflecting that posture to the Supplier Performance Risk System (SPRS). Failure to do so NOW can prevent award of a new contract. These same contractors will be required to obtain a CMMC LV2 Certificate upon publication of the final rule(s).
When will CMMC compliance show up on DOD contracts?
New contracts could start requiring a CMMC LV2 certification as early as June 2025.
YES. Eventually, all DOD contracts will require almost all contractors to obtain a CMMC Certification. However, only DOD contractors handling, receiving, or creating CUI will be required to pay a C3PAO to certify their compliance.
When will all DOD Contracts require CMMC Certification?
The CFR 32 Part 170.14 proposed rule defines an escalating rollout of contracts requiring CMMC Certification of contractors over 30 months (2.5 years) once the rule is in effect. NOTE: All new contracts could carry the CMMC requirement within SIX MONTHS of the rule being in effect. (See section 170.3 Applicability in CFR 32 Part 170.14, located here.)