CMMC 2.0 UPDATES:

Our Frequently Asked Questions have been updated to reflect the most recent information provided by the CMMC-AB and the Department of Defense.

Cybersecurity Maturity Model Certification

On March 18, 2020, the Department of Defense (DoD) released Version 1.02 of the Cybersecurity Maturity Model Certification (CMMC) document, as a replacement for Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. Since then, federal contracting companies have been asking questions about CMMC. To help contractors, clients, and prospects, Edwards Performance Solutions has compiled the most frequently asked questions (FAQ), including DoD-related questions, below.
CMMC 2.0

Now that CMMC 2.0 is published, will companies be required to comply with CMMC 1.0?
No. According to The Cyber AB, CMMC 1.0 has been “OBE” (overcome by events). Most requirements of CMMC 1.0 are carried into CMMC 2.0. The interim DFARS rule established a five-year phase-in period, during which CMMC compliance was only required in select pilot contracts. Once CMMC 2.0 is codified through rulemaking, companies must comply with the revised framework.

When will CMMC 2.0 be required for DoD contracts?
CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process can take 9–24 months. Once completed, CMMC 2.0 will become a contract requirement.

Why did the Department make these changes?
The Department received over 850 public comments on CMMC 1.0. Key themes:

  • Reduce costs, especially for small businesses
  • Increase trust in the assessment ecosystem
  • Clarify and align requirements with other federal standards

CMMC 2.0 was designed to meet these goals while enhancing cybersecurity in the defense industrial base.

How much will it cost to implement CMMC 2.0?
The Department will publish a cost analysis during rulemaking. Costs are projected to be lower than CMMC 1.0 because requirements are streamlined, some organizations can self-assess at Level 1 and certain Level 2 contracts, and oversight of the third-party ecosystem will increase.

How will my organization know what CMMC level is required for a contract?
The required level will be stated in the solicitation and in any RFIs, if used.

What is the relationship between NIST SP 800-171 and CMMC?
CMMC Level 2 is equivalent to NIST SP 800-171 Rev 2. Level 3 will be based on a subset of NIST SP 800-172.

How frequently will assessments be required?

  • Level 1 and some Level 2: annual self-assessment
  • Some Level 2 and all Level 3: third-party or government-led assessments every 3 years

Who will perform third-party CMMC assessments?
Only authorized C3PAOs, using Certified CMMC Assessors (CCAs).

Will my organization need to be certified if it does not handle CUI?
Yes. If your company handles FCI but not CUI, you must perform a Level 1 self-assessment and submit results annually into SPRS.

Will CMMC certifications apply to classified systems?
No. CMMC only applies to unclassified networks processing FCI or CUI.

Will the results of my assessment be public? Will DoD see my results?
Results will not be public. DoD will have access to self-assessments (stored in SPRS) and third-party assessments (stored in eMASS). Certificates are automatically posted to SPRS, but detailed results remain private.

How much will CMMC certification cost?
Costs depend on CMMC level, network complexity, and market forces. DoD will publish updated estimates with CMMC 2.0 rulemaking.

What is the difference between a CMMC self-assessment and a Basic Assessment (DFARS 252.204-7020)?

  • CMMC self-assessment: uses the CMMC Assessment Guide, includes annual attestation by a senior company official.
  • Basic Assessment: NIST SP 800-171 DoD methodology, produces a “Low” confidence score.

How will CMMC apply to non-U.S. companies?
Any company working with DoD must comply. U.S. allies may adopt similar standards, with reciprocity agreements likely.

Will CMMC align with other cybersecurity standards?
The DoD is exploring acceptance standards between CMMC Level 2 and the NIST SP 800-171 DoD Assessment Methodology, FedRAMP for cloud services, and potential international agreements.
CMMC 101

Where can I get the latest information about CMMC?
The Cyber AB website and newsletter, plus Edwards’ dedicated CMMC page.

What is the current version of the CMMC Model?
The CMMC Model, its Assessment Guide, and the NIST SP 800-171 Rev 2 framework.

What is an APP?
Approved Partner Publisher — develops official training materials for ATPs.

What is an ATP?
Approved Training Provider — delivers CMMC training through Certified Instructors.

What is a C3PAO?
CMMC Third-Party Assessment Organization — conducts official assessments with Certified Assessors.

How can I find APP organizations?
The Cyber AB Marketplace lists all APPs. Edwards is an APP and publishes exam prep guides and training materials.

Why should an OSA/OSC engage an RPO?
RPOs employ Registered Practitioners to guide companies through preparation and certification. Edwards is an RPO, listed on the Marketplace.

Is there a list of C3PAOs?
Yes, on the Cyber AB Marketplace. Edwards is a candidate C3PAO.

Does Edwards provide CMMC training?
Yes. Edwards offers Cyber AB–approved CCP training.

What is CUI?
Controlled Unclassified Information — requires at least Level 2.

What is FCI?
Federal Contract Information — requires at least Level 1.

What are the differences between CMMC Levels?

  • Level 1: FCI
  • Level 2: CUI
  • Level 3: critical programs, NIST SP 800-172 subset

When can I get certified?
After the final rule is published (now expected in 2025).

What is the CMMC certification process?
Work with an RPO for readiness, then schedule an assessment with a C3PAO. Certifications are valid for 3 years.

What is the difference between RPO and C3PAO?

  • RPO: advisory services, Registered Practitioners on staff
  • C3PAO: performs official CMMC assessments
Consulting & Audits

Is there a list of assessors who receive Cyber AB training?
Yes, CCPs and CCAs are listed on the Marketplace.

How can I get assessed?
Contract with an RPO for readiness and a C3PAO for the official assessment. The same provider cannot perform both.

How can I become an assessor?
Take training from APPs and ATPs for the CCP and CCA credentials.

When can I get assessed?
Formal assessments begin once the final rule is in effect (Nov 2025).

How do I choose a C3PAO?
The Marketplace lists C3PAOs with background information.

How do I prepare for an audit?
Work with RPOs or C3PAOs for readiness. Edwards can help.

Who am I able to work with?
You may engage RPOs for prep and C3PAOs for assessment, but not the same provider for both.

Are there tools to prepare for certification?
Yes. The official CMMC Assessment Guides (Level 1 and Level 2) are on the DoD A&S site.
Education & Training

When will Cyber AB assessment courses be created?
See the current list on the Edwards website.

How long is the course?
Standard CCP and CCA courses run 5 days. Delivery options: virtual, in-person, hybrid, and guided learning.

What do I get for training?
Live courses include an exam prep guide, editable workbooks, and additional resources.

Do I need to take training in a specific order?
Yes. CCP is required before CCA.

Will course information stay up to date?
Yes. Edwards updates courses continuously.

Is there a list of CCAs?
The Cyber AB will release a list once CCAs are certified.

© Edwards Performance Solutions 2026