
FAQ - AWS Prescriptive Guidance

FAQ

This section answers common questions about the CMMC program, the CMMC model and its relationship to NIST standards, assessment requirements and scoring, implementation timelines, the role of external service providers and FedRAMP, how the AWS Shared Responsibility Model applies to control inheritance, and how to prepare for a C3PAO assessment on AWS.

About CMMC

When will CMMC assessments be required for Department of Defense contracts?

The DoD began incorporating CMMC assessment requirements in applicable procurements on November 10, 2025, when the revised DFARS clause 252.204-7021 became effective. The first 12 months of implementation primarily focus on self-assessments. For further information on the DoD's phased implementation plan, see 32 CFR 170.3(e).

How much will it cost to achieve CMMC compliance?

Costs incurred to implement existing contract requirements for safeguarding information (for example, DFARS 252.204-7012) are not considered part of the CMMC compliance cost. The cost of achieving CMMC compliance (self-assessment or certification) depends on various factors, including the CMMC level required, the complexity of the DIB company's unclassified network, the existing cybersecurity posture of the organization, and market forces of supply and demand.

What resources are available to assist companies in complying with DoD cybersecurity requirements?

The DoD provides several resources to help businesses reach cybersecurity compliance:

  • The DoD CIO DIB Cybersecurity Program has compiled no-cost Cybersecurity-as-a-Service resources to reduce barriers to DIB community compliance.

  • The Cyber AB Marketplace lists certified CMMC assessors, professionals, and registered practitioner organizations.

  • The Defense Acquisition University (DAU) offers free online CMMC and cybersecurity training.

  • The DoD Office of Small Business Programs has compiled resources aimed at helping small and medium-sized businesses understand security requirements.

In addition, AWS provides resources to support your compliance journey, including the AWS CMMC Compliance page, the AWS NIST SP 800-171 / CMMC 2.0 Level 2 CRM, and AWS Artifact for on-demand access to AWS compliance reports.

Who is the point of contact for general inquiries regarding the CMMC Program?

  • CMMC Program, model, or policy: Use the CMMC PMO contact form.

  • Registered Practitioner (RP/RPA) and C3PAO application status: Contact the Cyber AB at support@cyberab.org.

  • Certified Professional (CCP) or Certified Assessor (CCA) application status: Contact the Cybersecurity Assessor and Instructor Certification Organization (CAICO) at support@cyberab.org.

CMMC model

How will my organization know what CMMC level is required for a contract?

The DoD specifies the required CMMC level in the solicitation and the resulting contract. The level is determined by the type and sensitivity of the information the contractor will handle:

  • Level 1 (Foundational): 15 basic safeguarding requirements from Federal Acquisition Regulation (FAR) 52.204-21. Annual self-assessment. Applies when only FCI is present.

  • Level 2 (Advanced): 110 security requirements from NIST SP 800-171 Revision 2. Self-assessment or C3PAO assessment. Applies when CUI is present.

  • Level 3 (Expert): 24 additional requirements from NIST SP 800-172, on top of the 110 Level 2 requirements. Government-led assessment by DIBCAC. Applies to the most sensitive CUI.

What is the relationship between NIST SP 800-171 and CMMC?

NIST SP 800-171 is the federal safeguarding standard for CUI required by 32 CFR Part 2002, which the DoD implemented contractually through DFARS clause 252.204-7012. Beginning November 10, 2025, applicable contractors are required to undergo a Level 2 self-assessment or a CMMC third-party assessment to verify compliance with NIST SP 800-171 Revision 2 requirements.

Will the DoD update CMMC to use NIST SP 800-171 Revision 3?

Yes. The DoD will incorporate Revision 3 through future rulemaking. In the interim, the DoD has issued a class deviation to DFARS clause 252.204-7012 to maintain Revision 2 as the assessment standard until Revision 3 has been incorporated into the 32 CFR CMMC Program rule.

Can DoD contractors implement NIST SP 800-171 Revision 3 now?

Yes. Companies can implement Revision 3, but must use the organization-defined parameter (ODP) values the DoD specified in its April 2025 memorandum. Because CMMC assessments are conducted against Revision 2 until the class deviation is withdrawn or superseded, DIB companies must make sure every Revision 2 requirement remains satisfied and must close any identified gaps between Revision 2 and Revision 3.

What is the relationship between NIST SP 800-172 and CMMC?

NIST SP 800-172 provides security requirements designed to address advanced persistent threats and forms the basis for CMMC Level 3. Contractors must implement 24 requirements from NIST SP 800-172 in addition to the 110 requirements from NIST SP 800-171 when the DoD identifies Level 3 as a contract requirement.

Will CMMC requirements flow down to subcontractors?

Yes. Per 32 CFR 170.23, CMMC requirements flow down to subcontractors based on the type of data (FCI or CUI) that will be processed, stored, or transmitted on the subcontractor's information system:

  • Subcontractor handles FCI only: Level 1 (Self-Assessment) required.

  • Subcontractor handles CUI, prime requires Level 2 (Self): Level 2 (Self) minimum.

  • Subcontractor handles CUI, prime requires Level 2 (C3PAO): Level 2 (C3PAO) minimum.

  • Prime contract requires Level 3: Minimum flow-down is Level 2 (C3PAO), unless the government provides specific contractual guidance (for example, a Security Classification Guide).

What is the difference between FCI and CUI?

Both FCI and CUI are information that is "not intended for public release." However, CUI requires additional safeguarding and may also be subject to dissemination controls.

  • FCI is defined in FAR clause 52.204-21.

  • CUI is defined in 32 CFR Part 2002. The DoD's CUI Quick Reference Guide includes additional information on marking and handling.

CMMC makes no changes to CUI definitions or safeguarding requirements. If your contract involves CUI, you need Level 2. If it involves only FCI, Level 1 applies.

Is encrypted CUI still considered to be CUI?

Yes. Per 32 CFR Part 2002, CUI remains controlled until it is formally decontrolled. Encrypted CUI data retains the control designation given to the plain text counterpart. While certain risks (for example, transmission across unsecured networks) are accepted for cipher text that would not be accepted for plain text, this does not mean the original controlled information is considered decontrolled.

This has direct implications for cloud deployments: even if CUI is encrypted at rest in a CSP environment, the encrypted data is still CUI, so DFARS 252.204-7012 still requires the CSP to meet security requirements equivalent to the FedRAMP Moderate baseline.

Assessments

How frequently will assessments be required?

Level 1 self-assessments are required annually. CMMC Levels 2 and 3 assessments are required every three years. An affirmation of continued compliance is required for all CMMC levels at the time of assessment and annually thereafter. See 32 CFR 170.3(e) for the phased implementation timeline.

Will my organization need to be independently assessed if it does not handle CUI?

No. If a DIB company does not process, store, or transmit CUI, it does not need an independent (C3PAO) assessment. If the company handles FCI only, a CMMC Level 1 self-assessment is required.

Will CMMC assessments be required for classified systems or classified environments?

No. CMMC only applies to DIB contractors' nonfederal unclassified information systems that process, store, or transmit FCI or CUI.

Will assessment results be made public?

The public will not have access to a listing of DIB companies that have completed CMMC self-assessments or received certificates. Such information is available to DoD officers leading procurement activities.

A company can view its own scores and status in SPRS. Suppliers may print verification of their status from SPRS to share with primes. Subcontractors may voluntarily share their CMMC Status, assessment scores, or certificates to facilitate business teaming arrangements.

Does my company need a specific CAGE code for each location to comply with CMMC?

No. Another existing Commercial and Government Entity (CAGE) code in the company's hierarchy may be used to submit the appropriate assessment identified by the CMMC Unique Identifier (UID). The CMMC UID must contain the scope that covers the assessment. CAGE codes (including the Highest-Level Owner) are used for metrics purposes, to enforce authorized access to data in SPRS, and to perform annual affirmations.

Which requirements are not allowed on a Plan of Action and Milestones?

32 CFR 170.21 restricts which NOT MET requirements may be placed on a Plan of Action and Milestones (POA&M). The following 26 requirements, primarily Basic security requirements, must be MET at the time of assessment. If any of them is NOT MET, the organization cannot achieve even Conditional CMMC Status regardless of overall score.

The POA&M-ineligible requirements are:

  • Access Control (AC): 3.1.1, 3.1.2, 3.1.20, 3.1.22

  • Audit and Accountability (AU): 3.3.1, 3.3.2

  • Configuration Management (CM): 3.4.1, 3.4.2

  • Identification and Authentication (IA): 3.5.1, 3.5.2

  • Media Protection (MP): 3.8.3

  • Personnel Security (PS): 3.9.1, 3.9.2

  • Physical Protection (PE): 3.10.1, 3.10.2

  • Risk Assessment (RA): 3.11.1

  • Security Assessment (CA): 3.12.1, 3.12.3, 3.12.4

  • System and Communications Protection (SC): 3.13.1, 3.13.2, 3.13.5

  • System and Information Integrity (SI): 3.14.1, 3.14.2, 3.14.4, 3.14.5

On AWS, many of these map to foundational services such as IAM, CloudTrail, AWS Config, and Amazon VPC. Organizations should prioritize these requirements first in any remediation effort. Before finalizing a POA&M, also apply the point-value rule in 32 CFR 170.21: a NOT MET requirement weighted above 1 point under the 32 CFR 170.24 scoring methodology cannot be placed on a POA&M, with SC.L2-3.13.11 (at 3 points) as the one exception.

What happens after a POA&M Closeout Assessment if requirements are still not met?

During the 180-day period after achieving Conditional CMMC Status, a POA&M Closeout Assessment can only be finalized in the CMMC Enterprise Mission Assurance Support System (eMASS) one time. If one or more security requirements are still NOT MET, the Conditional CMMC Status will be terminated once the POA&M Closeout Assessment is finalized, and the Organization Seeking Assessment (OSA) will have to begin again with a new assessment. If a POA&M Closeout Assessment is not finalized in CMMC eMASS within 180 days of the CMMC Status Date, the Conditional CMMC Status will automatically expire.

What is the difference between an Operational Plan of Action and a POA&M?

Operational Plans of Action (OPAs) are measures implemented to manage risks or vulnerabilities that arise after the initial implementation of security requirements, such as applying patches, addressing temporary deficiencies, or performing routine system maintenance. OPAs are not tied to a specific timeline for completion.

POA&Ms are formal plans that identify cybersecurity gaps the OSA must address to achieve CMMC compliance. These gaps must be resolved within 180 days, as outlined in 32 CFR 170.21.

When a significant change occurs in an information system that affects the satisfaction of NIST SP 800-171 security requirements:

  • If the change introduces a temporary deficiency after the system was initially compliant, an OPA may be created to document the remediation plan.

  • If the change is identified during a CMMC assessment and results in a requirement being assessed as NOT MET, a POA&M must be created to address the gap within the 180-day window.

For detailed definitions, see 32 CFR 170.4.

I entered my CMMC self-assessment into SPRS and received "No CMMC Status" or "No CMMC Score." How do I fix this?

No Score: You marked "Not Met" for security requirement CA.L2-3.12.4 (System Security Plan). The absence of an up-to-date SSP at the time of assessment results in a finding that an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012. See 32 CFR 170.24 for the scoring methodology.

No Status: One or more of these conditions exist:

  • The assessment score divided by the total number of Level 2 security requirements is less than 0.8 (equivalent to a score below 88).

  • You have placed security requirements on a POA&M that are not permitted per 32 CFR 170.21. Review each POA&M item to confirm it is not one of the 26 POA&M-ineligible requirements.

Are CMMC assessments required for organizations that only handle hard-copy CUI?

No. CMMC assessment requirements address cybersecurity-related risk to CUI and apply only when CUI is processed, stored, or transmitted on a contractor-owned information technology system. Organizations that only handle hard-copy CUI should not be required to complete a CMMC assessment. However, contractors are still required to protect hard-copy CUI per DoDI 5200.48.

If a contractor who was only provided hard-copy CUI plans to place it on an information technology system (for example, scanned, entered, photographed, uploaded, printed, emailed), that system is subject to the applicable CMMC assessment requirements before the CUI is placed on it.

For organizations that handle paper CUI in addition to digital CUI, the CMMC assessment will address both, in accordance with the applicable NIST SP 800-171 security requirements.

Can encryption alone create logical separation for a network within a CMMC Assessment Scope?

No. Logical separation occurs when data transfer between physically connected assets (wired or wireless) is prevented by non-physical means such as software or network assets (for example, firewalls, routers, VPNs, VLANs). While properly implemented encryption provides necessary confidentiality protection, it does not, by itself, prevent data transfer or enforce the security boundary of a network.

On AWS, logical separation is typically achieved through Amazon VPC constructs (separate VPCs or subnets, security groups, network access control lists), AWS Transit Gateway route tables that control which attachments can reach the enclave, and AWS PrivateLink for private connectivity, with encryption of data at rest and in transit (using keys managed in AWS KMS) layered on top. The encryption does not replace the network boundary.

If our enclave relies on enterprise networking components outside the enclave, and all CUI data is encrypted before leaving the enclave, must the enterprise networking components be in scope?

No. So long as the enclave is otherwise logically separated from the greater enterprise network, the transmission of properly encrypted CUI data does not incur an extension of the CMMC Assessment Scope to include the enterprise networking components.

This principle applies to AWS architectures where a CUI-processing Amazon VPC transmits encrypted data through shared networking infrastructure (for example, AWS Transit Gateway or AWS Direct Connect) to reach other enclaves or on-premises systems. The shared networking components do not need to be in the CMMC Assessment Scope, provided the CUI enclave is logically separated and CUI is encrypted in transit.
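The logical-separation claim in the two answers above is only as good as the enclave's ingress rules, and a C3PAO will want to see that they were checked. The following script is an added example, not code from the AWS guidance or the AWS CRM. It audits a set of security groups in the shape returned by the EC2 DescribeSecurityGroups API (here a constructed sample, so it runs offline) and flags every ingress rule whose source lies outside the enclave's own CIDR blocks, outside its own security groups, and outside an explicitly approved external source. The enclave CIDR, the approved VPN pool, the group IDs and the group names are all assumptions; managed prefix-list sources are not evaluated.

```python
"""Audit the ingress rules of a CUI enclave's security groups.

Added example, not from the AWS guidance page. The input mirrors the
IpPermissions structure returned by EC2 DescribeSecurityGroups; the boundary,
the approved external source and the two sample groups are constructed.
"""
import ipaddress

# Constructed boundary: the CIDR block(s) of the hypothetical CUI enclave VPC.
ENCLAVE_CIDRS = [ipaddress.ip_network("10.50.0.0/16")]
# Constructed: a source outside the enclave that policy accepts (assumption: a
# VPN pool that terminates in another logically separated network).
APPROVED_EXTERNAL_CIDRS = [ipaddress.ip_network("10.10.20.0/24")]


def source_allowed(cidr_text, allowed_networks):
    """True if the whole source range lies inside one allowed network."""
    src = ipaddress.ip_network(cidr_text, strict=False)
    return any(src.version == net.version and src.subnet_of(net)
               for net in allowed_networks)


def _describe_rule(perm):
    """Human-readable protocol/port label for one IpPermissions entry."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f'{perm["IpProtocol"]}/{perm.get("FromPort")}-{perm.get("ToPort")}'


def audit_ingress(security_groups, enclave_cidrs, approved_cidrs):
    """Return one finding per ingress rule that reaches beyond the enclave.

    A security-group source is accepted only if that group is itself one of
    the enclave groups passed in; a CIDR source is accepted only if it is
    contained in an enclave CIDR or an approved external CIDR.
    """
    enclave_group_ids = {sg["GroupId"] for sg in security_groups}
    allowed = list(enclave_cidrs) + list(approved_cidrs)
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            rule = _describe_rule(perm)
            cidr_sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])] +
                            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for cidr in cidr_sources:
                if not source_allowed(cidr, allowed):
                    findings.append({"group": sg["GroupName"], "rule": rule, "source": cidr,
                                     "reason": "CIDR source is outside the enclave and the approved list"})
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in enclave_group_ids:
                    findings.append({"group": sg["GroupName"], "rule": rule, "source": pair["GroupId"],
                                     "reason": "security-group source is not an enclave group"})
    return findings


# Constructed sample: two enclave groups, shaped like DescribeSecurityGroups output.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",  # constructed: enclave load balancer
        "GroupName": "cui-enclave-alb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.10.20.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,   # open to all of IPv6: finding
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",  # constructed: enclave application tier
        "GroupName": "cui-enclave-app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},   # from the ALB: fine
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,        # enclave subnet: fine
             "IpRanges": [{"CidrIp": "10.50.3.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,            # SSH from anywhere: finding
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],         # group outside enclave: finding
             "UserIdGroupPairs": [{"GroupId": "sg-0f00d00d00d00d00d"}]},
        ],
    },
]

if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_SECURITY_GROUPS, ENCLAVE_CIDRS, APPROVED_EXTERNAL_CIDRS):
        print(f'{f["group"]}: {f["rule"]} from {f["source"]}: {f["reason"]}')
```

Against live data, feed the script the `SecurityGroups` list from `describe_security_groups` filtered to the enclave VPC; the rules that matter for scope are the ones that would let an asset outside the enclave initiate a connection into it, which is exactly what the three findings in the sample show. Network ACLs and Transit Gateway route tables need the same treatment, since a permissive route can undo a correct security group.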

Implementation

How will the DoD implement CMMC?

Beginning November 10, 2025, the DoD is implementing CMMC requirements in four phases over a three-year period, as described in 32 CFR 170.3(e):

  • Phase 1 (November 2025): DoD begins including Level 1 and Level 2 self-assessment requirements in new solicitations and contracts. The first 12 months focus primarily on self-assessments.

  • Phase 2 (November 2026): DoD begins including Level 2 C3PAO certification requirements in applicable solicitations.

  • Phase 3 (November 2027): DoD begins including Level 3 DIBCAC assessment requirements in applicable solicitations.

  • Phase 4 (November 2028): Full implementation across all applicable solicitations and contracts, including option periods.

The phased approach is intended to address ramp-up issues, provide time to train assessors, allow companies time to implement requirements, and minimize financial impacts to defense contractors (especially small businesses) and disruption to the defense supply chain.

How can businesses best prepare for CMMC?

Whether a company has previously been awarded a defense contract with DFARS clause 252.204-7012 or is new to defense contracting, the best preparation is to carefully conduct a self-assessment of contractor-owned information systems to verify implementation of the necessary cybersecurity measures for FAR clause 52.204-21 (for FCI) or DFARS clause 252.204-7012 (for CUI). If the self-assessment identifies unmet requirements, companies should take corrective action to address those gaps and fully implement the necessary security measures before initiating a CMMC assessment.

For organizations building on AWS, this includes reviewing the AWS CRM to understand which of the 110 requirements are fully inheritable from AWS, which are shared, and which are solely the customer's responsibility.

Will CMMC apply to non-U.S. companies?

Yes. When CMMC requirements are identified in DoD solicitations, they apply to all companies performing under the resulting contract, whether domestic or international.

Can non-U.S. citizens or organizations be part of the CMMC Ecosystem?

Yes. Individuals and organizations that meet all requirements established under 32 CFR Part 170 are eligible to apply to be members of the CMMC Ecosystem, regardless of nationality or country of origin.

During Phase 1, does DoD policy require Program Managers to include CMMC Level 2 (C3PAO) in a solicitation if the contractor will handle CUI from the Defense Organizational Index Grouping?

No. During Phase 1, the DoD's intent is that all solicitations focus on including the right CMMC self-assessment requirement: Level 1 when only FCI will be processed, stored, or transmitted, and Level 2 (Self) when any CUI will be processed, stored, or transmitted in contractor-owned information systems.

While 32 CFR Part 170 provides Program Managers some discretion to include Level 2 (C3PAO) requirements during Phase 1, it is not required. The DoD anticipates that during Phase 1, some solicitations will only include a Level 2 (Self) assessment requirement, even when the CUI comes from the Defense Organizational Index Group.

Program Managers may also discuss with their Contracting Officer the possibility of including the CMMC clause with a Level 2 (Self) requirement at the time of award but specifying that Level 2 (C3PAO) will be required at the time of any option period exercise. Program Managers should only use the discretion to include Level 2 (C3PAO) during Phase 1 when, informed by adequate market research, there is reason to believe enough qualified offerors exist to provide adequate competition.

External service providers, cloud, and FedRAMP

Must my CSP meet FedRAMP Moderate baseline requirements if it processes, stores, or transmits CUI?

Yes. Per DFARS 252.204-7012, if the contractor intends to use a CSP to store, process, or transmit CUI in the performance of a contract, the contractor shall require and ensure that the CSP meets security requirements equivalent to those established by the government for the FedRAMP Moderate baseline. This can be met by:

  • Using a FedRAMP Moderate (or higher) authorized service provider, or

  • Using a provider that meets the requirements for equivalency as specified in the DoD's December 2023 FedRAMP Equivalency memo

AWS GovCloud (US) holds a FedRAMP High authorization, which exceeds the Moderate requirement; the AWS US East/West commercial Regions hold a FedRAMP Moderate authorization. In either case, confirm that each service you place CUI in is within the authorization boundary (see AWS Services in Scope by Compliance Program) and that you have configured it as the CRM describes. The authorization covers AWS's side of the shared responsibility, not your configuration of the services.

Can a non-FedRAMP Moderate cloud service offering store encrypted CUI data?

No. If a contractor intends to use an external CSP in the performance of a DoD contract to store encrypted CUI data, the contractor shall require and ensure that the CSP meets security requirements equivalent to those established for the FedRAMP Moderate baseline. Encryption alone does not remove the FedRAMP requirement.

An OSA stores CUI in a system provided by a Managed Service Provider that is not a cloud offering. Does the MSP require its own CMMC assessment?

No. The MSP is not required to have its own CMMC assessment but may elect to perform its own self-assessment or undergo a certification assessment. If the MSP chooses to attain a CMMC certification to simplify the OSA's assessment, the assessment level and type need to be the same, or above, as the level and type specified in the OSA's contract with the DoD and cover those assets that are in scope for the OSA's assessment.

The MSP's services are assessed as part of the OSA's assessment. A CRM documenting the division of responsibilities between the OSA and the MSP is required and will be evaluated by the C3PAO Assessment Team.

We outsource IT support to one ESP (an MSP) and security tools to another ESP (a Managed Security Service Provider, or MSSP). No CUI is sent to either vendor. Are they required to be assessed?

Yes. Both the MSP and the MSSP qualify as ESPs and will be assessed as part of the OSA's assessment against applicable security requirements. The ESPs do not require their own CMMC certification, but a CRM is required for each.

On AWS, this scenario commonly arises when an organization uses a third-party MSP to administer its AWS environment and a separate MSSP to manage Security Hub CSPM, GuardDuty, or other security tooling. Even though CUI is not sent to these providers, they handle Security Protection Data (SPD) such as log files, configuration data, vulnerability findings, and credentials, which places them in scope.

We store CUI in the cloud and our MSP administers the environment. Is the MSP a CSP?

It depends on the relationships between the CSP, the MSP, and the OSA:

  • If the cloud tenant is subscribed or licensed to the OSA (even if the MSP resells the service), the MSP is not a CSP.

  • If the MSP contracts with the CSP and modifies the basic cloud service, the MSP may be a CSP and must meet applicable FedRAMP or equivalency requirements.

For example, if your organization holds the AWS account directly and the MSP administers it on your behalf, the MSP is an ESP (not a CSP), and AWS remains the CSP. If the MSP operates its own platform built on AWS and provides that platform to you as a service, the MSP may itself be a CSP.

CUI is processed, stored, and transmitted in a Virtual Desktop Infrastructure. Are the endpoints used to access the VDI in scope as CUI assets?

An endpoint hosting a Virtual Desktop Infrastructure (VDI) client is considered an Out-of-Scope Asset if it is configured to not allow any processing, storage, or transmission of CUI beyond the keyboard, video, and mouse data sent to the VDI client. Proper configuration of the VDI client must be verified. If the configuration allows the endpoint to process, store, or transmit CUI, the endpoint will be considered a CUI Asset and is in scope.

On AWS, Amazon WorkSpaces or Amazon AppStream 2.0 can serve as VDI solutions. The scoping determination depends on the client configuration, not the AWS service itself.

Can the endpoint used to access a VDI be considered "out of scope" if CUI remains entirely within the VDI instance?

Yes, the endpoint can be considered out of scope, but this depends on how the VDI client and server are implemented. To achieve out-of-scope status, these conditions must be met:

  • The virtual desktop server must be configured to block copy-paste, file transfers, or any other data exchange across the session.

  • The VDI should only transmit video, keyboard, and mouse data.

  • Users must log into the virtual desktop and handle CUI entirely within the session.

  • MFA to the VDI server must be separate from the unmanaged client, such as using a hardware-based one-time password token or Public Key Infrastructure (PKI) token with a password or PIN.

  • Only authorized users should be allowed to access the virtual desktop environment, and access should be restricted to allowable locations.

VDI systems may include features that cache data on the client device or allow the virtual desktop to connect to the local machine's file system, printers, or other resources, depending on the implementation. To support NIST SP 800-171 compliance and out-of-scope endpoint determinations, any such features should be disabled on the server side to help prevent unmanaged endpoints from mounting drives, printing files, or performing other actions that invoke system protocols beyond the basic VDI protocol. Verify the specific configuration options available in your VDI platform.

For Amazon WorkSpaces, this means disabling clipboard, drive, and local printer redirection through the WorkSpaces Group Policy administrative template for the streaming protocol in use (PCoIP or DCV), restricting which client devices may connect through the directory's access-control options and IP access control groups, and enforcing MFA at the directory level, which WorkSpaces implements through a RADIUS server. Capture the resulting settings as evidence, because the assessor will verify the configuration rather than take the VDI product as proof.

AWS shared responsibility and inheritance

How does the AWS Shared Responsibility Model apply to CMMC Level 2?

Under the AWS Shared Responsibility Model, AWS is responsible for security "of" the cloud (physical infrastructure, hypervisor, managed services), and the customer is responsible for security "in" the cloud (data, identity management, application configuration, network controls, encryption). For CMMC Level 2, the AWS CRM maps all 110 requirements as follows:

  • 21 Fully Inheritable controls: AWS satisfies these entirely. The customer must still document the inheritance in their SSP via the CRM.

  • 79 Partially Inheritable controls: Shared responsibility. AWS provides infrastructure-level controls; the customer must configure, operate, and provide evidence for their portion.

  • 10 Customer-Only controls: AWS provides no inheritable control. The customer implements these through organizational policy, endpoint management, or configuration that is wholly the customer's (for example, the IAM account password policy).

Which controls are fully inheritable from AWS?

The 21 fully inheritable controls are primarily in the Physical Protection, Media Protection, and Maintenance families:

  • Physical Protection (PE): All 6 practices (3.10.1 through 3.10.6), covering AWS data center physical security

  • Media Protection (MP): 8 of 9 practices (3.8.1 through 3.8.8), covering AWS media handling and sanitization

  • Maintenance (MA): 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.6, covering AWS infrastructure maintenance

  • Access Control (AC): 3.1.16, 3.1.17, covering wireless access and authentication for AWS-managed infrastructure

For each fully inheritable control, the customer must document the inheritance relationship in their SSP and reference the CRM. The evidence behind these controls is the AWS FedRAMP authorization; obtain the relevant reports through AWS Artifact so that the C3PAO can review them alongside your SSP.

What are the 10 customer-only controls that AWS cannot address?

These controls require organizational policies, endpoint management, or non-AWS technology:

Practice ID      Requirement                      Customer action
AC.L2-3.1.8      Unsuccessful logon attempts      Implement a lockout policy and the mechanism that enforces it
AC.L2-3.1.18     Mobile device connection         Establish organizational policy
AC.L2-3.1.19     Encrypt CUI on mobile devices    Enforce encryption on mobile endpoints
AC.L2-3.1.21     Portable storage use             Establish organizational policy
IA.L2-3.5.7      Password complexity              Configure the IAM account password policy and organizational policy
IA.L2-3.5.8      Password reuse prohibition       Configure the IAM account password policy and organizational policy
IA.L2-3.5.9      Temporary password use           Establish organizational policy
SC.L2-3.13.7     Split tunneling prevention       Configure network and VPN settings
SC.L2-3.13.12    Collaborative device control     Establish organizational policy for conferencing equipment
SC.L2-3.13.14    Voice/video protection           Implement encryption for communications
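For the two IA requirements in the table, the customer-owned configuration is the IAM account password policy, and the useful check is whether the policy actually in force meets the organization's parameters. The script below is an added example, not code from the AWS guidance or the AWS CRM. It evaluates a policy dict in the shape returned by the IAM GetAccountPasswordPolicy API (what `iam.get_account_password_policy()["PasswordPolicy"]` returns in boto3) against assumed organization-defined parameters for IA.L2-3.5.7 and IA.L2-3.5.8. The parameter values and the two sample policies (a default-like weak one beside a hardened one) are constructed, so it runs offline.

```python
"""Check an IAM account password policy against organizational parameters
for IA.L2-3.5.7 (password complexity) and IA.L2-3.5.8 (password reuse).

Added example, not from the AWS guidance page or the AWS CRM. The policy
dicts mirror the PasswordPolicy structure returned by GetAccountPasswordPolicy;
the organizational values and both sample policies are constructed.
"""

# Assumed organization-defined parameters. NIST SP 800-171 leaves the numbers
# to the organization; these values are an assumption for the example.
ORG_REQUIREMENTS = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "PasswordReusePrevention": 24,   # generations remembered; 24 is the IAM maximum
}

# Constructed: an account whose policy was never hardened beyond the defaults
# (IAM only insists on 8 characters). PasswordReusePrevention is absent when
# no password history is kept, which is how the API reports it.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": False,
    "ExpirePasswords": False,
}

# Constructed: a policy that satisfies the assumed parameters.
HARDENED_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 365,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}

COMPLEXITY_FLAGS = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                    "RequireNumbers", "RequireSymbols")


def evaluate_password_policy(policy, org=ORG_REQUIREMENTS):
    """Return a list of (practice, parameter, observed, required) gaps.

    An empty list means the policy meets every parameter in `org`.
    """
    gaps = []
    # IA.L2-3.5.7: minimum length and character-class requirements.
    observed_len = policy.get("MinimumPasswordLength", 0)
    if observed_len < org["MinimumPasswordLength"]:
        gaps.append(("IA.L2-3.5.7", "MinimumPasswordLength",
                     observed_len, org["MinimumPasswordLength"]))
    for flag in COMPLEXITY_FLAGS:
        if org[flag] and not policy.get(flag, False):
            gaps.append(("IA.L2-3.5.7", flag, policy.get(flag, False), True))
    # IA.L2-3.5.8: reuse prohibition. A missing key means no history is enforced.
    observed_reuse = policy.get("PasswordReusePrevention", 0)
    if observed_reuse < org["PasswordReusePrevention"]:
        gaps.append(("IA.L2-3.5.8", "PasswordReusePrevention",
                     observed_reuse, org["PasswordReusePrevention"]))
    return gaps


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        gaps = evaluate_password_policy(policy)
        print(f"{name}: {'MET' if not gaps else 'NOT MET'}")
        for practice, param, observed, required in gaps:
            print(f"  {practice}: {param} is {observed!r}, required {required!r}")
```

The keys in `HARDENED_POLICY` are the same keyword arguments `update_account_password_policy` accepts, so the corrected dict can be applied directly. One caveat for the SSP narrative: the IAM account password policy governs only the console passwords of IAM users. Workforce users who sign in through IAM Identity Center or a federated identity provider get their complexity and reuse rules from that provider, and the evidence for 3.5.7 and 3.5.8 has to come from there.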

Which AWS services are most relevant to CMMC Level 2?

AWS service                               Controls supported   Primary use
AWS Identity and Access Management (IAM)  ~30 controls         Identity, access, least privilege, MFA, sessions
CloudTrail                                ~19 controls         Audit logging, accountability, change tracking
AWS Config                                ~19 controls         Baselines, compliance rules, drift detection
AWS Security Hub CSPM                     ~13 controls         Compliance findings, standards, evidence aggregation
Systems Manager                           ~11 controls         Patching, configuration, remote access
CloudWatch                                ~10 controls         Monitoring, alerting, log management
Amazon VPC                                ~10 controls         Network segmentation, boundary protection, flow control
GuardDuty                                 ~6 controls          Threat detection, anomaly monitoring
AWS KMS                                   ~5 controls          Encryption key management
EventBridge                               ~5 controls          Event-driven automation

See the AWS CRM for the complete service-to-control mapping.

Preparing for assessment on AWS

What should I do first to prepare for CMMC Level 2 on AWS?

  1. Determine your scope. Identify which systems process, store, or transmit CUI. Classify all assets into the five scoping categories defined in 32 CFR 170.19(c)(1) and the CMMC Scoping Guide Level 2 v2.13 (CUI Assets, Security Protection Assets, CRMAs, Specialized Assets, Out-of-Scope Assets).

  2. Obtain the AWS CRM. Download the AWS NIST SP 800-171 / CMMC 2.0 Level 2 CRM from the AWS CMMC Compliance page. Understand which controls are fully inheritable, shared, or customer-only.

  3. Develop your SSP. Document your system boundary, data flows, asset inventory, and control implementation narratives addressing all 320 assessment objectives across the 110 requirements.

  4. Conduct a gap assessment. Evaluate your current implementation against each requirement and calculate your projected SPRS score. Prioritize POA&M-ineligible requirements and 5-point requirements first, because a single NOT MET item in either group blocks Conditional CMMC Status.

  5. Build your evidence package. Collect artifacts (policies, configurations, screenshots, logs) mapped to examine, interview, and test methods per NIST SP 800-171A. Evidence must be in final form.

  6. Engage a C3PAO. If your contract requires C3PAO certification, engage early. The Pre-Assessment phase (SSP review, scope validation) must be completed before the formal assessment begins.

What SPRS score do I need?

The SPRS scoring model for Level 2, as set out in 32 CFR 170.24:

  • Maximum score: 110. Scoring starts at 110 and subtracts points for each requirement that is NOT MET; the minimum possible score is -203.

  • Each requirement is weighted 5, 3, or 1 points according to the impact of leaving it unimplemented, and a NOT MET requirement deducts its full weight. The weights are not the same as the Basic/Derived split in NIST SP 800-171, so do not assume a Derived requirement costs only 1 point.

  • Partial credit: IA.L2-3.5.3 (multifactor authentication) deducts 3 rather than 5 if MFA is implemented for remote and privileged access but not for all users, and SC.L2-3.13.11 (CUI encryption) deducts 3 rather than 5 if encryption is in place but is not FIPS-validated.

  • Conditional CMMC Status threshold: a score of 88 or above (0.8 × 110), with every NOT MET requirement on a POA&M and none of them POA&M-ineligible under 32 CFR 170.21.

  • Final CMMC Status: all 110 requirements MET, with any POA&M closed out within 180 days.

  • Validity: three years from the CMMC Status Date, with an annual affirmation of continued compliance.

Can AWS help me achieve CMMC compliance?

AWS provides services, resources, and programs designed to support your CMMC compliance journey:

  • AWS Compliance Programs: Documentation of AWS compliance certifications and attestations, including FedRAMP.

  • AWS Artifact: On-demand access to AWS compliance reports and select online agreements.

  • Security Hub CSPM: Aggregates security findings and checks compliance against standards including NIST SP 800-171.

  • AWS Security Assurance Services: Advisory and implementation support for compliance programs.

  • AWS CRM: Maps all 110 CMMC Level 2 requirements to AWS services with detailed implementation guidance.

AWS helps support your compliance requirements, but achieving CMMC certification is the customer's responsibility under the Shared Responsibility Model.