FAQ
CMMC questions, answered plainly.
The questions defense contractors ask us most — about scope, levels, timelines, and what certification actually involves. Still unsure where you stand? Book a discovery call.
- Do I need CMMC if I'm a subcontractor or sub-tier supplier?
- Usually yes. CMMC requirements flow down through the supply chain: if you receive, store, or generate Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under a DoD contract, the requirement applies regardless of your tier. The level you need depends on the data you handle, not your size.
- What's the difference between CMMC Level 1 and Level 2?
- Level 1 covers basic safeguarding of FCI — 15 requirements, met with an annual self-assessment. Level 2 protects CUI and maps to the 110 security requirements in NIST SP 800-171; most Level 2 contractors need a third-party assessment by an authorized C3PAO every three years.
- What is CUI, and how do I know if I handle it?
- Controlled Unclassified Information is government data that requires safeguarding but isn't classified. The clearest signals are contract markings, a DFARS 252.204-7012 clause in your agreement, and CUI banners on documents you receive. If you're unsure, a scoping conversation is the fastest way to find out — and it's the first thing we do.
- GCC High, commercial cloud, or an on-prem enclave — which do I need?
- It depends on the data. ITAR-controlled data and certain CUI typically push you toward Microsoft GCC High; other CUI can be handled in a properly configured commercial-cloud or on-prem enclave. There's no one-size-fits-all answer — we scope to the smallest footprint that holds your CUI, then match you to the right environment.
- How long does it take to get CMMC ready?
- A gap assessment takes about 2–4 weeks. Remediation depends on how far the gaps run — weeks for a tight environment, a few months for a larger or less mature one. We run a readiness (mock) assessment roughly 30–60 days before your C3PAO audit so there are no surprises.
- Do I need to be certified before I can bid?
- Under the phased rollout, CMMC requirements appear as a condition of award in solicitations over time — and many primes already require it through flow-down today. Because readiness takes months, the contractors who start early are the ones who stay eligible.
- What's a C3PAO, and is that who certifies me?
- A C3PAO is a Certified Third-Party Assessment Organization authorized to conduct the official CMMC Level 2 assessment. They certify; they can't also prepare you. That's our role — we get you audit-ready, then bring in a C3PAO from our network for the formal assessment.
- Can we use our existing IT team or MSP?
- Yes. Many of our clients run lean or rely on a managed service provider. We work directly with whoever holds the keys — internal staff, an MSP, or a mix — and coordinate the compliance work around your existing setup.
- How often is CMMC reassessed?
- A Level 2 certification is valid for three years, with an annual affirmation in between confirming you're maintaining your controls. The program is built around continuous compliance, which is why we offer an ongoing GRC program rather than a one-time project.
- What does a CMMC engagement cost?
- It varies with your size, environment, and the gap between where you are and Level 2. Rather than quote a number that wouldn't fit, we give you a clear scope and range after a short discovery call — no obligation.