Section B: CMMC Model
As a trusted Registered Provider Organization (RPO) for CMMC 2.0, Echelon is committed to simplifying compliance and protecting your DoD contracts. With the CMMC requirements now rolling out in phases from 2025 through 2028, defense contractors need clear, authoritative answers to remain eligible for future opportunities. To support your journey from readiness to certification, we have structured the official guidance from the DoD CIO's CMMC Frequently Asked Questions into this essential five-part series. We will break down the most critical rules, timelines, and requirements across the following sections: About CMMC, The CMMC Model, Assessments, Implementation, and External Service Providers (ESPs), helping you align with NIST 800-171 and achieve a smooth certification with our C3PAO partners.
B-Q1. How will my organization know what CMMC level is required for a contract?
B-A1. Once CMMC is implemented contractually, the Department will specify the required CMMC level in the solicitation and the resulting contract.
B-Q2. What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?
B-A2. NIST SP 800-171 is the federal safeguarding standard for controlled unclassified information (CUI) required by 32 CFR Part 2002, which the Department implemented contractually through inclusion of DFARS clause 252.204-7012 in applicable contracts.
Beginning November 10, 2025, and following the phased implementation plan outlined in 32 CFR 170.3(e), applicable contractors will be required to undergo a Level 2 self-assessment or a CMMC third-party assessment to verify compliance with those NIST SP 800-171 Revision 2 requirements.
ECHELON TAKE:
The CMMC Level 2 assessment is designed to formally verify your compliance with all 110 security requirements of NIST SP 800-171 Revision 2. Achieving this is the entire objective of your readiness journey.
Echelon’s Gap Assessment service is directly aligned with the NIST 800-171 R2 assessment methodology, providing a comprehensive report that outlines your current maturity and identifies every control gap.
By leveraging our certified RPs, you gain a clear, definitive understanding of the 110 controls, ensuring your remediation efforts are prioritized and fully align with the standards required for official C3PAO verification.
B-Q3. The CMMC model uses NIST SP 800-171, Revision 2. Will the Department update the program to use NIST SP 800-171, Revision 3?
B-A3. Yes, the Department will incorporate Revision 3 with future rulemaking. In the interim, the Department has issued a class deviation to DFARS clause 252.204-7012 to maintain Revision 2 as the standard against which DIB companies will be assessed until Revision 3 has been incorporated into the 32 CFR CMMC Program rule through rulemaking. You can find more information on that deviation here: https://www.defense.gov/News/Releases/Release/Article/3763953/department-of-defenseissues-class-deviation-on-cybersecurity-standards-for-cov/
B-Q4. Can Department contractors implement NIST SP 800-171 Revision 3?
B-A4. Yes. Companies can implement Revision 3 but must use the Department’s Organization-Defined Parameters (ODPs) defined in the April 2025 memorandum, “Department of Defense Organization-Defined Parameters for National Institute of Standards and Technology Special Publication 800-171 Revision 3” found here: https://dodcio.defense.gov/Portals/0/Documents/CMMC/OrgDefinedParmsNISTSP800-171.pdf.
Because CMMC Assessments will be conducted against Revision 2 until the class deviation memo (Q3 of this section) is withdrawn or otherwise superseded, DIB companies must ensure any identified gaps between Revision 2 and Revision 3 are addressed.
B-Q5. What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172 and CMMC?
B-A5. NIST SP 800-172 provides security requirements designed to address advanced persistent threats and forms the basis for CMMC Level 3 security requirements. Contractors must implement 24 requirements from NIST SP 800-172 in addition to the 110 requirements found in NIST SP 800-171 when the Department identifies CMMC Level 3 as a contract requirement.
B-Q6. Will CMMC requirements flow down to subcontractors?
B-A6. Yes, CMMC requirements will flow down to subcontractors as outlined in 32 CFR 170.23. The required CMMC level is based on the type of data—Federal Contract Information (FCI) or CUI—that will be processed, stored, or transmitted on a contractor’s information system during the performance of a DoW contract. Subcontractors handling FCI or CUI are subject to safeguarding requirements. Note that when the prime contract requires CMMC Level 3, the minimum flow-down requirement is CMMC Level 2 (C3PAO), unless the Government provides specific contractual guidance (e.g., a Security Classification Guide).
B-Q7. What is the difference between FCI and CUI?
B-A7. FCI and CUI are information that is ‘not intended for public release.’ However, CUI requires additional safeguarding and may also be subject to dissemination controls. FCI is defined in Federal Acquisition Regulation (FAR) clause 52.204-21, and CUI is defined in 32 CFR Part 2002. The Department’s CUI Quick Reference Guide at https://www.dodcui.mil/ includes additional information on the marking and handling of CUI. CMMC makes no changes to CUI definitions or safeguarding requirements.
B-Q8. Is encrypted CUI still considered to be CUI?
B-A8. In accordance with 32 CFR Part 2002, CUI remains controlled until it is formally decontrolled. As such, encrypted CUI data retains the control designation given to the plain text counterpart. While it is true that certain risks (e.g., transmission across unsecured, "common carrier" networks) may be accepted for cipher text that would not be accepted for plain text, this does not mean the original, controlled information, nor the data (plain or cipher text) representing it, is considered decontrolled.
Ready to move from theory to verification?
Explore Part 3, Section C: Assessments, which breaks down the official assessment protocols and the phased rollout of certification requirements.
This information is sourced from the official Cybersecurity Maturity Model Certification Program Frequently Asked Questions, Revision 2.1 (November 2025), published by the Department of War (DoW) CIO. You can access the full document here.
CMMC 2.0 Essential Series
Explore our five-part series navigating the official DoD guidance:
- Section A: About CMMC
- Section B: CMMC Model - (Current)
- Section C: Assessments
- Section D: Implementation
- Section E: External Service Providers