Section C: Assessments
As a trusted Registered Provider Organization (RPO) for CMMC 2.0, Echelon is committed to simplifying compliance and protecting your DoD contracts. With the CMMC requirements now rolling out in phases from 2025 through 2028, defense contractors need clear, authoritative answers to remain eligible for future opportunities. To support your journey from readiness to certification, we have structured the official guidance from the DoD CIO's CMMC Frequently Asked Questions into this essential five-part series. We will break down the most critical rules, timelines, and requirements across the following sections: About CMMC, The CMMC Model, Assessments, Implementation, and External Service Providers (ESPs), helping you align with NIST SP 800-171 and achieve a smooth certification with our C3PAO partners.
C-Q1. How frequently will assessments be required?
C-A1. Level 1 self-assessments will be required on an annual basis, and CMMC Levels 2 and 3 will be required every 3 years. An affirmation of continued compliance is required for all CMMC levels at the time of assessment and annually thereafter. Please reference 32 CFR 170.3(e) for details on the Department’s timeline for phased implementation of CMMC requirements in applicable procurements.
ECHELON TAKE:
While the regulations require assessments every three years, the ‘annual affirmation’ requirement means your security posture cannot lapse between audits.
Echelon’s Continuous Compliance ensures you aren’t scrambling every 36 months. We provide ongoing monitoring and policy maintenance to keep you audit-ready 365 days a year, protecting your DoD contracts from unexpected eligibility gaps.
C-Q2. Will my organization need to be independently assessed if it does not handle CUI?
C-A2. No, if a DIB company does not process, store, or transmit CUI, it does not need an independent assessment. If the company handles FCI only, a CMMC Level 1 self-assessment is required.
C-Q3. Will CMMC independent assessments be required for classified systems and / or classified environments within the DIB?
C-A3. No, CMMC only applies to DIB contractors’ nonfederal unclassified information systems that process, store, or transmit FCI or CUI.
C-Q4. Will the results of a DIB company’s assessment be made public? Will the Department be able to see assessment results?
C-A4. The public will not have access to a listing of DIB companies that have completed their CMMC self-assessments or received CMMC certificates. Such information is available to the Department officers leading procurement activities.
A company can view their own scores and status in the Supplier Performance Risk System (SPRS). Suppliers may print verification of their status from SPRS to share with their Primes. Subcontractors may voluntarily share their CMMC Status, assessment scores, or certificates to facilitate business teaming arrangements. The Department expects that defense contractors will share information about CMMC status with other DIB members to facilitate effective teaming arrangements when bidding for Department contracts.
C-Q5. Does my company’s administrative office or manufacturing facility require a specific Commercial and Government Entity (CAGE) code for that location to submit and comply with CMMC?
C-A5. No. Another existing CAGE code in the company's hierarchy may be used to submit the appropriate assessment, which is identified by the CMMC Unique Identifier (UID). The CMMC UID must contain the scope that covers the assessment. CAGE codes (including the Highest Level Owner) are used only for metrics purposes, to enforce authorized access to the data in SPRS, and to perform annual affirmations.
C-Q6. Which requirements are considered "critical" and are not allowed in a Plan of Actions and Milestone (POA&M)?
C-A6. Critical requirements are identified in 32 CFR 170.21.
C-Q7. What happens after a POA&M Closeout Assessment if one or more of the security requirements on the POA&M still aren’t met?
C-A7. During the 180-day period after achieving a Conditional CMMC Status, a POA&M Closeout Assessment can only be finalized in the CMMC Enterprise Mission Assurance Support System (eMASS) one time. In the case where one or more security requirements are still NOT MET, the Conditional CMMC Status will be terminated once the POA&M Closeout Assessment is finalized in CMMC eMASS, and the Organization Seeking Assessment will have to begin again with a new assessment to achieve a CMMC Status. If a POA&M Closeout Assessment is not finalized in CMMC eMASS within 180 days of the CMMC Status Date, the Conditional CMMC Status will automatically expire.
C-Q8. What is the difference between an Operational Plan of Action (OPA) and a POA&M?
C-A8. Operational Plans of Action (OPAs) are measures implemented to manage risks or vulnerabilities, such as applying patches, addressing temporary deficiencies, or performing routine system maintenance. OPAs are not tied to a specific timeline for completion and are typically used to address vulnerabilities or deficiencies that arise after the initial implementation of security requirements.
Under the CMMC framework, POA&Ms are formal plans that identify cybersecurity gaps the Organization Seeking Assessment must address to achieve CMMC compliance. These gaps must be resolved within 180 days, as outlined in 32 CFR 170.21.
When a significant change occurs in an information system that affects the satisfaction of NIST SP 800-171 security requirements, the appropriate course of action - whether to create a POA&M or an OPA - depends on the nature and timing of the change. If the significant change introduces a temporary deficiency or vulnerability after the system was initially compliant, an OPA may be created to document the remediation plan. However, if the significant change is identified during a CMMC assessment and results in a security requirement being assessed as "NOT MET," a POA&M must be created to address the gap within the 180-day remediation window. For more information, please reference FAQ C-Q7.
For detailed definitions, refer to 32 CFR 170.4.
C-Q9. I have entered my company’s CMMC self-assessment into SPRS and have received the following error(s) for ‘CMMC Status Type’: No CMMC Status or No CMMC Score. How can I fix this?
C-A9. There are a few reasons you may be getting the “No CMMC Score” or “No CMMC Status” landing page after attempting to submit your assessment results into the SPRS platform.
No Score:
- You have received a “No Score” because you marked “Not Met” for security requirement CA.L2-3.12.4 – SYSTEM SECURITY PLAN.
The absence of an up-to-date system security plan at the time of the assessment will result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204–7012.’ (Please see 32 CFR 170.24 for more details on the CMMC Level 2 scoring methodology, with reference to 170.24I(2)(i)(B)(5)).
No Status:
- The assessment score divided by the total number of CMMC Level 2 security requirements is less than 0.8.
- You have security requirements that, in accordance with 32 CFR 170.21, are not permitted on a POA&M for the purposes of achieving a certification.
- Carefully review each security requirement for which you have provided a POA&M to ensure that none of them is one of the six requirements prohibited from a POA&M in accordance with 32 CFR 170.21(a)(2)(iii).
- You may reference the 32 CFR 170.24 CMMC Scoring Methodology for further detail regarding the security requirements of your assessment.
C-Q10: Are CMMC assessments required for organizations that only handle hard-copy CUI?
C-A10. No. Organizations that only handle hard-copy CUI are not required to complete a CMMC Assessment. CMMC assessment requirements address cybersecurity-related risk to CUI and apply only when the CUI is processed, stored, or transmitted on a contractor-owned information technology system. Nonetheless, contractors are still required to protect the hard-copy CUI. Per DoDI 5200.48, paragraph 1.1(b), any contractor or subcontractor that receives CUI is required to safeguard that information in accordance with Government training and safeguarding requirements.
Additionally, if a contractor who was only provided hardcopy CUI plans to place the hardcopy CUI on an information technology system (e.g., scanned, entered, photographed, uploaded, printed, emailed), then that information technology system is subject to the applicable CMMC assessment requirements prior to the CUI being placed on the system.
For organizations that handle paper CUI in addition to processing, storing, or transmitting CUI in a contractor-owned information technology system, the necessary CMMC assessment will address both the paper CUI and the digital CUI, in accordance with the applicable NIST SP 800-171 security requirements. For further information about DoD policy regarding safeguarding CUI, refer to DoDI 5200.48 [www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520048p.PDF?ver=2020-03-06-100640-800].
C-Q11: Can encryption alone create logical separation for a network within a CMMC Assessment Scope?
C-A11. No. Logical separation occurs when data transfer between physically connected assets (wired or wireless) is prevented by non-physical means such as software or network assets (e.g., firewalls, routers, VPNs, VLANs). While properly implemented encryption provides the necessary confidentiality protection, it does not, by itself, prevent data transfer or enforce the security boundary of a network.
C-Q12: Our enclave does not have a direct internet connection. Instead, it relies on enterprise networking components residing outside of the enclave. All CUI data is properly encrypted before leaving our enclave. Must the enterprise networking components be brought into our enclave’s CMMC Assessment Scope?
C-A12. No. So long as the enclave is otherwise logically separated from the greater enterprise network, the transmission of properly encrypted CUI data does not extend the CMMC Assessment Scope to include the enterprise networking components.
Next up in our series: Dive into Section D: Implementation to decode the 4-phase rollout and ensure you're ahead of the 2026 compliance deadlines.
Prepare for Your Next CMMC Assessment with Confidence
From readiness through certification, Echelon guides you through every phase of CMMC 2.0—without last-minute surprises.
👉 See How Our CMMC Consulting Works
This information is sourced from the official Cybersecurity Maturity Model Certification Program Frequently Asked Questions, Revision 2.2. January 2026, published by the Department of War (DoW) CIO. You can access the full document here.
CMMC 2.0 Essential Series
Explore our five-part series navigating the official DoD guidance:
- Section A: About CMMC
- Section B: CMMC Model
- Section C: Assessments - (Current)
- Section D: Implementation
- Section E: External Service Providers
