1. What is CMMC 2.0?
CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense’s updated framework for ensuring cybersecurity across the Defense Industrial Base. It aligns with NIST SP 800‑171 and introduces three levels of certification.
2. When did the DFARS 48 CFR final rule take effect?
The DFARS 48 CFR final rule became effective on November 10, 2025, officially enforcing CMMC 2.0 requirements.
3. What is the timeline for CMMC 2.0 implementation?
The rollout is phased through November 2028:
- Phase 1 (Nov 2025–Nov 2026): Level 1 and Level 2 self-assessments required.
- Phase 2 (Nov 2026–Nov 2027): Third-party assessments begin for Level 2.
- Phase 3 (Nov 2027–Nov 2028): Level 2 third-party certification mandatory.
- Phase 4 (Nov 2028 onward): Full enforcement for all applicable contracts.
4. Who needs CMMC certification?
Any contractor or subcontractor in the DoD supply chain that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must comply.
5. What is CUI, and why is it important?
CUI (Controlled Unclassified Information) includes sensitive defense-related data such as technical specifications, test results, and export-controlled materials. Protecting CUI is critical to national security.
6. What level of CMMC is required for handling CUI?
Organizations handling CUI must achieve CMMC Level 2, which requires implementing all 110 controls from NIST SP 800‑171.
7. What are the 110 NIST SP 800‑171 controls?
These controls cover areas like access control, encryption, incident response, configuration management, and security awareness training to safeguard CUI.
8. What is the difference between self-assessment and third-party assessment?
- Self-assessment: Contractors evaluate their own compliance and submit results to the Supplier Performance Risk System (SPRS).
- Third-party assessment: Conducted by a certified C3PAO (Cybersecurity Third-Party Assessment Organization) for independent verification.
9. When will third-party assessments be required?
Third-party assessments for Level 2 begin in Phase 2 (Nov 2026) and become mandatory for most contracts by Phase 3 (Nov 2027).
10. How long is CMMC certification valid?
Third-party certifications are valid for three years, while self-assessments must be reaffirmed annually.
11. What happens if my organization is not compliant?
Non-compliance will disqualify your organization from bidding on or maintaining DoD contracts that involve FCI or CUI.
12. Where can I get help with CMMC compliance?
Mainstream Technologies specializes in guiding defense suppliers through NIST 800‑171 implementation and CMMC certification.
Contact us today to ensure your organization is ready for current and future requirements.