CMMC Level 2 Requirements
What Level 2 requires, how the 110 requirements map to evidence, and what contractors need to prove.
Fast, plain-English answers grounded in the current DoD program page, January 2026 FAQ, 32 CFR Part 170, DFARS 252.204-7021, and related official guidance.
CMMC is the Department of Defense program for verifying that contractors and subcontractors have implemented the required cybersecurity protections for federal contract information and controlled unclassified information on contractor systems.
Right now, the most important live facts are these: DoD began the phased rollout on November 10, 2025; Phase 1 runs through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessments; Level 2 is still assessed against NIST SP 800-171 Rev. 2 for now; and annual affirmations in SPRS remain mandatory for maintaining current status.
The phased rollout started November 10, 2025. Here is where things stand and where they are headed.
| Phase | Date | What it means |
|---|---|---|
| Phase 1 | Nov. 10, 2025 to Nov. 9, 2026 | DoD focuses primarily on Level 1 and Level 2 self-assessments in applicable procurements. |
| Phase 2 | Begins Nov. 10, 2026 | Level 2 C3PAO assessment requirements begin to appear as part of the rollout, and Level 3 may be used at DoD discretion. |
| Phase 3 | Begins Nov. 10, 2027 | Level 2 C3PAO requirements become the normal path for applicable contracts requiring that assessment type, and Level 3 may be required. |
| Phase 4 | Begins Nov. 10, 2028 | Full implementation for applicable solicitations and contracts. |
The exact clause language and the requiring activity still determine what a particular solicitation needs.
CMMC is easiest to understand when you separate five questions: what information you handle, what level applies, what assessment type applies, what systems are in scope, and what evidence you can actually show.
Most confusion happens because companies skip the scoping question. They hear about GCC High, an enclave, or a C3PAO and start with tools or vendors instead of first asking what information is present, where it lives, who touches it, and which assets are actually supporting that environment.
20 questions covering CMMC basics, levels, assessments, scoping, cloud, SPRS, POA&Ms, and more.
CMMC is the DoD program for assessing whether contractors and subcontractors are implementing the required cybersecurity standards to protect federal contract information (FCI) and controlled unclassified information (CUI) on contractor systems.
CMMC can apply to prime contractors and subcontractors at all tiers when they will process, store, or transmit FCI or CUI on contractor information systems in performance of a DoD contract or subcontract. The solicitation or contract controls the level and assessment type that applies.
FCI is information provided by or generated for the Government under contract that is not intended for public release. CUI is unclassified information that the Government creates or owns, or that a law, regulation, or Government-wide policy requires to be safeguarded or dissemination controlled. CUI is not the same as classified information.
No. Level 1 is tied to FCI. Level 2 is tied to CUI. Level 3 is reserved for a smaller set of high-priority programs. A company should not assume it needs Level 2 unless the contract, subcontract, or actual information flow puts it there.
DoD began incorporating CMMC assessment requirements into applicable procurements on November 10, 2025, when the revised DFARS clause 252.204-7021 became effective.
As of March 15, 2026, the program is in Phase 1. Phase 1 runs from November 10, 2025 through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessments.
The government does not publish one official timeline because the real timeline depends on scope, current maturity, documentation quality, remediation needs, cloud design, and how much CUI is actually in play. Companies that start with scoping and a serious readiness assessment move faster than companies that jump straight into tools.
The government does not publish a single standard price. Cost depends on the number of in-scope assets, the size of the boundary, the condition of your current controls, the amount of documentation that must be built, whether you use a cloud or enclave strategy, and the cost of external assessment if one is required.
Level 1 requires an annual self-assessment. Levels 2 and 3 require an assessment every three years, plus an annual affirmation of continued compliance.
A Level 2 self-assessment is performed by the organization seeking assessment. A Level 2 certification assessment is performed by an authorized or accredited C3PAO. Which one you need depends on the solicitation or contract requirement.
No. DoD's January 2026 FAQ says Rev. 3 has not yet been incorporated as the assessment standard for CMMC Level 2. For now, the assessment baseline remains NIST SP 800-171 Rev. 2, with future incorporation of Rev. 3 to happen through later rulemaking.
Level 1 cannot use a POA&M. Levels 2 and 3 may use a POA&M only under the conditions in 32 CFR 170.21, and any conditional status must be closed out within 180 days.
If the annual affirmation is not submitted, the CMMC assessment lapses. A company may still have done a technical assessment, but it would not have a current status for contracting purposes.
Not unless that CUI is placed onto an IT system. The official FAQ says an organization handling only hard-copy CUI does not need a CMMC assessment unless the hard-copy CUI is put onto its IT system.
No. DoD's FAQ says encryption alone does not create logical separation, and encrypted CUI remains CUI until it is formally decontrolled.
They can be out of scope only if they are configured so they do not process, store, or transmit CUI beyond keyboard, video, and mouse functions, and other restrictions are in place such as blocking copy-paste, printing, and file transfer workflows.
No. The government does not impose a blanket rule that every contractor needs GCC High. The real requirement is that cloud services used to store, process, or transmit CUI meet the FedRAMP Moderate baseline or equivalent, and that the company's architecture and scoping decisions support compliant handling of CUI.
No. DoD's January 2026 FAQ says a non-FedRAMP Moderate cloud service offering may not store encrypted CUI unless it meets FedRAMP Moderate equivalency.
If the MSP is not itself a cloud offering, it does not need its own CMMC assessment or certification just to support you, although it may elect to obtain one. If it provides security protection capabilities or otherwise acts as an external service provider, its services are assessed within the scope of your assessment.
DoD's FAQ recommends starting with a self-assessment against the applicable requirements, correcting gaps, and then pursuing the required assessment path. In practice, that means confirming scope, documenting assets and data flows, tightening technical controls, and organizing evidence before you schedule anything formal.
This page is written to help defense contractors plan readiness and communicate clearly with buyers, primes, and internal stakeholders. Contract language, current regulations, and assessor guidance control.
Velocity CMMC can scope the environment, map CUI flows, organize the documentation package, support remediation, and help your team prepare for the right assessment path.