The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to enhance the cybersecurity posture of contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Why Do You Need to Do CMMC?
- Required for DoD Contracts – Any organization that wants to bid on a DoD contract must meet the CMMC level specified in that solicitation.
- Protect Sensitive Information – Ensure that you follow best cybersecurity practices to safeguard FCI and CUI data from cyber threats.
- Competitive Advantage – Companies holding the appropriate (and especially a higher) CMMC level can compete for more contracts and demonstrate cybersecurity maturity to partners and customers.
- Regulatory Compliance – CMMC builds on existing requirements such as FAR 52.204-21 and NIST SP 800-171, helping you meet or exceed broader cybersecurity obligations.
- Risk Reduction – Reduces your risk of cyber incidents that could lead to financial loss, reputational damage, or national security threats.
Which CMMC level is right for you?
Federal Contract Information (FCI) is information provided by or generated for the U.S. government under a contract that is not intended for public release. It includes data related to contract performance but does not include publicly available information.
Why Is FCI Important?
- CMMC Compliance – If your company handles only FCI (no CUI), you must meet the CMMC Level 1 security requirements.
- Basic Cybersecurity Protections – Organizations must implement the 15 basic safeguarding requirements of FAR 52.204-21 to protect FCI from unauthorized access (earlier CMMC 1.0 material split these into 17 practices; CMMC 2.0 counts them as 15).
- Entry Requirement for DoD Contractors – If your company currently contracts with the DoD, you must complete a Level 1 self-assessment (with an annual affirmation) starting in 2025 to maintain existing contracts or bid on new DoD opportunities.
Controlled Unclassified Information (CUI) is government-created or owned information that requires safeguarding or dissemination controls under federal regulations but is not classified.
Why Is CUI Important?
- Regulatory Requirement – Organizations handling CUI must comply with NIST SP 800-171 and must achieve CMMC Level 2.
- National Security & IP Protection – CUI includes sensitive technical data and financial records that could pose a national security risk if exposed.
- DoD Contracting Requirement – If your company contracts with the U.S. DoD, or plans to, protecting CUI is mandatory to qualify for contracts.
Examples of CUI
- Technical drawings and schematics
- Export-controlled research (ITAR, EAR)
- Law enforcement reports
- Critical infrastructure details
What are the requirements of each level?
CMMC 2.0 Levels & Requirements
🔹 Level 1: Foundational
- Who Needs It? DoD contractors that handle Federal Contract Information (FCI) but do not have access to Controlled Unclassified Information (CUI).
- Requirements:
- The 15 basic safeguarding requirements of FAR 52.204-21
- Covers basic cybersecurity hygiene (e.g., strong passwords, anti-malware, and limiting access to contractor systems)
- Annual self-assessment, submitted to SPRS, with an annual affirmation
🔹 Level 2: Advanced (Aligned with NIST SP 800-171)
- Who Needs It? Contractors with access to Controlled Unclassified Information (CUI)
- Requirements:
- The 110 security requirements of NIST SP 800-171
- Includes access control, encryption, multi-factor authentication (MFA), and incident response
- Third-party (C3PAO) certification assessment every 3 years, plus an annual affirmation, where the contract requires it
- Self-assessment every 3 years, plus an annual affirmation, where the contract allows self-assessment
🔹 Level 3: Expert (Aligned with NIST SP 800-172)
- Who Needs It? Contractors with access to CUI that is critical to national security
- Requirements:
- All 110 NIST SP 800-171 requirements plus 24 selected requirements from NIST SP 800-172
- Focuses on advanced threat detection, zero trust, and resilience against nation-state threats
- Government-led (DoD DIBCAC) assessment every 3 years, plus an annual affirmation; a Level 2 certification assessment is a prerequisite
Why Is CMMC Certification Important?
- Mandatory for DoD Contracts – Determines whether a company is eligible to bid on and perform a contract.
- Protects National Security – Strengthens cybersecurity resilience across the DoD supply chain.
- Competitive Advantage – Timely certification strengthens your reputation with prime contractors and government agencies.
What does AuditIQ offer?
A SaaS-based CMMC compliance platform designed to help DoD contractors achieve CMMC Level 1 compliance and prepare for Level 2 certification.