Every week, we get dozens of defense organizations reaching out to our compliance team asking questions about scoping CMMC, documentation, assessments and more.
Here are the most common questions asked and answered by our compliance experts.
Questions on Scoping & Boundaries
Q: For organizations with multiple locations, does CMMC apply company-wide or can it be limited to specific locations?
CMMC compliance can be limited to specific locations. The most effective approach is to create an “enclave” that isolates CUI-handling systems and locations from the rest of your organization. Your SSP can explicitly document which locations and systems are in scope for certification, while listing other company locations as out of scope. This focused approach both simplifies compliance and reduces costs by applying security controls only where needed.
Q: Can we have CUI and non-CUI on the same endpoint?
CUI and non-CUI can exist on the same endpoint. However, they must be either logically or physically separated.
For endpoints to have logical separation, they must restrict data transfer between connected assets (wired or wireless) using software or network controls. For example, access controls, encryption, or network segmentation can prevent unauthorized data flow.
In order for endpoints to achieve physical separation, assets can have no direct connection (wired or wireless). Data can only be transferred manually, such as via a USB drive.
Schedule 15 minutes with our compliance team to learn more.
Q: What happens if a customer sends CUI to our commercial MS365 mailbox?
If CUI is mistakenly sent to a non-compliant MS365 mailbox, standard CUI spillage procedures should be followed:
- Remove the CUI from the non-compliant mailbox and transfer it to a compliant environment, such as PreVeil.
- Delete the CUI from the non-compliant environment to prevent further exposure.
- Notify the sender of the mistake and ensure they understand the correct procedures for securely exchanging CUI in the future.
If you have purchased PreVeil’s Compliance Accelerator, you already have a fully fleshed-out procedure for handling this situation.
Q: What happens if a customer downloads CUI to MS365 OneDrive?
If an employee mistakenly downloads CUI to a non-compliant MS365 OneDrive, they should follow standard CUI spillage procedures:
- Remove the CUI from OneDrive and transfer it to a compliant environment, such as PreVeil.
- Delete the file from the non-compliant environment to prevent unauthorized access.
- Notify the employee of the mistake and ensure they understand the correct procedures for handling and storing CUI securely.
If you have purchased PreVeil’s Compliance Accelerator, you already have a fully fleshed-out procedure for handling this situation.
Q: If an employee only has View Only access, can their device be out of scope?
No, their device is typically still in scope. Even with View Only access, data is still processed on the endpoint, making it subject to CMMC compliance requirements. The only way to ensure an endpoint with View Only access is out of scope is by using a Virtual Desktop Infrastructure (VDI) environment, where no data is locally stored, processed or transmitted.
Q: Are NIST rules different for remote employees?
No, remote employees handling CUI must comply with the same 110 controls outlined in NIST SP 800-171 as their in-office colleagues. If an employee who handles CUI works from home, all endpoints they use, such as printers, routers, and firewalls, must also meet compliance requirements.
The easiest way to address these challenges is by using a Virtual Private Network, which allows employees to operate within the corporate network rather than a home network, reducing security risks and simplifying compliance.
Q: Do I need to block access to my printer if I handle CUI?
If you wish to keep your printers out of scope, you need to block their access to CUI. If, however, you allow printers to access CUI, they will be in scope. To protect a printer that can access CUI, you will need to:
- Control who has access to the printer
- Ensure the security of the printer and the network it is connected to, for example by keeping its firmware up to date
- Control access to the CUI that is printed from the machine and manage its lifecycle, e.g. how the printed CUI is destroyed when it is no longer needed
- Document all of these items in your SSP
Questions on CUI Identification & Handling
Q: Do we need to keep suppliers from forwarding CUI that we’ve shared with them?
Suppliers can share CUI within their supply chain if there is a valid business need. However, organizations that share CUI must ensure that cybersecurity requirements are properly flowed down to subcontractors in compliance with:
- DFARS 7012 – Requires subcontractors to comply with NIST SP 800-171 and adhere to cybersecurity requirements outlined in DFARS 7012(c)-(g), including incident reporting and forensic cooperation.
- DFARS 7020 – Requires subcontractors to grant DoD access to their facilities, systems, and personnel for assessments and mandates that they maintain an up-to-date SPRS score.
- DFARS 7021 – Requires subcontractors to hold a CMMC certification at the appropriate level based on the CUI being shared.
Ensuring these requirements are properly flowed down helps maintain compliance and security across the supply chain.
Q: What do I do if CUI is not clearly identified and we cannot get answers from our customers?
If you’re uncertain about CUI identification, your first step should be consulting your contracting officer or Prime; they have the responsibility to properly identify CUI. You are not responsible for marking information received from others as CUI. However, note that you do have an obligation to mark any CUI you create as a derivative of existing CUI.
Questions on Compliance Requirements & Documentation
Q: What are the CMMC Level 2 requirements that are not allowed on a POAM?
For CMMC Level 2 certification, you must meet a minimum threshold of 88 controls during your initial assessment. Critically, you must meet:
- All CMMC Level 1 controls
- All 3- or 5-point controls (the one exception is SC.L2-3.13.11 when it is partially met, i.e. encryption is employed but is not FIPS validated; this reduces the SPRS score by 3 points instead of 5)
- The following 1-point controls:
  - AC.L2-3.1.20 – External Connections (CUI Data)
  - AC.L2-3.1.22 – Control Public Information (CUI Data)
  - PE.L2-3.10.3 – Escort Visitors (CUI Data)
  - PE.L2-3.10.4 – Physical Access Logs (CUI Data)
  - PE.L2-3.10.5 – Manage Physical Access (CUI Data)
If you don’t meet these requirements in your first assessment, you’ll need to start the entire assessment process over – including paying for a new assessment. This is why many organizations opt for a readiness assessment first to ensure they meet these minimum requirements. Read more in the Final Register.
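The rule above (all Level 1 controls, all 3- and 5-point controls, the five named 1-point controls, at least 88 met, and the partial-FIPS exception for SC.L2-3.13.11) can be checked mechanically against a self-assessment result set. The script below is an added example, not PreVeil’s tooling; it takes the control inventory as input data, and its `FILL-*` ids are constructed placeholders rather than real NIST SP 800-171 controls.

```python
from dataclasses import dataclass, replace

# Control ids below come from the FAQ above; everything else is a constructed example.
NEVER_ON_POAM_1PT = {"AC.L2-3.1.20", "AC.L2-3.1.22",
                     "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}
FIPS_CONTROL = "SC.L2-3.13.11"   # partial (non-FIPS-validated crypto) may go on a POA&M
MIN_MET = 88                     # minimum number of met controls at the initial assessment

@dataclass(frozen=True)
class Control:
    control_id: str
    level: int      # CMMC level the control belongs to: 1 or 2
    points: int     # SPRS weight: 1, 3 or 5
    status: str     # "met", "partial" or "not_met"

def is_poam_allowed(c: Control) -> bool:
    """True if this control, when not fully met, may be deferred to a POA&M."""
    if c.control_id == FIPS_CONTROL and c.status == "partial":
        return True
    return c.level == 2 and c.points == 1 and c.control_id not in NEVER_ON_POAM_1PT

def poam_blockers(controls):
    """Ids of unmet controls that cannot be put on a POA&M under the rule above."""
    return [c.control_id for c in controls
            if c.status != "met" and not is_poam_allowed(c)]

def sprs_deduction(controls):
    """Points lost: full weight per unmet control, 3 instead of 5 for partial FIPS."""
    return sum(3 if (c.control_id == FIPS_CONTROL and c.status == "partial") else c.points
               for c in controls if c.status != "met")

def eligible_for_conditional_cert(controls):
    """Met-count threshold reached and nothing unmet that is barred from a POA&M."""
    met = sum(1 for c in controls if c.status == "met")
    return met >= MIN_MET and not poam_blockers(controls)

def with_status(controls, control_id, status):
    """Copy of the inventory with one control's status changed (for what-if checks)."""
    return [replace(c, status=status) if c.control_id == control_id else c for c in controls]

def sample_inventory():
    """Constructed 110-control inventory; 'FILL-*' ids are placeholders, not real controls."""
    named = [Control(i, 2, 1, "met") for i in sorted(NEVER_ON_POAM_1PT)]
    fips = [Control(FIPS_CONTROL, 2, 5, "partial")]
    fill = [Control(f"FILL-L2-{n:03d}", 2, 1, "met") for n in range(110 - len(named) - 1)]
    fill[0] = replace(fill[0], status="not_met")   # an ordinary 1-point gap: POA&M-able
    return named + fips + fill

if __name__ == "__main__":
    inv = sample_inventory()
    print("eligible:", eligible_for_conditional_cert(inv), "deduction:", sprs_deduction(inv))
    print("blockers if AC.L2-3.1.20 fails:", poam_blockers(with_status(inv, "AC.L2-3.1.20", "not_met")))
```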
Questions on Prime Contractor Relationships
Q: What DFARS clauses should I be looking for to see my flow-down requirements?
The key DFARS clauses for CMMC flow-down requirements are 252.204-7012, 7019, 7020, and 7021. Of particular importance is 7021, which addresses CMMC requirements and flow-down to subcontractors. Read more here.
Q: The CMMC requirement is needed at time of order, not when quoting, correct?
Correct. While CMMC certification is officially required at time of contract award rather than during the bidding process, Prime contractors are increasingly making certification a prerequisite for consideration.
Here’s what JR Williamson, CISO at Leidos, said at our CMMC summit:
We do run the risk that we may have a really great supplier that has a perfect solution that fits excellently into our offering to the customer but they are not certified and not going to be certified for another 12-14 months. As a result, we just cannot use them and they’re off the team because we run the risk of not winning if they cannot be certified at the time the award is given.
Q: What are the consequences for my ongoing work for a Prime if I’m not compliant after CMMC goes live?
The consequences of non-compliance can be severe, potentially resulting in contract termination and exclusion from future opportunities. Prime contractors have made it clear that they cannot risk working with non-compliant suppliers once CMMC requirements take effect. This could mean losing both current contracts and future business opportunities within the defense industrial base. See JR’s stance above.
Questions on Assessment & Costs
Q: Do we need to replace our existing firewall or routers to become compliant?
It depends on how you scope your compliant environment. However, best practice, according to multiple C3PAOs we’ve interviewed, is to ensure that your firewalls and routers operate in FIPS mode to avoid potential compliance issues due to varying interpretations by different assessors.
If your current firewall or router does not support FIPS mode, you should upgrade to components that do to ensure compliance.
Q: Do you have to do a readiness assessment before you can go for certification?
No, but you must complete a self-assessment. We do highly recommend readiness assessments as well because failing your official CMMC assessment means starting over, and paying for a new one. A readiness assessment helps identify and address gaps before committing to the formal certification process, potentially saving significant time and money by ensuring you’re fully prepared.
Q: What’s the cost for CMMC Level 2 Audit? Are there resources to help?
CMMC Level 2 certification costs vary based on organization size, complexity, and current security posture. The DoD estimates the cost of preparing for, conducting, and reporting a Level 2 assessment at $100,000, but note this doesn’t include documentation, tools, and potential remediation. We’ve identified several ways organizations can optimize their spending and reduce overall certification costs – these strategies are detailed in our CMMC cost-saving guide.
Q: Are there samples available of a responsibility matrix & what information is required from an MSP, ESP, or CSP?
Responsibility matrices are essential for clearly defining security control ownership between your organization and service providers. These documents outline which party is responsible for implementing and maintaining specific controls. PreVeil offers assessment-ready, pre-filled documentation, including Service Provider Responsibility Matrices (SRMs). Talk to our sales team for more information.
Q: How do I know if I have met the requirements for a particular control?
To evaluate compliance with a specific control, use the self-assessment methodology outlined in NIST SP 800-171A. This guide provides testing objectives and assessment procedures to help you determine how well you meet each of the 110 NIST 800-171 controls. Conducting a self-assessment will allow you to identify gaps, assign a score, and gauge overall compliance readiness.
Still have questions?