CMMC FAQ

CMMC · NIST 800-171 · Quick Answers

Straight answers to the questions defense contractors ask us most about CMMC, NIST 800-171, and CUI.

What is CMMC Level 2?

CMMC Level 2 is the Department of Defense certification tier for contractors that handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and, for most companies, passing an assessment by an authorized third party (a C3PAO).

Who needs to be CMMC certified?

Any organization in the DoD supply chain that stores, processes, or transmits FCI or CUI, including subcontractors. The requirement flows down the supply chain, so even small suppliers several tiers below a prime can be in scope.

When is the CMMC deadline?

The requirement is phasing into contracts now. The pivotal date is November 10, 2026, when third-party CMMC Level 2 certification becomes required for applicable CUI contracts and self-attestation no longer satisfies them.

What is the difference between FCI and CUI?

FCI (Federal Contract Information) is non-public information provided or generated under a contract and triggers CMMC Level 1. CUI (Controlled Unclassified Information) is sensitive government information requiring specific safeguarding and triggers CMMC Level 2.

Is Davidson Cyber Defense a C3PAO?

No. A C3PAO is the accredited organization that performs the official assessment. Davidson Cyber Defense is a readiness firm — we prepare you to pass and do not issue certifications. Certification is determined by an authorized C3PAO and the DoD, and a firm cannot both prepare and assess the same client.

What are an SSP and a POA&M?

A System Security Plan (SSP) documents how your organization implements each required control. A Plan of Action and Milestones (POA&M) lists any gaps, how you will fix them, and by when. Both are required artifacts for a CMMC Level 2 assessment.

What is an SPRS score?

It is your NIST 800-171 self-assessment score, posted in the DoD Supplier Performance Risk System. You start at 110 and subtract weighted points (5, 3, or 1) for each unmet control. Contracting officers use it to judge your cybersecurity posture.

How long does it take to get ready?

A gap assessment takes days to a couple of weeks depending on your size. Closing the gaps to become assessment-ready typically takes three to nine months, because it can involve remediation, documentation, and sometimes a secure-cloud migration.

How much does CMMC compliance cost?

It varies with company size and how many gaps you have. Readiness assessments commonly run from a few thousand to the mid-five figures; full remediation and the separate C3PAO assessment add to that. Preparation typically costs several times the assessment fee itself.

Can I still self-assess?

For Level 1 and some lower-risk situations, yes. But for the CUI contracts that require Level 2 under the phased rollout, self-attestation will no longer be sufficient once third-party certification is required.

Still have questions?

Book a no-pressure intake call and we will walk through your specific situation with you.