CMMC touches more of a business than most people expect going in. It’s part regulation, part information classification (figuring out whether you’re dealing with FCI or CUI usually comes first), and part tiered certification that gets stricter as the data gets more sensitive. And it doesn’t stop at your front door — subcontractors, your IT vendors, your cloud provider, even the AI tools your team uses can all fall inside the compliance boundary depending on what they touch.
Below you’ll find FAQs covering the full range of what comes up during a typical compliance journey: the three CMMC levels and 14 control domains, the regulatory history behind the program, how to scope an assessment and set up a CUI enclave, technical and device security requirements, documentation like your SSP and POA&Ms, staff training, incident reporting, SPRS scoring, ongoing compliance obligations, how CMMC relates to frameworks like NIST CSF or ISO 27001, and realistic cost expectations.
If you’re still trying to figure out whether CMMC applies to you, or you’re already deep into a Level 2 assessment, these are meant to be answers you can dip into as needed rather than read start to finish. And if you’d rather just talk to someone directly, our team is happy to walk through your specific situation. Schedule a free consultation for a customised solution for your organization.
Table of Contents
CMMC Compliance FAQ Pages
CMMC Fundamentals
If you’re new to CMMC, start here. The Cybersecurity Maturity Model Certification is the Department of Defense’s answer to a problem it had tolerated for years: contractors self-reporting cybersecurity compliance that didn’t always match reality. Today, CMMC replaces that honor system with independently verified proof, tiered across three levels, and tied directly to whether a company can win or keep a DoD contract. This FAQ page walks you through what CMMC actually is, why it exists, who it applies to, and what’s at stake if a business falls out of compliance mid-contract. Learn more
What is CUI and FCI?
Two acronyms sit at the center of almost every CMMC conversation: FCI and CUI. Federal Contract Information is the baseline, everyday contract data not meant for public release. Controlled Unclassified Information is a step up: sensitive, government-designated data like technical drawings or export-controlled research that triggers much stricter security obligations. Knowing which one (or both) your systems touch determines your entire compliance path, from the level you need to how you must mark, store, and transmit information. This FAQ page breaks down the difference, how CUI gets identified and labeled, and what to do if it ends up somewhere it shouldn’t. Learn more
What Are the Three Levels of CMMC?
CMMC isn’t one-size-fits-all. It scales protection to risk. Level 1 covers basic safeguarding for FCI with a simple annual self-assessment. Level 2 is where most contractors handling CUI land, requiring all 110 NIST SP 800-171 controls and, in most cases, a third-party audit. Level 3 is reserved for the most sensitive defense programs and adds a layer of protection against advanced, persistent threats. This FAQ page unpacks what each level actually demands, how assessments differ between them, and how to figure out which one applies to your contracts. Learn more
The 14 CMMC Control Domains
Underneath CMMC Level 2’s 110 requirements are 14 organized domains. Think of them as the major subject areas of your security program, covering everything from access control and incident response to media protection and system integrity. Rather than treating compliance as one giant checklist, breaking it into domains makes it easier to assign ownership, track progress, and understand where your organization’s gaps actually live. This FAQ page walks you through each domain and what it’s really asking you to do. Learn more
Regulatory Background for CMMC
CMMC didn’t appear out of nowhere, it’s the product of a regulatory chain that stretches back years, through DFARS clauses, FAR requirements, and a program rule finalized in late 2024. Understanding that lineage matters, because it explains why certain requirements exist, how enforcement actually works, and why deadlines and phase-in dates carry real legal weight. This FAQ page traces the regulatory framework behind CMMC so you can see the full picture instead of just the certification checklist. Learn more
CMMC Technical Security Controls
Policies and paperwork only get a contractor so far, CMMC also demands specific technical safeguards on the systems that actually touch FCI and CUI. That means things like multi-factor authentication, encryption for data at rest and in transit, network segmentation, and boundary protection aren’t optional extras; they’re assessed line by line. This FAQ page digs into the technical side of compliance, translating control language into the kind of infrastructure decisions your IT team will actually need to make. Learn more
Incident Response and Reporting Under CMMC
When something goes wrong, CMMC doesn’t just expect you to fix it quietly, it expects you to have a documented response plan and, in many cases, to report qualifying cyber incidents to the DoD within a tight window. Getting this wrong doesn’t just create security risk; it creates legal and contractual risk. This FAQ page covers what counts as a reportable incident, how the reporting process works, and what a compliant incident response program actually needs to include. Learn more
CMMC Assessment Scoping and CUI Enclaves
One of the smartest moves a contractor can make is shrinking the size of their own assessment. By carefully scoping which systems actually touch CUI, and isolating that data into a dedicated enclave, organizations can often avoid dragging their entire IT environment into audit territory. This FAQ explains how scoping decisions get made, what counts as an enclave, and how getting this step right early can save significant time and cost down the line. Learn more
CUI and Commercial Cloud Services
Most contractors don’t run their own data centers anymore, they run on Microsoft 365, AWS, or similar platforms. But not every version of those services meets CMMC’s bar for handling CUI. This FAQ page explains what “FedRAMP equivalent” really means, why government-community cloud offerings matter, and how to evaluate whether your current cloud setup is actually compliant or just convenient. Learn more
MSPs, MSSPs, and ESPs Under CMMC
If you outsource IT or security to a managed service provider, that provider doesn’t get to sit outside your compliance boundary, CMMC treats external service providers as part of the assessed environment whenever they touch FCI or CUI. This FAQ page explains what that means in practice, what your MSP or MSSP needs to document and prove, and why choosing the wrong vendor can quietly sink an otherwise solid compliance program. Learn more
CMMC Subcontractor Obligations
CMMC compliance doesn’t stop at the prime contractor; it flows down through every tier of the supply chain that touches FCI or CUI. That means subcontractors, even small ones several layers removed from the DoD, may need their own certification before work can even start. This FAQ page walks you through how flow-down requirements work, who’s responsible for verifying subcontractor status, and what happens when a link in that chain isn’t compliant. Learn more
CMMC Device Security Requirements
Every laptop, phone, and endpoint that touches FCI or CUI is part of your assessment boundary, which means device-level security isn’t an afterthought, it’s core to passing. This FAQ page covers what CMMC expects for endpoint protection, mobile device management, and handling employee-owned or remote devices, especially in the hybrid work environments most contractors operate in today. Learn more
CMMC Training Requirements
Technology alone won’t get you certified, CMMC requires proof that your people know how to handle sensitive information responsibly, from recognizing phishing attempts to properly marking CUI. This FAQ page breaks down what security awareness training actually needs to cover, how often it needs to happen, and how to document it in a way that satisfies an assessor. Learn more
CMMC Documentation Requirements
An assessor can’t verify what isn’t written down. System Security Plans, Plans of Action and Milestones, policies, and evidence logs form the paper trail that proves your controls aren’t just theoretical. This FAQ page explains which documents CMMC actually requires, how detailed they need to be, and why incomplete documentation is one of the most common reasons contractors fail an assessment. Learn more
CMMC and SPRS Scores
Before CMMC ever mentions certification, it starts with a number: your Supplier Performance Risk System score, calculated against the 110 NIST SP 800-171 controls. That score isn’t just a formality, it can determine contract eligibility and sets the baseline an assessor will check against later. This FAQ page explains how SPRS scoring works, what a “good” score looks like, and how it connects to your broader certification path. Learn more
CMMC and Continuous Compliance
Passing an assessment isn’t the finish line, CMMC expects contractors to maintain their security posture continuously, with annual affirmations and re-certification cycles that catch backsliding before it becomes a bigger problem. This FAQ page covers what ongoing compliance actually looks like day to day, and why treating certification as a one-time event is one of the most common (and costly) mistakes contractors make. Learn more
CMMC and Related Frameworks
CMMC doesn’t exist in isolation, it overlaps significantly with frameworks like NIST CSF, ISO 27001, and SOC 2, which many contractors already have in place for other reasons. Understanding where these frameworks align, and where they diverge, can save real time and money by letting existing controls do double duty. This FAQ page maps out those relationships so you’re not rebuilding a security program from scratch if you’ve already invested in another standard. Learn more
The Cost of CMMC Compliance
Cost is usually the first question and the hardest one to answer, because it depends heavily on your current security maturity, the level you need, and whether you’re bringing in outside help. This FAQ page breaks down the real cost drivers, from technical remediation to assessment fees to ongoing maintenance, so you can budget realistically instead of guessing. Learn more
AI Tools and CMMC Compliance
As AI tools work their way into everyday business workflows, contractors are asking a new question: can we use them around CUI at all? The answer depends heavily on where the data goes, how the tool is hosted, and whether it meets the same safeguarding standards as any other system in your environment. This FAQ page looks at how AI tools intersect with CMMC requirements and what to watch for before plugging one into a CUI-touching process. Learn more
Explore Blogs, Webinars and other Resources
Trusted by Reputed Companies
What Our Clients Say
We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center
Our Growing List of Credentials
0
+
Assessments
0
+
Clients
0
+
Assessment Libraries
0
+
Years of Experience
0
+
No. of Staff Trained
0
+
HIPAA
0
+
SOC 2 Readiness
0
+
Pen Testing
0
+
ISO 27001 Certifications
0
+
Dollars Saved in Compliance Penalties