Question 1

What is the difference between CMMC Level 1 and Level 2?

Accepted Answer

CMMC Level 1 covers 15 basic safeguarding practices from FAR 52.204-21 and requires annual self-assessment. Level 2 maps to all 110 security requirements in NIST SP 800-171 and requires third-party assessment by a C3PAO for contracts involving CUI. Most defense contractors handling CUI will need Level 2 certification.

Question 2

How long does it take to prepare for a CMMC Level 2 assessment?

Accepted Answer

For most organizations, preparation takes 6 to 12 months depending on your current security posture. Companies with an existing NIST 800-171 implementation and documented SSP are closer to ready. Organizations starting from scratch should plan for the longer end of that range. We conduct a gap assessment first to give you a realistic timeline and prioritized remediation plan.

Question 3

Do subcontractors need CMMC certification too?

Accepted Answer

Yes. CMMC requirements flow down to subcontractors who handle CUI. If a prime contractor's contract requires CMMC Level 2, any subcontractor that processes, stores, or transmits CUI on that contract must also achieve Level 2 certification. We help both primes and subs understand their flow-down obligations and prepare accordingly.

Question 4

Can we use a cloud environment like Microsoft GCC High for CMMC compliance?

Accepted Answer

Yes, and many contractors do. Microsoft 365 GCC High and Azure Government are FedRAMP High authorized and designed to meet DFARS and CMMC requirements for CUI. However, moving to GCC High does not automatically make you compliant. You still need to configure the environment correctly, implement all 110 controls, and maintain proper CUI handling procedures. We help you architect and validate the entire enclave.

الدفاع ومقاولو الحكومة

تحديات القطاع

أطر العمل ذات الصلة

كيف نساعدك

CMMC

Compliance as a Service

Penetration Testing

Audit & Assurance

vCISO

اختبار الاختراق لقطاع الدفاع ومقاولو الحكومة

الأسئلة الشائعة

مستعد للبدء؟