October 7, 2025
DoD/DoW CIO releases new CMMC FAQ
Last week the DoD/DoW CIO released a new CMMC FAQ with some interesting tidbits:
Timeline: The Department will begin to incorporate CMMC assessment requirements in applicable procurements on November 10, 2025, when the revised Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021 becomes effective. The first 12 months of implementation will primarily focus on self-assessments.
Let's hope so!
Cost: Costs incurred to implement existing contract requirements for safeguarding information (e.g., DFARS 252.204-7012) are not considered part of the CMMC compliance cost.
Because DoD/DoW assumes you implemented all of 7012 years ago: the clause has required full NIST SP 800-171 implementation since December 31, 2017, so nothing you spend catching up on it counts as "CMMC cost" in the Department's math.
Rev 2 vs Rev 3: Yes, the Department will incorporate Revision 3 with future rulemaking. In the interim, the Department has issued a class deviation to DFARS clause 252.204-7012 to maintain Revision 2 as the standard against which DIB companies will be assessed until Revision 3 has been incorporated into the 32 CFR CMMC Program rule through rulemaking.
This is an important reminder, as I've seen several individuals go astray recently when they were working off Rev 3. It's confusing, because NIST withdrew Rev 2 last year when Rev 3 was published. To be safe, you should be working off the CMMC Assessment Guides and CMMC Scoping Guides, which are still built on Rev 2. Standard 800-171 scoping will not pass a CMMC L2 assessment: the CMMC Level 2 Scoping Guide requires you to categorize assets (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, Out-of-Scope Assets) and document them in your SSP and network diagram, which a plain 800-171 system boundary does not do. (Note: you still need to have Rev 3 on your radar screen, as it will take effect for CMMC at some point in the next couple of years.)
Flowdown: CMMC requirements will flow down to subcontractors as outlined in 32 CFR 170.23. The required CMMC level is based on the type of data—Federal Contract Information (FCI) or CUI—that will be processed, stored, or transmitted on a contractor’s information system during the performance of a DoW contract. Subcontractors handling FCI or CUI are subject to safeguarding requirements.
Remember, being careful not to send CUI to your suppliers is the best way to reduce your burden in this regard: a subcontractor that only ever handles FCI is subject to Level 1 (self-assessment), while one that receives CUI is subject to Level 2. Your flowdown obligation follows the data, so limit what goes out to what each supplier actually needs.
Frequency: Level 1 self-assessments will be required on an annual basis, and CMMC Levels 2 and 3 will be required every 3 years. An affirmation of continued compliance is required for all CMMC levels at the time of assessment and annually thereafter.
Don't forget that annual affirmation of continued compliance! A senior official of your organization (the "Affirming Official" in 32 CFR 170.22) must personally affirm in SPRS that you continue to meet the requirements of the level you just assessed to. Missing that annual affirmation lapses your CMMC status just as surely as a failed assessment would, so put it on the calendar.
POAMs: If a POA&M Closeout Assessment is not finalized in CMMC eMASS within 180 days of the CMMC Status Date, the Conditional CMMC Status will automatically expire.
Note that this applies to Level 2 self-assessments as well as C3PAO assessments, and the 180-day clock starts on the CMMC Status Date, not when you get around to working the POA&M. Don't submit an assessment with open POA&M items until you are confident you can close them out and get the closeout assessment finalized in eMASS within that window. (Level 1 allows no POA&M at all.)
Self vs. C3PAO: PMs should only make use of the discretion provided in 32 CFR 170.3(e) to include a CMMC Level 2 (C3PAO) assessment during Phase 1 when, informed by adequate market research, there is reason to believe that enough qualified offerors (including their subcontractors) exist to provide for adequate competition to meet the solicitation requirement.
This means the pressure for official C3PAO assessment over self will come first and most heavily from the prime contractors. It's entirely possible (even likely?) that primes will be pushing subs to achieve C3PAO certification even before the PMs are requiring it of them. But we've already seen this, so it's not exactly news. It will only get more intense.
MSPs/MSSPs: In a scenario where IT support is handled by an MSP and where security protection data is handled by an MSSP, both the MSP and the MSSP qualify as ESPs and will be assessed as part of the OSA’s assessment against applicable security requirements. The ESPs do not require their own CMMC certification.
Make sure you get this right! Too many OSAs do not understand how their MSP/MSSPs will fit into their assessment scope. The ESP's services have to be documented in your SSP, and you need a customer responsibility matrix (CRM) from each ESP that spells out which requirements they meet, which you meet, and which are shared, because the assessor will evaluate those services as part of your assessment, not theirs.
CSPs: If the cloud tenant is subscribed/licensed to the OSA (even if the MSP resells the service), then the MSP is not a CSP. If the MSP contracts with the CSP and modifies the basic cloud service, then the MSP may be a CSP and must meet applicable FedRAMP or equivalency requirements.
This is another big potential gotcha. A lot of MSPs modify the basic cloud service, or provide their own software on top of it, and assume they are inheriting the underlying provider's FedRAMP Moderate (or equivalent) status. This is not the case: the MSP's own service must meet FedRAMP Moderate or the DoD equivalency requirements if it processes, stores, or transmits CUI. Ask your MSP which of these two scenarios you are in, and get it in writing.
Do you need help? You know where to find me.
Upcoming Virtual Workshops
October 14 @ 1-3PM (CT)
Self-Assessing CMMC Level One
Use code "CMMCUpdate" to get 20% off!
Hope to "see" you there!
Sincerely,
Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107