Frequently Asked Questions

  • What Type of Deliverables or Documentation does CMMC Require?
    Like NIST 800-171, it is a requirement of CMMC to provide a System Security Plan as well as policies and procedures on how you implement the practices found in CMMC. The auditor will most likely need to provide a Report on Compliance, like that of PCI and FedRAMP. If you are submitting a self-assessment for Levels 1 or 2 you will need a System Security Plan to claim compliance.
  • Can we Help Contractors Perform a CMMC Assessment AND Perform their Audit?
    No. They have made it quite clear that they do not want the organizations who are performing the audits to also be the ones implementing the CMMC requirements for the contractor.
  • Who is going to be Accrediting These CMMC Auditors?
    An organization called the CMMC Accreditation Body. This is a non-profit organization that has signed an MOU with the DoD and is the entity vetting and selecting C3PAOs.
    You can find more information on how to accomplish this at
  • How do we Become a CMMC Auditor?
    You will need to become an accredited 3rd party commercial certification organization.
    You can find more information on how to accomplish this at
  • How Much will this Whole Process Cost Me?
    We can’t say for sure. That depends entirely on the market. The DoD has made it clear that they are trying to keep the cost down and are encouraging industry to automate as much of this process as possible. ComplyUp is taking that approach and applying it to our business model. Our software is cost-effective and practical. The cost and associated assessment will likely scale with the level requested. It’s difficult to know exactly what the entire process will cost so it is important to do some price-shopping when selecting solutions and services.
  • How Often do we Need to re-certify?
    Level 1 and Level 2 self-assessment’s will need to submit their results annually. A subset of Level 2 as well as Level 3 will need to undergo triennial assessments led by third-party organizations or the government itself.
  • What are Step I can Take Now to Prepare for CMMC Certification?
    1. Get NIST 800-171 documentation out of the way. This will get you through many of the CMMC Level 2 requirements and keep you compliant with the current DFARS clause.
    2. Be ready to address any gaps you find and implement solutions to remediate them. It is still unclear whether your organization will need to obtain a third-party audit and certification or if you’ll be able to self-assess and submit the results manually.
  • Which Level of CMMC will I Need to be Certified in?
    We’re not sure yet. This will depend entirely upon what level of certification your contract requires and the sensitivity of the information you handle. We can say this: ALL companies handling CUI can expect to need to certify at a CMMC Level 2 certification (which will include all 110 controls from NIST 800-171) at a minimum. Level 1 will be required of companies that handle FCI (Federal Contract Information) while Level 2 will be required by most companies that handle CUI, and 3 will be required among a small subset of contracts handling extremely sensitive information. The safe bet at this point is to shoot for a Level 2.
  • What if we Don’t Handle CUI? Do we Still Need to be Certified?
    Yes. All companies doing business with Department of Defense will need to obtain CMMC. All of Level 1 requirements as well as some of Level 2 will need to complete an annual self-assessment, while the rest of Level 2 and Level 3 will need to undergo either a third-party assessment (a subset of Level 2) or a government led assessment (Level 3).
    Even if you are a subcontractor.
  • CMMC and NIST 800-171 are Different?
    Somewhat. All 110 controls found in NIST 800-171 can be found within CMMC. In fact, CMMC 2.0 Level 2 practices are mapped directly from NIST 800-171. Still, there are differences between the frameworks. CMMC has levels of certification, whereas NIST 800-171 is a “one-size-fits-all” framework. CMMC also requires a third-party assessment and certification on a subset of Level 2 contracts.
  • Is the CMMC 2.0 Framework Available to the Public?
    Yes. Version 2.0 is available at
  • What is CMMC?
    The Cybersecurity Maturity Model Certification is a new standard that will take the place of NIST 800-171 on DoD contracts. CMMC 2.0 is broken down into 3 levels of certification ranging from basic to advanced.
  • Is ComplyUp FedRAMP authorized?
    According to a DoD Memo entitled “Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings” dated Dec 21, 2023:

    “DFARS clause 252.204-7012 requires any contractor that uses an external cloud service provider to store, process, or transmit any covered defense information in performance of a DoD contract to “require and ensure” that the cloud service provider:
    – meets security requirements equivalent to the FedRAMP Moderate baseline”.

    Users of ComplyUp’s Assessment Platform should not input any Covered Defense Information or Controlled Unclassified Information into the platform. CDI/CUI does not belong in security documentation.
    Consequently, ComplyUp does not store, process, or transmit CDI and is not subject to FedRAMP authorization or FedRAMP moderate equivalency.
  • If CMMC is Replacing NIST 800-171, why would I need to Comply with 800-171 now? Why not just Start with CMMC?
    CMMC and NIST 800-171, while very similar, are different frameworks. The current DFARS clause requires compliance with NIST 800-171, not CMMC. They’re different frameworks that require different documentation. When you enter your information into the SPRS it is asking for a score of your NIST assessment as well as whether or not you have a NIST System Security Plan. Also, it’s good practice to get compliant with NIST first as it is the current requirement but also because as you work your way through NIST, you are also working towards CMMC L2 certification (being that you can map the 110 controls in NIST to CMMC L2).
  • How does NIST 800-171 Relate to CMMC?
    NIST 800-171 is the current requirement in contracts containing the DFARS clause 252.204-7012. CMMC is positioned to start replacing NIST 800-171 in contracts as soon as an official rule is made.
    CMMC contains 3 levels of certification ranging from “basic cyber hygiene” to “advanced”. NIST 800-171 is comparable to CMMC Level 2, as far as the requirements go. All 110 controls for NIST 800-171 can be found in CMMC Level 2. Essentially, if you are 100 percent implemented on NIST 800-171 then you are a good bit of the way done with CMMC Level 2.
  • How do I Generate my SPRS Score?
    You’ll need to conduct a basic assessment of NIST 800-171. This will require you to answer implemented, not implemented, or partially implemented to each of the 110 requirements. You’ll then need to score those answers against the DoD scoring algorithm. Each requirement is weighted separately. The lowest score you can have is -203 with the highest being 110.
    There is no failing score and there is no passing score. The only requirement that hints at failing is the requirement to produce a System Security Plan. If you do not have a System Security Plan created, then you will have to enter a score of Not Available (not technically failing but certainly not complying). So, in order to comply with NIST 800-171 you’ll need your SPRS score, a System Security Plan and a Plan of Action and Milestones.
  • What are the Steps Involved with Becoming NIST 800-171 Compliant? Where do I Begin?
    First, you’ll need to identify what CUI or FCI you are receiving from the DoD or prime. This will help you to “scope” your environment out. This, often, is easier said than done. You may need to consult with your contracting officer or prime contractor to properly identify this sensitive information.
    Debatably, scoping is the next step in the NIST process. Identify the IT systems that need to be assessed. It is possible your network is split up into different sections. Maybe your office computers are on an entirely different network than your production or manufacturing servers (where the CUI is processed). If so, you may be able to focus your assessment on the production servers exclusively.
    Once you’ve “scoped” out the environment(s) (or system) that needs assessed, you’ll need to complete a gap assessment of that environment(s). Start by working your way through each of the requirements, one by one. The requirements are identified in Section 3 of NIST 800-171. They’re broken down into 14 families. Read the requirement, consider your environment, and work out a response. If the requirement is implemented, you’ll need to document how you’ve implemented it. If it is “Not Implemented” you’ll need to create plans on how you intend to remediate the deficiency.
    Then, when you have conducted your gap assessment, you’ll need to score that assessment using the DoD scoring algorithm. This will give you a score of between -203 and 110. This score, along with some information on your System Security Plan and POAMs, will need to be entered into the SPRS system.
  • Does NIST 800-171 Apply to Subcontractors?
    The DFARS clause 252.204-7012, which contains the requirement for compliance with NIST, flows down from the prime to the subcontractors. In fact, even if you’re a sub and you have other subs underneath you, you’ll need to require NIST compliance of your subs as well.
  • What is a System Security Plan and POAM?
    A System Security Plan is a document that shows how you’ve responded to each of the 110 controls/requirements in NIST 800-171. It should outline system boundaries, system interconnections and responses to the controls. This, essentially, means that you’ll need to respond to each requirement as either Implemented, Not Implemented, Not Applicable or Partially Implemented. Once you have given the control a status, you’ll need to describe why you selected that status. If the control is implemented, then describe how your organization meets the requirement. If the control is not implemented, then you’ll need to create a POAM for that requirement.

    A POAM is a Plan of Action and Milestones. When you find a deficiency, or a requirement that your organization does not currently meet, then you’ll need to create a plan to get that deficiency remediated. That plan is your POAM. It shows that you have acknowledged the deficiency and have a good plan for getting the requirement implemented. POAMs will consist of the reason for the deficiency, plans to correct the deficiency and a realistic timeline of when those plans will be completed.

    You’ll need both your System Security Plan and Plan of Actions and Milestones to claim compliance to NIST 800-171.
  • What is CUI?
    Controlled Unclassified Information (CUI) is the data the government wants you to protect. You may have access to it for manufacturing items used by DoD or for executing a services contract. They believe its sensitive enough to warrant specific cyber defenses to keep it safe.
  • How Do I Comply with NIST 800-171
    NIST 800-171 is a list of 110 requirements regarding cybersecurity. To claim NIST 800-171 compliance you need to assess your organization against each of the requirements, formally document how you meet each requirement, and plan to make changes to your IT systems and processes as necessary to resolve any deficiencies you discovered during the assessment.
    You’ll need to be able to present 3 items to claim compliance to NIST 800-171:
    • A System Security Plan
    • Plan of Action and Milestones
    • Your SPRS score
No questions matching current filter