Frequently asked questions
General
The Cybersecurity Maturity Model Certification (CMMC) began rolling out in Guam as part of the U.S. Department of Defense's efforts to enhance cybersecurity practices among defense contractors and organizations handling sensitive information. The rollout started on November 10, 2025, aligning with the nationwide implementation timeline.
The Cybersecurity Maturity Model Certification (CMMC) applies to all companies that work with the U.S. Department of Defense (DoD) and handle sensitive information.
1️⃣ Who Must Comply
• Defense contractors – companies that have DoD contracts, including prime contractors and subcontractors.
• Suppliers – vendors that handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) as part of a DoD contract.
• Service providers – including IT, cloud, or managed service companies that access or manage sensitive DoD data.
2️⃣ Who Typically Does Not Need to Comply
• Companies that do not work with the DoD, or that handle only non-sensitive information, usually do not need CMMC certification.
3️⃣ Why It Applies
• CMMC ensures that all organizations in the Defense Industrial Base (DIB) follow consistent cybersecurity practices, protecting sensitive defense data.
• Contractors without certification may be ineligible for new DoD contracts, making compliance essential.
• Only Certified Third-Party Assessment Organizations (C3PAOs) are authorized to perform official CMMC assessments and issue certifications.
• Cyber AB (Cybersecurity Maturity Model Certification Accreditation Body) oversees and accredits C3PAOs and manages the certification ecosystem.
• Individuals cannot certify a company on their own; only a C3PAO assessment counts.
