CMMC Implementation

Frequently Asked Questions

How will CMMC apply to non-US companies?

The DoD intends to engage with our international partners to establish agreements related to cybersecurity and ensure that foreign companies that support U.S. warfighters will be equipped to safeguard sensitive national security information. These agreements will establish a framework to address application of CMMC to non-US companies. Implementation of such agreements will be accomplished through the rulemaking process.

What is the Department’s intent regarding acceptance agreements between CMMC and other cybersecurity standards and assessments?

The Department is pursuing development of acceptance standards between CMMC and other cybersecurity standards and assessments, to include between CMMC Level 2 (Advanced) and the NIST SP 800-171 DoD Assessment Methodology for the high assessment confidence level, as well as CMMC Level 2 and the GSA Federal Risk and Authorization Management Program (FedRAMP) requirements for commercial cloud service offerings.

Furthermore, DoD is working with international partners to coordinate on potential agreements between CMMC and their respective cybersecurity programs.

Any such equivalencies or acceptance standards, if established, will be implemented as part of the rulemaking process.

CMMC program requirements will be implemented through the acquisition and contracting process. With limited exceptions for information with little national security need, the Department intends to require compliance with CMMC as a condition of contract award.

Overview of implementation

Once CMMC 2.0 is implemented, the required CMMC level for contractors and sub-contractors will be specified in the solicitation and in Requests for Information (RFIs), if utilized.

Five Steps to Make Your Company More Cyber Secure

Most cyber incidents start because of user error. Educate people about the importance of setting strong passwords, recognizing malicious links, and installing the latest security patches. Helpful materials and training videos are available through Project Spectrum.

Limit information systems access to authorized users and the specific actions that they need to perform.

Use multi-factor authentication tools to verify the identities of users, processes and devices.

Escort visitors and monitor visitor activity, maintain audit logs, and manage physical devices like USB keys.

Make sure to download the latest security patches when new releases are available. Always double check to make sure they are coming from a trusted source.

Plan of Actions and Milestones (POA&Ms)

With the implementation of CMMC 2.0, the Department intends to allow companies to receive contract awards with a Plan of Actions and Milestones (POA&M) in place to complete CMMC requirements. The Department’s intent is to specify a baseline number of requirements that must be achieved prior to contract award, in order to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline. The Department also intends to specify a small subset of requirements that cannot be on a POA&M in support of achieving a CMMC certification.


Under CMMC 2.0, the Department intends to allow a limited waiver process to exclude CMMC requirements from acquisitions for select mission-critical requirements. Waiver requests will require senior DoD leadership approval and will have a limited duration. The specifics of the waiver requirements will be implemented as part of the rulemaking process.

Key changes incorporated under the CMMC 2.0 framework

Plan of Actions and Milestones (POA&Ms)

CMMC 1.0

  • No allowance for POA&Ms

CMMC 2.0

  • Allows the use of POA&Ms
  • Highest weighted requirements cannot be on POA&M list
  • DoD will establish a minimum score requirement to support certification with POA&Ms

CMMC 1.0

  • No allowance for waivers

CMMC 2.0

  • Applied to entire CMMC requirement, not individual cybersecurity practices
  • Allowed on a very limited basis in select mission critical instances, upon senior leadership approval
  • DoD program office submits a justification package that includes specified timeline and associated risk mitigation plan
  • Timelines imposed on a case-by-case basis to achieve CMMC compliance