By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Key takeaways from the September 2025 CMMC FAQs
As cybersecurity threats evolve, the Department of War (DoW) continues to strengthen its commitment to safeguarding the Defense Industrial Base (DIB) through the Cybersecurity Maturity Model Certification (CMMC) Program. The September 2025 revision of the CMMC FAQs clarifies implementation timelines, compliance costs, assessment processes, and expectations for DoW contractors. Key takeaways include:
- CMMC Requirements Begin November 10, 2025
Starting November 10, 2025, the DoW will begin incorporating CMMC assessment requirements into applicable contracts. The first year emphasizes self-assessments under a phased implementation plan designed to minimize disruption while scaling assessment capacity.
- Cost Depends on Readiness and Complexity
Costs incurred to implement existing contract requirements for safeguarding information (e.g., DFARS 252.204-7012) are not considered part of CMMC compliance costs. Expenses related to certification or self-assessment will vary based on factors such as organizational size, required CMMC level, network complexity, current cybersecurity posture, and market forces.
- NIST Alignment and Future Updates
CMMC Level 2 currently aligns with NIST SP 800-171 Revision 2, but DoW plans to transition to Revision 3 through future rulemaking. In the meantime, contractors may voluntarily implement Revision 3 using the Department’s organization-defined parameters. However, since assessments are performed against Revision 2, DIB companies must ensure there are no gaps in their implementations.
- Assessments Vary by Level and Data Type
  - Level 1: Annual self-assessment for companies handling only Federal Contract Information (FCI)
  - Level 2: Triennial third-party or self-assessments for companies managing Controlled Unclassified Information (CUI)
  - Level 3: Triennial assessments including additional NIST SP 800-172 controls
- Subcontractors Must Also Comply
CMMC requirements flow down through the supply chain. Subcontractors handling FCI or CUI must meet the minimum level for the data type they handle: CMMC Level 1 for FCI and CMMC Level 2 for CUI.
- Data Transparency and Reporting
Assessment results are not public, but they are available to DoW procurement officials via the Supplier Performance Risk System (SPRS). Contractors can share their compliance status with primes and teaming partners for verification purposes.
- CMMC Conditional Status Allowed in Limited Circumstances
Contractors can achieve CMMC “Conditional” status with a Plan of Action and Milestones (POA&M) for a limited number of non-critical cybersecurity requirements, as detailed in 32 CFR 170.21. The POA&M items must be resolved within 180 days to achieve CMMC “Final” status.
- External Service Providers Must Meet Standards
If contractors use cloud service providers (CSPs) to process, store, or transmit CUI, those providers must meet FedRAMP Moderate or equivalent requirements. Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) that manage CUI do not require their own CMMC assessment; however, the services they provide will be assessed as part of the contractor’s CMMC assessment for the applicable cybersecurity requirements.
- Access the DoW’s FAQ resource in its entirety:
Cybersecurity Maturity Model Certification Program Frequently Asked Questions – Revision 2. (2025)
Preparation Is Key
The best way to prepare is to perform a thorough self-assessment now. Identify any gaps, implement required security measures, and document compliance through a detailed System Security Plan (SSP) and Plan of Action and Milestones (POA&M) before the rule takes effect.
Many DoW contractors will not have the expertise or resources needed to perform a CMMC readiness assessment, identify gaps, and develop corrective action plans. In these cases, contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.