CMMC Frequently Asked Questions

CMMC Frequently Asked Questions

For more information, please contact:

C3PAO@sentar.com 

Sentar has been helping Defense Industrial Base (DIB) contractors meet their DoD compliance requirements since DFARS 252.204-7012 in 2015, NIST SP 800-171 in 2016, and now with CMMC. As a DoD contractor ourselves, Sentar is required to meet CMMC Level 2 under the finalized rule. Along with being a FedRAMP 3PAO (Cloud Application security assessor), Sentar is uniquely positioned to guide any DoD contractor through the compliance journey we have already navigated. We hope you find this FAQ page helpful.

What is the Cybersecurity Maturity Model Certification (CMMC)?

CMMC is a mandatory requirement created by the DoD that requires DIB contractors handling Controlled Unclassified Information (CUI) to hire a Third-Party Authorized Assessor to validate their compliance with controls defined in NIST SP 800-171. DoD contractors have been required to meet NIST SP 800-171 since January 1, 2018.

Sentar is an authorized CMMC Third-Party Assessor Organization (C3PAO) that contractors can use to obtain certification. With the CFR 32 Part 170.14 rule now finalized, contractors receiving, creating, or handling CUI must pass a third-party assessment from a C3PAO prior to receiving new contract awards with the CMMC requirement. Contractors handling only Federal Contractor Information (FCI) or a small subset of CUI not considered critical to national security may self-assess to Maturity Level 1 or Maturity Level 2 compliance.

What is Controlled Unclassified Information (CUI)?

CUI refers to information that requires safeguarding or dissemination controls pursuant to applicable laws, regulations, and government-wide policies. While not classified as Secret or Top Secret, mishandling of CUI can harm national security and must be tightly controlled.

Key Points About CUI:

  • CUI should be marked with unique headers identifying it as such.
  • The CUI Registry provides detailed information about CUI categories and requirements. Access the CUI Registry here.

If you are unsure whether your contract involves CUI, Sentar’s experts can help determine if your organization will need a CMMC Certificate.

Click here to contact Sentar and request a free consultation session.

Why Should My Organization Care About CMMC?

CMMC is a mandatory requirement for DoD contractors. As of FY2026, your organization must achieve the appropriate certification level to be eligible for new DoD contracts requiring CMMC compliance. Additionally:

  • By October 1, 2025, all DoD contracts are expected to require contractors to be certified at CMMC Level 1–3, depending on the contract requirements.
  • Existing contracts now include the CMMC requirement, meaning contractors must achieve certification to maintain current agreements and avoid jeopardizing their contracts.

Without certification, contractors are not eligible for new awards and risk losing existing contracts.

What Are the Challenges of Obtaining CMMC Accreditation?

The primary challenge for most organizations is the risk of incorrectly interpreting or implementing practices, which can lead to assessment failure. Each CMMC level introduces increasingly stringent practices and processes:

  • CMMC Level 1: 17 Practices
  • CMMC Level 2: 110 Practices (includes Level 1 practices)
  • CMMC Level 3: 110+ Practices (includes Levels 1–2 practices)

The following chart illustrates the original CMMC V1.0 five-level model, which was reduced to three levels in CMMC V2.0:

When Might My Organization Be Required to Obtain a CMMC Certification?

What Are My DoD Compliance Requirements Today?

As of FY2026, approximately 76,000 DoD contractors handling CUI must comply with DFARS 252.204 Subparts 7012, 7019, 7020, and 7021. Subpart 7019 requires contractors to assess their NIST SP 800-171 implementation status and submit their score to the Supplier Performance Risk System (SPRS). Failure to comply can prevent new contract awards.

These contractors are now required to obtain a CMMC Level 2 Certificate under the finalized rule.

When Will CMMC Compliance Show Up on DoD Contracts?

New contracts requiring CMMC Level 2 certification are already being phased in, with full implementation expected by October 2025.

Will All DoD Contracts Require CMMC Certification?

Yes, all DoD contracts will eventually require contractors to obtain CMMC certification. Contractors handling, receiving, or creating CUI must hire a C3PAO to certify their compliance.

When Will All DoD Contracts Require CMMC Certification?

The CFR 32 Part 170.14 rule defines a phased rollout of contracts requiring CMMC certification over 30 months (2.5 years). All new contracts could include the CMMC requirement within six months of the rule’s effective date.

See section 170.3 Applicability in CFR 32 Part 170.14 here.

Why Sentar?

Sentar is uniquely positioned to help DoD contractors achieve CMMC compliance:

  • Proven Expertise: Years of experience guiding contractors through DFARS, NIST SP 800-171, and now CMMC requirements.
  • Authorized Assessors: Certified C3PAO assessors with deep knowledge of compliance frameworks.
  • Tailored Support: Customized solutions to help contractors navigate complex requirements and achieve certification efficiently.

Get Started Today!

Don’t let compliance challenges jeopardize your contracts. Take the next step toward achieving CMMC certification with Sentar.

Need help with your CMMC assessment scope?

Download Sentar’s latest whitepaper, “Tips on Establishing Your Assessment Scoping Boundary from a C3PAO”

download whitepaper

We’re Hiring

Join the fastest-growing team in cyber
Careers at Sentar