Every week, we get dozens of defense organizations reaching out to our compliance team asking questions about scoping CMMC, documentation, assessments and more. 

Here are the most common questions asked and answered by our compliance experts.

Questions on CMMC Scoping & Boundaries

Q: Can I continue to use Commercial Office 365 or Gmail if I need to be CMMC compliant?

You can continue to use platforms like Commercial O365 and Gmail but they must be separated from your compliance boundary and not handle CUI. PreVeil integrates directly with Outlook, Gmail, File Explorer and Mac Finder so users can continue to work with their familiar tools, while meeting the security & compliance requirements of CMMC.

Q: For organizations with multiple locations, does CMMC apply company-wide or can it be limited to specific locations?

CMMC compliance can be limited to specific locations. The most effective approach is to create an “enclave” that isolates CUI-handling systems and locations from the rest of your organization. Your SSP can explicitly document which locations and systems are in scope for certification, while listing other company locations as out of scope. This focused approach both simplifies compliance and reduces costs by applying security controls only where needed.

CUI and non-CUI can exist on the same endpoint. However, they must be either logically or physically separated.

For endpoints to have logical separation, they must restrict data transfer between connected assets (wired or wireless) using software or network controls. For example, access controls, encryption, or network segmentation can prevent unauthorized data flow.

In order for endpoints to achieve physical separation, assets can have no direct connection (wired or wireless). Data can only be transferred manually, such as via a USB drive.

Schedule 15 minutes with our compliance team to learn more.

Q: If a DoD contractor handles CUI, does every employee in the company need to be part of the security boundary?

The documentation for the CMMC states that: “when implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.”

So, the “enclave model” for protecting CUI is supported by CMMC policies and the security boundary can include only those employees that handle CUI.

If CUI is mistakenly sent to a non-compliant MS365 mailbox, standard CUI spillage procedures should be followed:

  1. Remove the CUI from the non-compliant mailbox and transfer it to a compliant environment, such as PreVeil.
  2. Delete the CUI from the non-compliant environment to prevent further exposure.
  3. Notify the sender of the mistake and ensure they understand the correct procedures for securely exchanging CUI in the future.

If you have purchased PreVeil’s Compliance Accelerator, you already have a fully fleshed out process describing how to manage this process.

If an employee mistakenly downloads CUI to a non-compliant MS365 OneDrive, they should follow standard CUI spillage procedures:

  1. Remove the CUI from OneDrive and transfer it to a compliant environment, such as PreVeil.
  2. Delete the file from the non-compliant environment to prevent unauthorized access.
  3. Notify the employee of the mistake and ensure they understand the correct procedures for handling and storing CUI securely.

Q: If an employee only has View Only access, can their device be out of scope for CMMC?

No, their device is typically still in scope. Even with View Only access, the CUI is rendered, and therefore processed, on the endpoint, which makes the device subject to the CMMC requirements. The usual way to take such an endpoint out of scope is to have it act purely as a Virtual Desktop Infrastructure (VDI) client, configured so that no CUI is stored, processed or transmitted locally; the CMMC scoping guidance treats a client configured that way as out of scope.

Q: Are NIST rules different for remote employees?

No. Remote employees who handle CUI must satisfy the same 110 NIST SP 800-171 requirements as their in-office colleagues. If such an employee works from home, every device in the path of the CUI, including the laptop and any printer, router or firewall that processes it, must meet the requirements and be documented in the SSP.

The simplest way to limit what falls into scope is a Virtual Private Network that routes the employee's CUI traffic through the corporate network rather than the home network, so the home network carries only encrypted tunnel traffic, the in-scope assets stay under the organization's control, and compliance is simpler to demonstrate.

Q: Do I need to block access to my printer if I handle CUI?

If you want to keep a printer out of scope, you must block it from receiving CUI. If you allow a printer to print CUI, it is in scope, and you will need to:

  • Control who can send jobs to the printer and who can collect its output
  • Keep the printer and the network segment it sits on secure, including keeping its firmware current
  • Control the printed CUI through its life cycle, e.g. how output is stored and how it is destroyed when it is no longer needed
  • Document all of these items in your SSP

If you purchased PreVeil’s Compliance Accelerator, we have all these policies & procedures available to you. They’re pre-filled and assessment-ready, validated by CMMC Assessors.


Questions on CUI Identification & Handling

Q: Do we need to keep suppliers from forwarding CUI that we’ve shared with them?

Suppliers can share CUI within their supply chain if there is a valid business need. However, organizations that share CUI must ensure that cybersecurity requirements are properly flowed down to subcontractors in compliance with:

  • DFARS 7012 – Requires subcontractors to comply with NIST SP 800-171 and adhere to cybersecurity requirements outlined in DFARS 7012(c)-(g), including incident reporting and forensic cooperation.
  • DFARS 7020 – Requires subcontractors to grant DoD access to their facilities, systems, and personnel for assessments and mandates that they maintain an up-to-date SPRS score.
  • DFARS 7021 – Requires subcontractors to hold a CMMC certification at the appropriate level based on the CUI being shared.

Ensuring these requirements are properly flowed down helps maintain compliance and security across the supply chain.

Q: If I have a DFARS 7012 clause in my contract, what are my responsibilities to my suppliers and subcontractors, and what are the key responsibilities of my Cloud Service Provider (CSP)?

The OSC (Organization Seeking Certification) is responsible for meeting the 110 NIST SP 800-171 requirements and for being prepared for a CMMC assessment. That includes flowing DFARS 7012 down to any subcontractor that will handle CUI and ensuring they also meet the CMMC requirements.

The CSP is responsible for meeting the requirements that DFARS 7012 places on a cloud service used to store, process or transmit CUI: the security requirements of the FedRAMP Moderate baseline (or equivalent), plus the cyber incident reporting, malicious software, media preservation and forensic access obligations of paragraphs (c) through (g) of the clause.

Q: What do I do if CUI is not clearly identified and we cannot get answers from our customers?

If you're uncertain whether information is CUI, your first step should be to consult your contracting officer or Prime; they are responsible for identifying and marking CUI. You are not responsible for marking information you receive from others as CUI. You do, however, have an obligation to mark any CUI you create that is derived from existing CUI.


Questions on CMMC Compliance Requirements & Documentation

Q: What is the difference between CMMC 1.0 and 2.0?

The DoD’s CMMC 2.0 program streamlines the original CMMC framework with a focus on lowering costs and simplifying the program. Key changes include:

  • Lowering the number of CMMC levels from five to three
  • Aligning requirements for the new Level 2 (Advanced) certification with NIST 800-171’s 110 controls (by eliminating the 20 controls that had been added to Level 3 of the original model)
  • Permitting some defense contractors to self-attest to compliance with executive signoff
  • Allowing time-limited POAMs for some low-risk security controls
  • Ensuring Level 3 (Expert) will be based on a subset of NIST SP 800-172

Q: How will bifurcation of CMMC Level 2 (Advanced) contracts work?

The new CMMC Level 2 bifurcates contracts into two categories: prioritized and non-prioritized acquisitions. Companies handling CUI under prioritized contracts must undergo a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) once every three years. Companies handling non-prioritized CUI may perform a self-assessment instead, and must repeat that self-assessment annually.


The DoD’s examples of contracts to illustrate the Level 2 path to self-assessment are designing military uniforms or boots, both of which involve CUI but not sensitive national security information. Examples of Level 2 work that would lead to triennial third-party assessments are developing parts for a weapons system, or for a command and control communications system.

Q: If CUI is bifurcated in Level 2, does this mean there are two types of CUI?

No, the DoD has made clear that they do not plan to create a different class of CUI. Instead, the type of assessment required will be based on the type of defense contract and its level of criticality.

Q: Level 2 (Advanced) will allow organizations handling non-critical CUI to conduct self-assessments. How will the DoD ensure that self-assessments scores submitted to DoD’s Supplier Performance Risk System (SPRS) are accurate?

When CMMC 2.0 is implemented, SPRS scores will need to be signed off by a company executive, who will be held accountable for the validity of the score. Currently, any employee can sign off on the NIST SP 800-171 self-assessment score; that most often falls to IT staff. The consequences of submitting false or inaccurate SPRS scores are severe.

Further, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)—the DoD’s ultimate authority on compliance—has announced plans to increase the size of its audit staff in response to the very clear need to improve compliance and security in the Defense Industrial Base.

The Department of Justice (DoJ), too, is raising the stakes for compliance with federal cybersecurity regulations with its new Civil Cyber-Fraud Initiative to hold contractors accountable for their cybersecurity. DoJ is now utilizing the power of the False Claims Act to help enforce cybersecurity compliance, and is encouraging whistleblowers to come forward. A new DoJ task force will focus on investigating reports of contractors choosing to withhold reports of breaches or that falsify claims of compliance scores.

Q: Will the DoD allow some organizations to get waivers for meeting CMMC? How will this work?

Under CMMC 2.0, DoD intends to allow a limited number of waivers to contractors that exclude CMMC requirements for select mission-critical contracts. The waiver requests will require senior DoD leadership approval and will have a limited duration.

Q: What are the CMMC Level 2 requirements that are not allowed on a POAM?

For CMMC Level 2 certification, you must score at least 88 of 110 points during your initial assessment to be granted conditional status with a POA&M. Critically, you must also meet:

  • All CMMC Level 1 practices
  • All 3-point and 5-point requirements, with one exception: SC.L2-3.13.11 may remain open if it is partially met (encryption is employed but is not FIPS validated), which reduces the SPRS score by 3 points instead of 5
  • The following 1-point requirements:
    • AC.L2-3.1.20 – External Connections (CUI Data)
    • AC.L2-3.1.22 – Control Public Information (CUI Data)
    • PE.L2-3.10.3 – Escort Visitors (CUI Data)
    • PE.L2-3.10.4 – Physical Access Logs (CUI Data)
    • PE.L2-3.10.5 – Manage Physical Access (CUI Data)

If you don't meet these minimums in your first assessment, you'll need to start the entire assessment process over, including paying for a new assessment. This is why many organizations opt for a readiness assessment first to ensure they meet these minimum requirements. Read more in the final rule published in the Federal Register.
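The rules above are easy to misapply by hand, so here is an added example (not code from the original page or from PreVeil) that computes a score in the style of the DoD Assessment Methodology from a list of open deficiencies and reports which of them block conditional Level 2 status. The point values attached to the sample deficiencies (3.13.11 worth 5, 3.5.3 worth 5, 3.1.3 and 3.6.3 worth 1) are my reading of the DoD methodology and should be verified against its current version; the input lists themselves are constructed for illustration.

```python
from dataclasses import dataclass

PERFECT_SCORE = 110          # all 110 NIST SP 800-171 requirements met
MIN_CONDITIONAL_SCORE = 88   # minimum score for conditional status
FIPS_ENCRYPTION = "3.13.11"  # the one requirement with partial credit
# 1-point requirements that still may not be placed on a POA&M
ONE_POINT_MUST_MEET = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
VALID_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Deficiency:
    """One requirement that is not fully met; everything not listed is treated as met."""
    control: str            # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int             # point value from the DoD Assessment Methodology
    partial: bool = False   # only valid for 3.13.11 (non-FIPS encryption in place)


def points_lost(d: Deficiency) -> int:
    """Points deducted for one deficiency, applying the 3.13.11 partial-credit rule."""
    if d.weight not in VALID_WEIGHTS:
        raise ValueError(f"{d.control}: weight must be 1, 3 or 5, got {d.weight}")
    if d.partial:
        if d.control != FIPS_ENCRYPTION:
            raise ValueError(f"{d.control}: partial credit exists only for {FIPS_ENCRYPTION}")
        return 3  # encryption employed but not FIPS validated: lose 3, not 5
    return d.weight


def sprs_score(deficiencies) -> int:
    controls = [d.control for d in deficiencies]
    if len(set(controls)) != len(controls):
        raise ValueError("a requirement may only be listed once")
    return PERFECT_SCORE - sum(points_lost(d) for d in deficiencies)


def conditional_status_blockers(deficiencies) -> list:
    """Reasons this result set cannot receive conditional Level 2 status (empty = eligible)."""
    blockers = []
    score = sprs_score(deficiencies)
    if score < MIN_CONDITIONAL_SCORE:
        blockers.append(f"score {score} is below the {MIN_CONDITIONAL_SCORE}-point minimum")
    for d in deficiencies:
        if d.control in ONE_POINT_MUST_MEET:
            blockers.append(f"{d.control} may not be placed on a POA&M")
        elif points_lost(d) > 1 and not (d.control == FIPS_ENCRYPTION and d.partial):
            blockers.append(f"{d.control} is worth {d.weight} points and must be met")
    return blockers


def poam_allowed(deficiencies) -> bool:
    return not conditional_status_blockers(deficiencies)


# Constructed sample result sets (not real assessment data).
CASE_READY = [          # non-FIPS encryption plus two 1-point gaps: 105, eligible
    Deficiency("3.13.11", 5, partial=True),
    Deficiency("3.1.3", 1),
    Deficiency("3.6.3", 1),
]
CASE_MFA_OPEN = CASE_READY + [Deficiency("3.5.3", 5)]      # 100, but a 5-point gap blocks
CASE_EXTERNAL = [Deficiency("3.1.20", 1)]                    # 109, but 3.1.20 blocks
CASE_LOW = [Deficiency(f"sample-1pt-{i}", 1) for i in range(25)]  # 85, below 88

if __name__ == "__main__":
    for name, case in [("ready", CASE_READY), ("mfa-open", CASE_MFA_OPEN),
                       ("external", CASE_EXTERNAL), ("low", CASE_LOW)]:
        print(name, sprs_score(case), "eligible" if poam_allowed(case) else
              conditional_status_blockers(case))
```

Note that the five listed 1-point requirements are exactly the Level 1 practices that are not already worth 3 or 5 points, so the two checks in `conditional_status_blockers` together enforce the "all Level 1 practices" bullet as well.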

Q: Do defense contractors have 180 days to close POAMs for a contract under CMMC 2.0? When does the clock start on those 180 days?

Yes. Under CMMC 2.0 a defense contractor that receives conditional Level 2 status has 180 days to close out its POA&M. The final CMMC rule (32 CFR 170) starts that clock on the Conditional CMMC Status date, i.e. the date the initial assessment that produced the POA&M was completed, not on contract award. If the POA&M items are not closed out and verified within those 180 days, the conditional status expires and the contractor is no longer eligible for awards that require Level 2.

Q: As a DoD contractor, do I have to comply with FedRAMP standards?

DFARS 7012 requires that any cloud service provider (CSP) used to store, process or transmit CUI meet the security requirements of the FedRAMP Moderate baseline (or equivalent). Most defense contractors are not CSPs themselves; they store federal data with a CSP. So the defense contractor does not need to be FedRAMP authorized, but the CSPs it uses do need to meet that level. Before committing to a CSP, confirm that it stores your data in U.S. data centers in a cloud that is FedRAMP Moderate authorized, or that DoD has accepted as FedRAMP Moderate equivalent.


Questions on Prime Contractor Relationships

Q: What DFARs clauses should I be looking for to see my flow-down requirements?

The key DFARS clauses for CMMC flow-down requirements are 252.204-7012, 7019, 7020, and 7021. Of particular importance is 7021, which addresses the CMMC requirement itself and its flow-down to subcontractors.

Q: Is the CMMC requirement needed at time of order? Or when quoting?

At time of award. While CMMC certification is officially required at the time of contract award rather than during bidding, Prime contractors are increasingly making certification a prerequisite for consideration.

Here’s what JR Williamson, CISO at Leidos said at our CMMC summit:

We do run the risk that we may have a really great supplier that has a perfect solution that fits excellently into our offering to the customer but they are not certified and not going to be certified for another 12-14 months. As a result, we just cannot use them and they’re off the team because we run the risk of not winning if they cannot be certified at the time the award is given.

Q: What are the consequences for my ongoing work for a Prime if I’m not compliant after CMMC goes live?

The consequences of non-compliance can be severe, potentially resulting in contract termination and exclusion from future opportunities. Prime contractors have made it clear that they cannot risk working with non-compliant suppliers once CMMC requirements take effect. This could mean losing both current contracts and future business opportunities within the defense industrial base. See JR’s stance above.


Questions on CMMC Assessment & Costs

Q: Do we need to replace our existing firewall or routers to become CMMC compliant?

It depends on how you scope your compliant environment. However, best practice, according to multiple C3PAOs we’ve interviewed, is to ensure that your firewalls and routers operate in FIPS mode to avoid potential compliance issues due to varying interpretations by different assessors.

If your current firewall or router does not support FIPS mode, you should upgrade to components that do to ensure compliance.

Q: Do you have to do a readiness assessment before you can go for CMMC certification?

No, but you must complete a self-assessment. We do highly recommend readiness assessments as well because failing your official CMMC assessment means starting over, and paying for a new one. A readiness assessment helps identify and address gaps before committing to the formal certification process, potentially saving significant time and money by ensuring you’re fully prepared.

Q: What’s the cost for CMMC Level 2 Audit? Are there resources to help?

CMMC Level 2 certification costs vary based on organization size, complexity, and current security posture. The DoD estimates the cost of preparing for, conducting, and reporting a level 2 assessment at $100,000, but note this doesn’t include documentation, tools, and potential remediation. We’ve identified several ways organizations can optimize their spending and reduce overall certification costs – these strategies are detailed in our CMMC cost-saving guide.

Q: Are there samples available of a responsibility matrix & what information is required from an MSP, ESP, or CSP?

Responsibility matrices are essential for clearly defining security control ownership between your organization and your service providers. These documents state, for each control, which party is responsible for implementing and maintaining it. PreVeil offers assessment-ready, pre-filled documentation, including Service Provider Responsibility Matrices (SRMs). Talk to our sales team for more information.

Q: How do I know if I have met the CMMC requirements for a particular control?

To evaluate compliance with a specific control, use the self-assessment methodology outlined in NIST SP 800-171A. This guide provides testing objectives and assessment procedures to help you determine how well you meet each of the 110 NIST 800-171 controls. Conducting a self-assessment will allow you to identify gaps, assign a score, and gauge overall compliance readiness.

Q: Who can help me achieve CMMC compliance?

Achieving CMMC compliance can be complex, but solutions like PreVeil make the process far more manageable and cost-effective. Our 3 part CMMC solution includes:

  • An encrypted platform for email, file sharing, and storage that meets the requirements of CMMC, DFARS 7012, and ITAR. 
  • Pre-filled, Assessment-ready CMMC documentation
  • Preferred partner network of consultants, MSPs, and assessors

In fact, 35 contractors have used PreVeil to achieve CMMC compliance with perfect 110 scores.

By partnering with PreVeil, organizations can move toward certification quickly and affordably—while ensuring strong data security and compliance confidence.
