
CMMC FAQ for Federal Contractors

CMMC is complicated, and Kahua has been there!

Read on for all of your CMMC FAQs, and get up to speed to prepare for your organization's certification. (You'll need it to continue contracting for the Department of Defense.)

Understanding CMMC Requirements and Timelines

What is CMMC and why is it important for defense construction contractors? 

The Cybersecurity Maturity Model Certification (CMMC) is a framework introduced by the Department of Defense (DoD) to ensure contractors and subcontractors meet specific cybersecurity standards.

Its goal is to safeguard sensitive unclassified information, particularly Controlled Unclassified Information (CUI), from cyber threats.

It is important for construction contractors because CMMC compliance is required to bid on DoD contracts and is necessary to stay competitive as a government contractor. 

What is the deadline to be CMMC certified?  

As of Q3 2025, DoD is finalizing the rulemaking needed to enforce CMMC requirements through its contracting language.  

The acquisition rule (48 CFR), which adds CMMC clauses to DoD contracts, is expected to be published sometime soon, triggering a 60-day countdown to enforcement—probably beginning in Q4 2025.  

Once the CMMC requirement is effective, contractors bidding on DoD work will be required to submit self-assessments for CMMC Levels 1 or 2, depending on the type of data they handle.

Check out our CMMC Resource Center for more info on CMMC Levels.

Organizations that have not yet started preparing risk falling behind, as full CMMC compliance will be phased in over the next two years and become a critical eligibility factor for Defense Industrial Base contracts. 

Which CMMC level will my company need to achieve based on the nature of our federal contracts? 

CMMC features multiple levels of maturity (Levels 1–3 in the latest iteration), each with increasing rigor in cybersecurity controls. The level required depends on the sensitivity of the work being performed, the data handled, and the DoD contract’s security demands.

A prime contractor who is responsible for critical data might need a higher level of compliance than a subcontractor with limited data exposure. 

How does the CMMC ruling change our existing cybersecurity practices and obligations? 

The ruling requires that each company within the DIB formally certify its cybersecurity maturity.

Previously, contractors relied on self-attestation to confirm compliance with standards like NIST SP 800-171. CMMC raises the bar by requiring third-party assessments, ensuring that robust and consistently verified security measures are in place. 

How long does CMMC certification last, and how often do reassessments occur? 

CMMC certifications are typically valid for three years.  

After that, organizations must undergo a reassessment by an accredited third-party assessor (C3PAO) to ensure they continue meeting the necessary cybersecurity standards. Regular internal reviews between reassessments are also recommended to maintain compliance readiness. 

Assessing and Achieving CMMC Compliance

As a defense construction contractor, what steps should we take first to prepare for CMMC Compliance? 

Start with a gap analysis of your current cybersecurity posture, focusing on how well you align with NIST SP 800-171 controls and other relevant frameworks. From there, develop a remediation plan addressing identified gaps, then map out a timeline for implementing best practices. Finally, determine the appropriate CMMC level you need to meet. If you use solutions like Kahua’s cloud-based platform, you can leverage existing FedRAMP-compliant infrastructure to accelerate compliance efforts. 

How do we assess our current cybersecurity posture and identify specific gaps or vulnerabilities? 

A comprehensive internal audit or a third-party evaluation can reveal shortcomings in areas such as access control, incident response, or data protection. Review policies, procedures, and technical safeguards against CMMC requirements. FedRAMP-compliant platforms like Kahua already meet many security standards, potentially reducing your cybersecurity workload and simplifying assessments. 

What is the role of third-party assessors, and when should we engage with them? 

CMMC C3PAOs are authorized to evaluate a contractor’s cybersecurity maturity level. Engaging with a C3PAO early helps identify potential issues before formal assessments begin, giving you time to remediate them. Additionally, working with FedRAMP-authorized solutions like Kahua can streamline many of the controls C3PAOs look for. 

Can my company internally perform a self-assessment before engaging with a C3PAO? 

Yes, performing an internal self-assessment using NIST SP 800-171 guidelines and the official CMMC assessment guides is highly recommended before engaging with a C3PAO. Self-assessments help you identify cybersecurity gaps early, allowing time to address issues prior to the formal CMMC evaluation. 

What happens if our company fails a CMMC assessment?  

If your company doesn't pass the CMMC assessment, you'll receive feedback from the C3PAO outlining the deficiencies. You’ll have a defined period to remediate the identified issues and then schedule a reassessment. Using FedRAMP-authorized platforms like Kahua can streamline remediation by addressing common security controls. 

How do FedRAMP-authorized cloud solutions or other federal standards (e.g., NIST SP 800-171) fit into CMMC compliance?  

FedRAMP and NIST SP 800-171 share many foundational security controls with CMMC. When you adopt a FedRAMP-compliant solution such as Kahua, you inherit built-in security features that align with federal standards. This reduces the number of additional controls you must implement on your own and expedites your journey toward CMMC compliance. 

How does Kahua’s FedRAMP authorization help with CMMC efforts? 

Kahua’s FedRAMP authorization confirms that we meet stringent security controls, many of which overlap with CMMC requirements. This significantly lowers the technical and administrative work you need to undertake to protect CUI and reduces the chance of gaps when you undergo a CMMC assessment. 

We already have a cloud-based project management system. Why consider Kahua for our federal projects?

Kahua is designed for rapid implementation with minimal disruption to your existing workflows. Because our platform is already FedRAMP-authorized, you can immediately benefit from built-in security and compliance features, enabling you to focus on effectively managing your projects rather than worrying about infrastructure and cybersecurity. 

If we’re not currently using any software solution for project management, how quickly can we adopt Kahua to securely manage our data? 

Kahua is designed for rapid implementation with minimal disruption to your existing workflows. Because our platform is already FedRAMP-authorized, you can immediately benefit from built-in security and compliance features, enabling you to focus on effectively managing your projects rather than worrying about infrastructure and cybersecurity. 

Can adopting Kahua guarantee full CMMC compliance for our organization? 

No single tool can guarantee complete compliance.

However, by providing a secure, FedRAMP-authorized platform, Kahua addresses a substantial portion of the technical controls required under CMMC. You’ll still need to implement organizational policies, processes, and training to meet all CMMC standards, but Kahua can significantly reduce your compliance burden. 

Does Kahua integrate with our other systems and processes, even if they aren’t FedRAMP-authorized? 

Yes. Kahua offers flexible integration points to connect with various third-party solutions you may already be using.

While any non-FedRAMP technology will need its own security considerations, Kahua’s secure, FedRAMP-authorized foundation ensures that critical project data remains protected and compliant in our environment. 

What if our existing environment includes other on-premises solutions—will we need to move everything to Kahua? 

Not necessarily. Kahua’s modular and flexible approach allows you to leverage our platform for the aspects of your projects that must align with federal requirements. Over time, you can migrate other processes if it makes sense for your business. Our goal is to enhance security and efficiency, not disrupt your entire ecosystem overnight. 

What advantage does Kahua offer over general-purpose project management platforms? 

Kahua is specifically designed for the construction industry, with tailored features like capital planning, asset management and real-time collaboration. We combine these industry-focused capabilities with the reassurance of FedRAMP authorization, ensuring that sensitive data is handled securely and in compliance with federal standards. 

How soon should we engage Kahua if we’re targeting upcoming DoD projects? 

Engaging early is wise. Getting set up on Kahua’s FedRAMP-authorized platform and aligning your practices with CMMC can take time. By starting the process now, you can position your organization to bid confidently on future DoD opportunities with a secure and compliant environment already in place. 

Is there a way to expedite CMMC compliance if we’re aiming for imminent DoD projects? 

Yes. Adopting FedRAMP-authorized solutions like Kahua can significantly accelerate your compliance timeline. Since Kahua already meets many key CMMC security controls, you’ll spend less time on technical configuration and can quickly position your organization to compete for upcoming DoD projects requiring CMMC certification. 

Managing Subcontractors and Supply Chains

Do we need to ensure our subcontractors also meet CMMC requirements, and how can we manage that? 

Yes. CMMC compliance applies across the entire supply chain within the DIB.

Prime contractors are accountable for ensuring subcontractors meet relevant standards. Clear communication of requirements, shared resources, and tools—like a secure, FedRAMP-compliant platform—can simplify oversight and minimize risk throughout the project lifecycle. 

What responsibilities do prime contractors have regarding their subcontractors' and suppliers' compliance with the CUI program? 

Prime contractors are responsible for ensuring their subcontractors and suppliers adhere to required security practices under the CUI program. To fully understand their obligations, prime contractors should consult Rule 32 CFR Part 117, DoDI 5200.48, and DFARS Clause 252.204-7012. 

How can we verify and monitor our subcontractors' ongoing CMMC compliance? 

Prime contractors should request documented proof of CMMC compliance, such as third-party assessment results or certification details, from their subcontractors.

Regular audits or assessments, contractual clauses clearly outlining compliance expectations, and secure collaborative platforms like Kahua can help you consistently monitor and manage subcontractor compliance throughout your projects. 

What should we do if a subcontractor is unable or unwilling to meet CMMC requirements?  

If a subcontractor is unable or unwilling to meet the necessary CMMC requirements, prime contractors must either engage a different partner or work closely with the subcontractor to bring them into compliance.

Early communication, clear contractual obligations, and secure FedRAMP-authorized platforms like Kahua can simplify the compliance process and minimize supply chain disruptions. 

Costs, Tools, and Government Assistance

What is the expected cost, timeline, and overall impact on our operations to achieve CMMC compliance? 

Costs and timelines vary, depending on the level of cybersecurity maturity you need. Investments may include technology upgrades, consulting fees, staff training, and ongoing assessments.

The impact can be significantly reduced by using existing FedRAMP-compliant platforms like Kahua, which can streamline the implementation of necessary controls.

In the long term, a robust security posture and the ability to compete for federal contracts typically outweigh these upfront compliance costs. 

Are there any government-provided resources or tools that can help us meet these new standards? 

Yes. The DoD’s Office of the Under Secretary of Defense for Acquisition & Sustainment offers guidance and resources, and agencies like NIST provide detailed publications (e.g., NIST SP 800-171). The FedRAMP Marketplace lists authorized solutions—like Kahua—whose security posture is thoroughly vetted by federal standards. 

Will the DoD provide any financial assistance for small businesses aiming for CMMC certification? 

Currently, the DoD does not directly provide financial support for CMMC certification costs.

However, resources such as guidance documents, training materials, and workshops are available to assist small businesses. Contractors can also reduce expenses by adopting FedRAMP-authorized tools like Kahua, which already cover many required cybersecurity controls. 

Handling Controlled Unclassified Information

What is CUI data, and how does it relate to CMMC? 

Controlled Unclassified Information (CUI) refers to sensitive data that is not classified but is still protected by federal regulations. 

In the context of defense construction, CUI can include building plans, infrastructure details, and other project-related information critical to national security.

CUI also includes personally identifiable info, financial records, and critical infrastructure data.

If you are working on defense projects, you MUST comply with CMMC to securely handle CUI data and continue to do business with DoD. 

How is Federal Contract Information different from CUI? 

Federal Contract Information (FCI) refers to any information generated for or provided by the federal government under a contract that isn't intended for public disclosure.

CUI and FCI both involve government-related information. However, FCI includes all non-public information related to federal contracts, while CUI specifically requires additional safeguarding measures and sometimes dissemination restrictions. 

In short, all CUI held by government contractors qualifies as FCI, but not all FCI qualifies as CUI. 

What is the relationship between CUI and CMMC? 

According to the CMMC guidance, the Department of Defense is adopting the CMMC framework to evaluate and strengthen cybersecurity within the DIB. 

CMMC verifies that companies have effective cybersecurity practices to safeguard FCI and CUI in unclassified networks. 

The CMMC initiative is overseen by the Office of the Under Secretary of Defense for Acquisition and Sustainment. 

What are examples of CUI data in the construction industry? 

Some examples in the construction industry are infrastructure design documents, such as detailed schematics for government or military facilities, and site security plans outlining protocols for construction on sensitive federal properties. 

Other examples: Structural vulnerability assessments, which identify potential security weaknesses in government buildings, and specialized specifications for security equipment and materials required in federal contracts.

Additionally, environmental impact studies conducted for construction projects in areas of national security interest or environmentally sensitive locations may also be classified as CUI, thanks to their sensitive content. 

Who is accountable for managing CUI? 

Anyone who generates CUI is responsible for ensuring its proper handling and protection.

Officially, the National Archives and Records Administration (NARA) serves as the executive agent for the CUI program. NARA maintains the federal CUI registry and acts as the primary contact for CUI-related policies within the Executive Branch, while the Defense Counterintelligence and Security Agency (DCSA) handles CUI implementation specifically for the DoD. 

Can corporate intellectual property be considered CUI? 

Corporate intellectual property is generally not considered CUI unless specifically created for or included as part of a government contract requirement.

Examples include information relating to a company's products, financial data, trade secrets, research and development, product designs and performance specifications (current or future), marketing plans or techniques, schematics, client lists, computer programs, or processes, when specifically developed for the DoD.

Additionally, to be categorized as General Proprietary Business Information (a subset of CUI), the data must be clearly identified and marked as proprietary, trade secret, or confidential. It must also be originally developed by the company and be restricted from other sources, including the government or the public. 

Does CUI cover Personally Identifiable Information and HIPAA-related information? 

PII and HIPAA information, including medical data, may have separate, additional legal protection requirements that override or extend beyond standard CUI safeguards.

Companies should consult with their contracting officer representative to understand specific handling requirements for each category of information. 

CUI Marking, Dissemination, and Compliance

Where can you find CUI categories? 

DoD contractors have two primary government-approved resources for CUI categories and organizational indexes: the NARA ISOO National CUI Registry and the DoD CUI Registry.

Owners, employees, and contractors associated with the DoD should first refer to the DoD CUI Registry, since it provides detailed indexes and categories specific to DoD-related CUI. The NARA ISOO Registry covers broader Executive Branch information and should be used for non-DoD-specific contexts. 

What timeline has the DoD set for implementing CUI requirements? 

Protection of CUI under Executive Order 13556 has been required since December 2010.

Government agencies have issued guidance for protecting CUI, and the DoD expects current contracts to already include relevant CUI safeguarding measures, although the reality is that full implementation is still ongoing in many cases. 

If you are unsure about your CUI obligations, consult directly with the responsible government contracting agency. 

Does the DoD follow the same CUI implementation schedule as other agencies? 

No.

While all federal agencies implement CUI requirements under Executive Order 13556, each agency has its own timeline.

Guidance from the DCSA relates specifically to the DoD and might not reflect the policies or timelines of other agencies. Again, consult directly with your respective government contracting activities for agency-specific CUI requirements and timelines. 

How should CUI be marked? 

DoD documents that have CUI must, at minimum, be clearly marked with "CUI" in both the document's banner and footer.

Approved labels for marking CUI-compliant materials can be found in the DoD CUI Marking Guide. The National Industrial Security System (NISS) is an approved system for processing and storing CUI. 

How can CUI be shared? 

Authorized holders can share CUI if it aligns with distribution statements, applicable laws, regulations, and government-wide policies, AND serves a lawful government purpose. 

When should CUI be decontrolled? 

CUI must be promptly decontrolled when it no longer meets the criteria for CUI designation.

Before being released, documents need to be reviewed by the Director of Washington Headquarters Services, according to DoDI 5230.09. 

Who authorizes public release of decontrolled CUI? 

The Director of Washington Headquarters Services reviews and authorizes the public release of documents formerly marked as CUI, in line with DoDI 5230.09. 

What are legacy materials, and do they need to be re-marked as CUI? 

Legacy materials are documents that were marked FOUO, SBU, or similar designations before the CUI program's implementation, but that now meet CUI criteria.

These documents don't need immediate remarking unless the information is reused, restated, or paraphrased in new documents. In those cases, new materials derived from legacy information must use current CUI marking standards, per DoDI 5200.48. However, legacy materials that are not disseminated outside the DoD do not require remarking. 

How can we determine if a contract involves CUI? 

The government agency issuing a contract is responsible for identifying applicable CUI requirements in the DD254, RFQ, RFP, or related contract documents.

For existing contracts, review your agreements and consult directly with your government contracting agency to clarify if CUI requirements apply, and how to comply. Additionally, FAR 52.204-2 and NISPOM 4-103 mandate that the government issue a DD254 whenever classified information access is required in a bid, RFP, or RFQ. 

How can we prepare for CUI requirements even if current contracts don't require them? 

Companies without current CUI-related contracts should still inventory existing legacy information and become familiar with CUI policies and procedures for future engagements.

Be aware that unclassified interactions with the DoD could involve handling FCI or CUI, outside of classified contracts. Since contractors often have FCI, you'll need to meet relevant CMMC requirements. 

What are self-inspection requirements regarding CUI? 

DCSA is updating the Self-Inspection Handbook to specifically address CUI requirements for industry partners. The "Self-Inspection Handbook for NISP Contractors" was originally published in June 2021.

DCSA also has a "CUI Self-Inspection Tool for DoD and Industry," with requirements to establish a standard CUI program, identify gaps, and address vulnerabilities.

Whew!

There's a lot to know about achieving CMMC compliance, but it is necessary to stay competitive and for the safety of your customers' data.

Check out the resources in our comprehensive round-up, Everything Owners and GCs Need to Know about Contracting for the Federal Government!