This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.
It is meant as quick reference material for day-to-day use of the product.
CMMC
Are all companies providing services to my organization considered ESPs for CMMC scoping?
Not necessarily. Cloud-based services such as human resource and accounting SaaS applications typically do not contribute to the security of the OSA’s environment, process or store SPD, or process, store, or transmit CUI.
Are classified assets included in the scope of the CMMC Program?
No, the scope of the CMMC Program does not include classified assets, even if they contain applicable Controlled Unclassified Information (CUI).
Are IoT and OT devices in scope for CMMC Level 1?
No. Internet of Things (IoT), Industrial IoT, and Operational Technology (OT) are considered specialized assets and are not part of the Level 1 assessment.
Are Microsoft Intune or SentinelOne viable options for organizations working toward CMMC compliance?
Yes. Both Microsoft Intune and SentinelOne are FedRAMP-authorized solutions, which means they can be viable options for meeting CMMC requirements—similar to NinjaOne.
However, the “best” choice depends on your broader environment:
Device Types: Intune is strongest in Windows environments; macOS support is more limited and can be harder to manage.
Admin Experience: Many admins report that Intune is complex to configure and maintain.
Tech Stack Alignment: Your cloud provider (e.g., Azure, AWS, GCP) and existing security tools often dictate which MDM/EDR solution integrates most smoothly.
Feature Coverage: All three—Intune, SentinelOne, and NinjaOne—can support required CMMC controls, but the ease of deploying policies, enforcing baselines, and reporting varies.
If you’re comparing tools specifically for CMMC readiness, NinjaOne is often the simplest option for mixed OS environments and for organizations that need quicker onboarding. Intune and SentinelOne remain viable but may require more administrative overhead depending on your stack.
Are Specialized Assets part of the CMMC Assessment Scope?
Yes, Specialized Assets are part of the CMMC Assessment Scope.
Are there any CMMC assessment requirements for Out-of-Scope Assets?
No, there are none.
Can a dormant division be included in a CMMC audit, or does it need to be reassessed once it becomes active again?
Yes, a dormant division can be included in a CMMC assessment, provided certain conditions are met.
If the division currently has no active employees but is expected to operate under the same systems, services, and processes used by the parent organization for handling CUI (for example, the same VDI environment, GCC High, identity management, and security controls), it may be included within the parent organization’s scope.
In this case:
The division should be explicitly documented in the CMMC scope and System Security Plan (SSP).
The SSP should clearly describe the division’s status (dormant), historical handling of CUI, and the shared services and controls it will rely on if reactivated.
However, if the division later becomes active and:
Uses different systems, tools, or processes for handling CUI (for example, moving from VDI to endpoint-based solutions like NinjaOne), or
Introduces new infrastructure, workflows, or personnel that were not previously assessed,
then a reassessment or scope update would be required to ensure continued CMMC compliance.
In short:
Including the dormant division in scope is appropriate if it aligns with the parent organization’s assessed environment, but any material change in how CUI is handled would trigger the need for reassessment.
Can a Level 2 self-assessment result in a CMMC certification?
No, a self-assessment cannot result in a certification.
Can my organization define a specific enclave for its CMMC Assessment Scope, separate from the broader enterprise network?
Yes, satisfaction of CMMC security requirements may be accomplished by people, processes, or technologies which apply to the entire OSA enterprise, but this does not mean all enterprise assets are automatically in scope. Systems within a defined assessment scope (enclave) can use centrally deployed tools.
Can you tell me about CMMC Maturity levels?
If an organization works with the DoD, either directly or as a subcontractor, and handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), the organization will need to comply with CMMC. The specific CMMC level required will depend on the type of information the organization handles and the requirements outlined in the DoD contracts the organization is involved with.
Three CMMC Levels:
Level 1: The 17 basic safeguarding practices derived from FAR 52.204-21 (a subset of NIST SP 800-171 Rev. 2); applies to organizations that handle Federal Contract Information (FCI).
Secureframe supports Level 1 compliance.
Level 2: Aligns with NIST SP 800-171 Rev. 2, can be required depending on contract or if CUI or more sensitive federal data is involved.
Secureframe currently supports Level 2 with an important caveat:
If the client handles CUI, that data cannot be brought into Secureframe, because the Secureframe platform is not an environment authorized to store or process CUI.
Level 3: Aligns with Level 2 + a subset of NIST SP 800-172; the most stringent of the 3 levels.
Level 3 carries the same CUI restriction as Level 2. Secureframe plans to add Level 3 support in a future release.
Do CMMC waivers apply to an entire company?
No. CMMC waivers apply only to a specific contract. They do not give a company a permanent or blanket exemption from CMMC requirements.
Do operational changes within an existing CMMC Assessment Scope require a new assessment?
No. Operational changes within a CMMC Assessment Scope, such as adding or removing resources inside the existing assessment boundary in accordance with the existing SSP, do not require a new assessment; they are covered by the annual affirmation of continuing compliance.
Does a CMMC waiver mean security requirements go away?
No. Even with a waiver, contractors must still comply with DFARS 252.204-7012, NIST SP 800-171, and other baseline cybersecurity requirements. The waiver only delays the certification requirement, not the obligation to protect Controlled Unclassified Information (CUI).
Does a waiver remove the need to become CMMC certified later?
No. Contracts issued with a waiver will still include a deadline to achieve CMMC certification. The waiver is temporary and does not eliminate the requirement to become certified.
Does an organization need to submit a CMMC self-assessment to anyone once completed?
Yes. The self-assessment results and score are submitted to the Supplier Performance Risk System (SPRS), together with the affirmation of compliance.
Does CMMC require an audit?
Level 1 is a self-assessment (comparable to a PCI SAQ), repeated annually. Level 2 is either a self-assessment or a C3PAO certification assessment, depending on what the contract requires; both are valid for three years with an annual affirmation of continuing compliance. Level 3 requires a government-led (DCMA DIBCAC) assessment every three years, on top of a Level 2 certification.
Does physical paper CUI for CMMC always need to be accessed in secure locations, such as when employees need to bring printed plans onto government vessels?
Physical CUI requires physical protections, but how they are applied becomes more nuanced in environments such as shipyards or government vessels. Where CUI is printed in an office and carried onto a vessel, physical safeguards must cover the whole path: sign-out tracking and asset identification numbers account for which copies are out, but whether additional controls such as locked transport containers are needed on top of the protections already in place on the vessel is not settled by the guidance. Best practice is to digitize the CUI and access it through a CUI-approved system rather than transporting paper outside approved locations. Whether a given physical transport practice counts as a finding depends on the specific protections in place and should be reviewed with your assessor.
Does Secureframe support CPCSC (the Canadian equivalent of CMMC)? — Q4 2025
At this time, Secureframe does not have CPCSC on our upcoming framework roadmap. However, organizations pursuing CPCSC can still move forward by using Secureframe’s Custom Framework capabilities to map requirements, upload evidence, and track compliance progress internally.
Does the CMMC Scoping Guide Level 2 document have the force and effect of law?
No, the contents of this document do not have the force and effect of law and are not meant to bind the public in any way.
How CMMC relates to other frameworks?
CMMC is based on NIST SP 800-171 Rev. 2, which is itself derived from NIST SP 800-53.
All CMMC requirements therefore come from NIST 800-171 (and, through it, NIST 800-53). Many are common controls, such as access control and incident response, that also appear in SOC 2, ISO 27001, HIPAA, PCI DSS and other frameworks.
In terms of difficulty, CMMC Level 2 is harder than SOC 2 or ISO 27001 but not as demanding as FedRAMP.
An organization that fully meets SOC 2 is typically only around 50-60% of the way to CMMC Level 2.
C3PAOs are authorized only to conduct CMMC assessments; that authorization does not extend to any other framework.
CMMC requires submissions to SPRS. The only other framework with an SPRS requirement is NIST 800-171 itself (the DoD Assessment score under DFARS 252.204-7019/7020); no other framework uses SPRS.
How does CMMC affect organization and data scope?
Organizations must determine if they handle CUI and where it is located in their systems to ensure compliance with CMMC requirements.
How does CMMC compare to other frameworks?
CMMC is based on NIST 800-171 and NIST 800-53. It shares many controls with frameworks like SOC 2, ISO 27001, and HIPAA but is more stringent than SOC 2 and ISO 27001 while being less rigorous than FedRAMP.
How is CMMC different than NIST 800-171?
CMMC is based on NIST 800-171 but is a distinct program. CMMC verifies that contractors have implemented NIST 800-171 requirements. Different DFARS clauses govern each: DFARS 252.204-7021 for CMMC and DFARS 252.204-7012 for NIST SP 800-171.
How often are CMMC assessments required?
Level 2 and Level 3 assessments are valid for three years; the Level 1 self-assessment is repeated annually. All levels also require an annual affirmation of continuing compliance in SPRS.
How should hardened hosts and Docker containers be treated within a CMMC / NIST 800-171 system boundary?
When Docker containers run on a hardened host (such as a STIG-hardened Rocky Linux system), the recommended approach is to define a single system boundary that includes both the host and the container(s), treating the container as a component within that boundary rather than a separate system.
Controls are generally split across two layers:
Inherited from the hardened host: Physical/logical access controls (AC family), OS-level audit logging (AU family) if container logs are forwarded to the host audit system, identification and authentication at the SSH/OS layer, and configuration management baselines for the host OS itself.
Must be addressed independently at the container layer: Image minimization and hardening (CM-6, CM-7), image vulnerability scanning and signing (SI-2, SI-7, RA-5), privilege controls within the container such as running as non-root (AC-3, AC-6), and container-level logging if not aggregated to the host audit pipeline (AU-2, AU-12). The identifiers above are NIST SP 800-53 controls; when documenting in the SSP, map each to the corresponding NIST SP 800-171 requirement (for example, AC-6 to 3.1.5, CM-7 to 3.4.6, AU-2/AU-12 to 3.3.1), since CMMC Level 2 is assessed against the 800-171 numbering.
Your System Security Plan (SSP) should explicitly document which controls are satisfied at the host layer, which are satisfied at the container layer, and which require both together. A data flow diagram showing where CUI touches the container workload is also strongly recommended for assessors.
Note: Secureframe's compliance SMEs can help identify which CMMC requirements apply to your container environment, but configuration-level implementation decisions (e.g., specific Docker hardening steps) are the responsibility of your engineering and security teams.
If a client was to complete CMMC level 2, would this cover CMMC level 1 as well?
Yes, CMMC Level 2 includes all the requirements of Level 1.
If a Docker container is part of a CUI boundary, does it need to meet all 110 CMMC Level 2 requirements?
Yes. If a container processes, stores, or transmits CUI, it falls within your CMMC assessment boundary and all 110 NIST SP 800-171 requirements apply to it. This includes container-specific considerations such as image hardening, vulnerability scanning, non-root execution, and log forwarding to the host audit system.
If a container only processes non-CUI data (for example, publicly available datasets used for model training), your scope may be narrower. Either way, this determination should be explicitly documented in your SSP and reviewed with your C3PAO or assessor to avoid scope disputes during assessment.
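The container-layer controls listed above and the scope question just answered both come down to a small set of verifiable runtime settings. As an added example (not code from Secureframe, Docker, or the original page), the following Python script reads the relevant fields of a `docker inspect` record and reports which container-layer controls a workload fails. The two sample records are constructed, the registry name is hypothetical, and the check list is this editor's mapping of the controls above onto Docker settings, not an official CMMC assessment procedure.

```python
"""Container-layer control checks for a CMMC / NIST SP 800-171 boundary.

Added example (not Secureframe's or Docker's code). It reads the fields of a
`docker inspect` record that correspond to the container-layer controls
discussed above and reports which ones a container fails. The two records at
the bottom are constructed to look like `docker inspect` output; they were
not captured from a real host, and the registry name is hypothetical.
"""

from typing import Any

# Log drivers that hand container stdout/stderr to the host's logging pipeline
# (journald/syslog) or to a remote collector. "json-file" and "local" keep logs
# inside the Docker data root; "none" discards them entirely.
HOST_FORWARDING_LOG_DRIVERS = {"journald", "syslog", "fluentd", "gelf", "splunk", "awslogs"}


def check_container(record: dict[str, Any]) -> list[str]:
    """Return finding codes for one `docker inspect` record; [] means all checks passed."""
    findings: list[str] = []
    cfg = record.get("Config") or {}
    host = record.get("HostConfig") or {}

    # AC-3 / AC-6 (800-171 3.1.5, least privilege): the process must not run as root.
    # Docker defaults to root when Config.User is empty; "0" and "root" are root too.
    user = str(cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs-as-root")

    # AC-6: privileged mode, added capabilities, or a mounted Docker socket
    # all give the workload control over the host and break the host/container split.
    if host.get("Privileged"):
        findings.append("privileged")
    for cap in host.get("CapAdd") or []:
        findings.append(f"extra-capability:{cap}")
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("docker-socket-mounted")

    # CM-7 (800-171 3.4.6, least functionality): a read-only root filesystem keeps the
    # running container identical to the scanned image.
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")

    # SI-7 / RA-5: pinning by digest ties the running container to the exact image that
    # was scanned and signed. Signature verification itself (e.g. with cosign) happens at
    # admission time and is outside this check.
    if "@sha256:" not in str(cfg.get("Image") or ""):
        findings.append("image-not-pinned-by-digest")

    # AU-2 / AU-12 (800-171 3.3.1): logs must reach the host audit pipeline or a collector.
    log_driver = (host.get("LogConfig") or {}).get("Type") or "json-file"
    if log_driver not in HOST_FORWARDING_LOG_DRIVERS:
        findings.append(f"logs-not-forwarded:{log_driver}")

    return findings


def report(records: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each container name to its findings, for inclusion as SSP evidence."""
    return {rec.get("Name", "?").lstrip("/"): check_container(rec) for rec in records}


# Constructed sample records (subset of `docker inspect` fields). One is a typical
# default-settings deployment, the other the hardened configuration the SSP should describe.
CONSTRUCTED_INSPECT: list[dict[str, Any]] = [
    {
        "Name": "/cui-etl",
        "Config": {"User": "", "Image": "registry.example.internal/cui-etl:latest"},
        "HostConfig": {
            "Privileged": True,
            "ReadonlyRootfs": False,
            "CapAdd": ["SYS_ADMIN"],
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
            "LogConfig": {"Type": "json-file", "Config": {}},
        },
    },
    {
        "Name": "/cui-etl-hardened",
        "Config": {
            "User": "10001:10001",
            "Image": "registry.example.internal/cui-etl@sha256:" + "a" * 64,
        },
        "HostConfig": {
            "Privileged": False,
            "ReadonlyRootfs": True,
            "CapAdd": None,
            "CapDrop": ["ALL"],
            "Binds": ["/srv/cui/in:/data:ro"],
            "LogConfig": {"Type": "journald", "Config": {}},
        },
    },
]

if __name__ == "__main__":
    for name, findings in report(CONSTRUCTED_INSPECT).items():
        print(f"{name}: {'PASS' if not findings else ', '.join(findings)}")
```

On a real host, feed it the JSON list that `docker inspect $(docker ps -q)` prints. Each finding corresponds to one of the container-layer rows in the SSP control allocation, and a clean result for every CUI container is the kind of evidence an assessor will ask to see. It does not replace image vulnerability scanning or signature verification, which remain separate steps in the pipeline.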
If I use an ESP purely for staff augmentation where my organization provides all processes, technology, and facilities, does the ESP need CMMC assessment?
No, an ESP that is used as staff augmentation and the OSA provides all processes, technology, and facilities does not need CMMC assessment.
If my ESP is *not* a CSP and does *not* handle CUI, does it require its own CMMC assessment?
No, ESPs that are not a CSP, and do NOT store, process, or transmit CUI, do not require their own CMMC assessment. However, services provided by the ESP are in the OSA’s assessment scope.
If my organization intends to seek a CMMC Status of Final Level 3 (DIBCAC), what scoping guidance should I also consider?
If the intent is to obtain a CMMC Status of Final Level 3 (DIBCAC), the Organization Seeking Certification (OSC) should also consider the guidance provided in the CMMC Scoping Guide – Level 3 document.
If my organization processes both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the same CMMC Assessment Scope, does a Level 2 assessment satisfy Level 1 requirements?
Yes, a Level 2 self-assessment or Level 2 certification assessment satisfies the Level 1 self-assessment requirements for the same CMMC Assessment Scope. If FCI is processed, stored, or transmitted within the same scope as CUI in the Level 2 scope, then the methods to implement the Level 2 security requirements apply towards meeting the Level 1 assessment objectives.
If my organization uses a SIEM, is the SIEM itself considered in scope for the CMMC assessment?
Yes. A SIEM that monitors or protects in-scope assets is a Security Protection Asset (SPA) and is part of the assessment scope.
Is an SSP required for CMMC level 1?
It is recommended to develop a System Security Plan (SSP) as a best practice at Level 1, but it is not required for a self-assessment.
Is my normal device (laptop/workstation) in scope for CMMC when using a VDI?
No, provided the VDI client is configured so that no CUI can reach the endpoint. CMMC scoping guidance treats an endpoint hosting a VDI client as an Out-of-Scope Asset only when the client is configured to allow nothing beyond keyboard, video and mouse to pass to it: clipboard transfer, file download, local printing and local drive mapping must all be disabled. If any of those paths is open, CUI can be processed or stored on the endpoint and the device becomes a CUI Asset. Document the VDI client configuration that enforces this in the SSP, because the assessor will check it.
Is a POA&M required for CMMC Level 1?
No, a Plan of Action and Milestones (POA&M) is not permitted for CMMC Level 1 compliance.
Is the storage location for SIEM logs (both hot and cold storage) considered part of the CMMC Assessment Scope?
Yes. SIEM logs in hot storage (co-located with the SPA) are in scope, and so are the method and location of cold storage (typically offline or in cloud storage); both fall within the OSA's assessment scope.
Tell me about CMMC scoping and what customers should consider when onboarding?
Scoping is more critical in CMMC than in any other framework: data and asset categorization must be completed and verified before an assessment can begin.
vCISO services are recommended for customers pursuing CMMC Level 2 and above.
Under what condition might a Contractor Risk Managed Asset (CRMA) be assessed against other CMMC security requirements beyond an SSP review?
If the OSA’s risk-based security policies, procedures, and practices documentation for CRMAs in the SSP is insufficient, or if other findings raise questions about these assets, the assessor can conduct a limited check against CMMC security requirements to identify deficiencies.
What are CMMC audit requirements?
Level 1 requires only an annual self-assessment (comparable to a PCI SAQ). Level 2 requires either a self-assessment or a C3PAO certification assessment, as specified by the contract, on a three-year cycle with annual affirmations. Level 3 requires a government-led (DCMA DIBCAC) assessment every three years.
What are Internet of Things (IoT) or Industrial Internet of Things (IIoT) devices according to the CMMC guide?
They are the network of devices containing hardware, software, firmware, and actuators allowing connection, interaction, and free exchange of data. They are interconnected, uniquely identifiable devices with physical/virtual representation, sensing/actuation, and programmability features (as defined in NIST SP 800-172A). Examples include smart electric grids, lighting, HVAC, and detectors.
What are NFO controls as it relates to CMMC?
NFO (Non-Federal Organization) controls are the NIST SP 800-53 controls that NIST SP 800-171 Rev. 2 Appendix E tailors out of the requirement set because nonfederal organizations are expected to satisfy them routinely without being told to (policies, procedures, and similar baseline practices). They are not among the 110 assessed requirements, but organizations are expected to have them in place.
What are Restricted Information Systems according to the CMMC guide?
These are systems (and associated IT components) configured based on government security requirements (i.e., connected to support a functional requirement) and used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas).
What are the audit requirements for CMMC?
CMMC Level 1 does not require an audit, some Level 2 organizations can self-attest, but others handling CUI require a C3PAO assessment every three years, and Level 3 requires a government-led assessment every three years.
What are the CMMC assessment requirements for CUI Assets?
CUI Assets must be prepared to be assessed against, and will be assessed against, all CMMC Level 2 security requirements.
What are the CMMC assessment requirements for Security Protection Assets?
Security Protection Assets must be prepared to be assessed against, and will be assessed against, Level 2 security requirements that are relevant to the capabilities they provide.
What are the CMMC assessment requirements for Specialized Assets?
The CMMC assessment requirement for Specialized Assets is a review of the SSP; they are not assessed against other CMMC security requirements.
What are the differences between CMMC levels?
CMMC levels differ in the type and scope of security controls. Level 1 is focused on basic practices for Federal Contract Information (FCI), while Levels 2 and 3 are more advanced and cover Controlled Unclassified Information (CUI), with Level 3 being the most comprehensive.
What are the keywords and Terminology to know for CMMC?
Key terms include FCI (Federal Contract Information), CUI (Controlled Unclassified Information), C3PAO (Certified Third-Party Assessor Organization), and SPRS (Supplier Performance Risk System).
What are the risk of being non-compliant with CMMC?
Non-compliant organizations risk losing DoD contracts and subcontracts, and the business that depends on them.
If two or more organizations are competing for a DoD or other federal contract, the one that is CMMC compliant is likely to win the award.
DFARS 252.204-7012 requires safeguarding of covered defense information (CDI) and controlled unclassified information (CUI). An organization working on a federal contract or handling CDI or CUI without meeting those obligations is out of compliance with DoD regulations and exposed to potential fines, penalties, or other disciplinary action.
What are the three levels of CMMC?
CMMC Level 1 focuses on FCI with basic security requirements, Level 2 addresses CUI with more stringent security, and Level 3 adds even more advanced security for highly sensitive data.
What are the Variations and types of CMMC?
CMMC has three levels: Level 1 (17 requirements), Level 2 (110 requirements), and Level 3 (134 requirements including additional NIST 800-172 controls).
What are “specialized assets” in CMMC Level 1?
Specialized assets are those that could process, store, or transmit FCI but cannot be fully secured. They are not assessed in Level 1. Examples include:
Government Furnished Equipment (GFE)
Internet of Things (IoT) / Industrial IoT devices
Operational Technology (OT), including SCADA
Restricted Information Systems
Test Equipment
What asset categories are included in the Level 2 CMMC Assessment Scope?
The Level 2 CMMC Assessment Scope includes CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets.
What assets are out of scope for a CMMC Level 1 self-assessment?
Assets that do not process, store, or transmit FCI are out of scope and are not part of the assessment.
What CMMC compliance policies, checklists, or other downloadable documents do you offer?
We offer many free documents.
All documents and templates are free to download, courtesy of the team at Secureframe. We're committed to bringing you the most comprehensive CMMC 2.0 news and resources, plus expert guidance to help you navigate certification and follow best practices.
Get policy templates, readiness checklists, and more tools to simplify your CMMC 2.0 certification: [https://www.cmmc.com/resources](https://www.cmmc.com/resources)
What defines a Contractor Risk Managed Asset (CRMA) for CMMC Level 2 scoping?
A Contractor Risk Managed Asset (CRMA) is an asset that can, but is not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place.
What defines a CUI Asset for CMMC Level 2 scoping?
A CUI Asset is an asset that processes, stores, or transmits Controlled Unclassified Information (CUI).
What defines a Security Protection Asset for CMMC Level 2 scoping?
A Security Protection Asset is an asset that provides security functions or capabilities to the OSA’s CMMC Assessment Scope.
What defines a Specialized Asset for CMMC Level 2 scoping?
A Specialized Asset is an asset that can process, store, or transmit CUI but is unable to be fully secured.
What defines an Out-of-Scope Asset for CMMC Level 2 scoping?
An Out-of-Scope Asset is an asset that cannot process, store, or transmit CUI; does not provide security protections for CUI Assets; and is physically or logically separated from CUI assets.
What do I need to know when scoping for CMMC compliance?
CMMC scoping begins with identifying your required level (1, 2, or 3). If pursuing Level 2 and storing Controlled Unclassified Information (CUI), do not store it in Secureframe, and consult your C3PAO or vCISO. Secureframe supports CMMC Level 1 and 2 (non-CUI), with Level 3 requiring special review.
What does the CMMC Assessment Scope define?
The CMMC Assessment Scope defines which assets within the OSA’s environment will be assessed and the details of the assessment.
What guidance does CMMC follow for effective separation?
Effective separation for CMMC follows the guidance in NIST SP 800-171 Rev 2.
What happens if an organization is non-compliant with CMMC?
Non-compliance can result in loss of contracts with the DoD, reduced business opportunities, and potential security vulnerabilities.
What is a CMMC Registered Practitioner (RP)?
Individuals trained in CMMC preparation and consulting. Secureframe employs 15+ certified RPs.
What is a CMMC Registered Provider Organization (RPO)?
Companies authorized by Cyber AB to provide pre-assessment consulting for CMMC. Secureframe is an RPO; competitors are not.
What is a CMMC waiver?
A CMMC waiver is a temporary exception granted by the Department of Defense (DoD) for a specific contract, not for an entire company. It allows a contractor to proceed without CMMC certification only when the DoD determines there are not enough certified vendors available to fulfill that contract.
What is an enduring exception in CMMC?
The "enduring exception" referenced in the CMMC Level 2 final rule is a concept introduced by the Department of Defense (DoD) to handle situations where certain security requirements cannot be fully implemented due to technical or mission-based limitations — but the risk is mitigated through alternative measures.
Secureframe doesn't yet include a dedicated 'enduring exception' template, but customers can track these within their SSP or upload a custom exception record using our documentation tools. We're monitoring DoD guidance closely and plan to align our platform to support enduring exception workflows where applicable.
What is CMMC 2.0? What are the differences?
CMMC 2.0 is the revised version of CMMC. It has 3 levels, compared to 5 in CMMC 1.0. CMMC 2.0 drops 20 security requirements and aligns with NIST SP 800-171’s 110 security controls. Level 2 certification indicates an organization can securely store and share CUI.
What is Government Furnished Equipment (GFE) according to the CMMC guide?
GFE is all equipment owned or leased by the government, and includes OSA-acquired equipment that is based on government required specifications and/or configurations. It does not include intellectual property or software [Reference: FAR 52.245-1].
What is Operational Technology (OT) according to the CMMC guide?
OT means programmable systems or devices interacting with the physical environment (or managing devices that do), detecting or causing direct change through monitoring or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms [Source: NIST SP 800-160v2 Rev 1]. It specifically includes SCADA.
What is Test Equipment according to the CMMC guide?
Test Equipment means hardware and/or associated IT components used in the testing of products, system components, and contract deliverables (e.g., oscilloscopes, spectrum analyzers, power meters, and special test equipment).
What is the CMMC framework?
CMMC is a framework designed for organizations working with the Department of Defense (DoD) or subcontractors, vendors, and suppliers dealing with the DoD.
What is the CMMC Level 1 assessment scope?
For a Level 1 self-assessment, the scope includes all assets that process, store, or transmit Federal Contract Information (FCI). These assets are assessed against all Level 1 requirements. There is no documentation requirement for in-scope, out-of-scope, or specialized assets.
What is the CMMC Level 2 self-assessment process in between 3-year certification cycles?
Between C3PAO certification cycles, the organization submits an annual affirmation of continuing compliance in SPRS; there is no requirement to conduct a full self-assessment or resubmit the SSP during that period. The full third-party assessment with a C3PAO recurs only once every three years to renew the certification.
To submit in SPRS you need a PIEE account, your CAGE code, and (for self-assessments) your calculated score. DISA's quick entry guide is at https://www.sprs.csd.disa.mil/pdf/CMMCL2SelfQuickEntryGuide.pdf. If you have additional questions about the submission process, your C3PAO can provide further guidance.
What is the difference between NIST, CMMC, and FedRAMP?
NIST is the National Institute of Standards and Technology, a U.S. federal agency that develops the security frameworks, standards, and criteria that apply to organizations working with the federal government. CMMC is specifically for companies working with the DoD, and FedRAMP is for Cloud Service Providers (CSPs) working with the federal government.
What is the distribution statement for the CMMC Scoping Guide Level 2 document (Version 2.13)?
The distribution statement is "[DISTRIBUTION STATEMENT A] Approved for public release."
What is the DoD identifier for this CMMC Scoping Guide?
The identifier is DoD-CIO-00006 (ZRIN 0790-ZA22).
What is the overlap between CMMC Level 1 and SOC 2 in Secureframe?
CMMC Level 1 focuses on 17 basic cyber hygiene practices derived from FAR 52.204-21, including areas like access control, media protection, and physical security.
SOC 2, governed by the AICPA, encompasses five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Security criterion is mandatory, while the others are optional based on organizational needs.
There is a notable overlap between the two frameworks, particularly in the following areas:
Access Control: Both require mechanisms to ensure only authorized individuals access systems and data.
System Monitoring and Logging: Monitoring user activities and maintaining logs are essential for detecting and responding to incidents.
Physical Security: Protecting physical access to systems and data centers is a shared concern.
Incident Response: Both frameworks emphasize the importance of having a plan to respond to security incidents.
Secureframe facilitates this overlap by mapping controls across frameworks, enabling organizations to implement a unified set of controls that satisfy multiple compliance requirements.
What is the overlap between CMMC/NIST 800-171 and NIST 800-53?
All controls in CMMC/NIST 800-171 are part of NIST 800-53, but not vice versa. CMMC/NIST 800-171 covers around half of the controls in NIST 800-53.
What is the primary CMMC assessment requirement for Contractor Risk Managed Assets (CRMAs)?
The primary assessment requirement for Contractor Risk Managed Assets (CRMAs) is a review of the System Security Plan (SSP). If sufficiently documented, they are not assessed against other CMMC security requirements, except as noted.
What is the purpose of using separation techniques in system architecture for CMMC?
Separation is a system architecture design concept that can provide physical/logical isolation of assets that process, transmit, or store CUI from assets not involved with CUI. By separating assets, the CMMC Assessment Scope can be limited.
What is the stated purpose of the CMMC Scoping Guide Level 2 document?
This document is intended only to provide clarity to the public regarding existing CMMC requirements under the law or departmental policies.
What is the version number and date of this CMMC Scoping Guide for Level 2?
This is Version 2.13, dated September 2024.
What level of CMMC compliance should customers consider?
DoD contractors and MSP / service providers should already know which level of compliance they need.
Level 1 - Only FCI (Federal Contract Information) is handled. Self-assessment.
Very low lift: 17 requirements.
Level 2 - CUI or SPD is handled. Self-assessment (low-risk contracts) or third-party C3PAO audit (the likely case).
All 110 requirements from NIST SP 800-171 Rev. 2.
Level 3 - High-risk contracts; organizations that need Level 3 will know it.
An additional 24 requirements selected from NIST SP 800-172.
What needs to be defined in CMMC scoping?
Define your desired level (1, 2, or 3), whether CUI is processed, and if an external party like a C3PAO is needed for clarification.
What preparation is required for Out-of-Scope Assets regarding a CMMC assessment?
The Organization Seeking Assessment (OSA) must be prepared to justify the inability of an Out-of-Scope Asset to store, process, or transmit CUI.
What Secureframe integrations help streamline compliance for frameworks like CMMC and FedRAMP, and which integrations should be considered or are recommended specifically when working on CMMC compliance?
Currently, we offer our customers two key integrations that help streamline compliance for both CMMC and FedRAMP: AWS GovCloud and Microsoft Azure Government.
These integrations allow you to connect and continuously sync resources from Government Cloud environments, as well as commercial cloud instances. This is especially valuable because CMMC and FedRAMP require strict controls and visibility into system configurations, resource inventories, and access management—often across highly regulated environments.
By integrating your government cloud infrastructure directly with Secureframe, you can automatically collect evidence, monitor for compliance gaps, and maintain real-time visibility into your cloud posture. This reduces the need for manual evidence gathering, speeds up audit readiness, and ensures you're always aligned with the rigorous requirements of these federal frameworks.
What specific regulation does this guide provide scoping guidance for regarding CMMC Level 2?
This guide provides scoping guidance for Level 2 of the Cybersecurity Maturity Model Certification (CMMC) as set forth in section 170.19 of title 32, Code of Federal Regulations (CFR).
What’s the bottom line on CMMC waivers?
CMMC waivers are a narrow, temporary exception that apply only at the contract level when certified bidders are scarce. They do not remove core security obligations and do not replace certification as the industry standard. Companies serious about DoD work should pursue CMMC certification, not waiver chasing.
When is a new CMMC assessment required after an initial one?
A new assessment is required if there are significant architectural or boundary changes to the previous CMMC Assessment Scope. Examples include, but are not limited to, expansions of networks or mergers and acquisitions.
When is an External Service Provider (ESP) considered within my organization's CMMC scope?
An External Service Provider (ESP) can be within the OSA’s scope of CMMC requirements if it meets CUI Asset and/or Security Protection Asset criteria. Specifically, data (CUI or Security Protection Data) must reside on the ESP assets as set forth in 32 CFR § 170.19(c)(2).
When must an Organization Seeking Assessment (OSA) specify the CMMC Assessment Scope?
The OSA must specify the CMMC Assessment Scope prior to conducting a CMMC assessment, as defined in 32 CFR § 170.19(c).
Where can I find more details on the CMMC Model itself?
More details on the CMMC Model can be found in the CMMC Model Overview document.
Where can I find scoping guidance for a CMMC Level 1 self-assessment?
Guidance for scoping a Level 1 self-assessment can be found in the CMMC Scoping Guide – Level 1 document.
Where can I find scoping guidance for a CMMC Level 3 certification assessment?
Guidance for scoping a Level 3 certification assessment can be found in the CMMC Scoping Guide – Level 3 document.
Who is the Governing Body of CMMC?
The governing body for CMMC is the Department of Defense (DoD).
Who is the intended audience for the CMMC Scoping Guide – Level 2?
The intended audience includes Organizations Seeking Assessment (OSAs) conducting a Level 2 self-assessment, Organizations Seeking Certification (OSCs) obtaining a Level 2 certification assessment, and the professionals or companies supporting them.
Who needs CMMC compliance?
Any vendors, contractors, or companies that wish to work with the Department of Defense (DoD) must comply with CMMC.
Who/What does CMMC apply to?
CMMC applies to DoD contractors, subcontractors, and any organization handling controlled unclassified information (CUI) or federal contract information (FCI).
Why do CMMC Level 2 and NIST SP 800-171 Rev. 3 appear misaligned or structured differently in Secureframe?
This is expected behavior. Secureframe breaks out CMMC Level 2 controls into granular assessment objectives ([a], [b], [c]) because CMMC Level 2 is based on NIST SP 800-171 Rev. 2 and requires objective-level clarity.
NIST SP 800-171 Rev. 3, however, is implemented at the high-level requirement only (e.g., 3.1.1). The assessment objectives are included in the control description, but they are not broken out as separate sub-controls.
Why do organizations need CMMC compliance?
CMMC ensures that organizations working with the DoD follow strict cybersecurity measures to protect sensitive government data.
Why is CMMC scoping important?
Scoping is crucial for identifying where CUI is stored, ensuring that necessary security controls are in place, and preventing unnecessary compliance efforts.
Within an enclave, who determines which CMMC requirements are met locally versus inherited from the enterprise?
Within the enclave, the OSA determines which requirements are implemented and which requirements are inherited; all requirements must be MET.
DFARS, NIST 800-171, and CUI
Are Contractor Risk Managed Assets (CRMAs) required to be physically or logically separated from CUI assets?
No, Contractor Risk Managed Assets (CRMAs) are not required to be physically or logically separated from CUI assets.
Can an asset that falls into an in-scope category (CUI, SPA, CRMA, Specialized) be considered an Out-of-Scope Asset?
No, an asset that falls into any in-scope asset category cannot be considered an Out-of-Scope Asset.
Can I still populate my SSP in an assessment-objective-aligned way for NIST SP 800-171 Rev. 3?
Yes. While Rev. 3 assessment objectives are not separated in the UI, all required information is present. The controls and mapped tests are intended to collectively cover all listed assessment objectives under each high-level requirement. You can document objective-level detail within the control description or evidence notes, even though Secureframe does not currently support breaking Rev. 3 into individual [a], [b], [c] controls.
Can I use Secureframe if some of my 800-171 responsibilities are handled by a third-party enclave provider like Prevail?
Yes. You can still use Secureframe for training, policies, device-level controls, and other framework requirements outside of your enclave. While Secureframe does not currently integrate with Prevail, you can upload documentation provided by Prevail into the Vendor Access or SSP module. Manual control mapping may still be required unless you build a custom integration (Complete plan only).
Can my organization choose to have CRMAs assessed as CUI Assets during the Level 2 certification assessment?
Yes, Organizations Seeking Certification (OSCs) may choose to designate Contractor Risk Managed Assets (CRMAs) as CUI Assets for the Level 2 certification assessment and have them assessed by a C3PAO.
Can you give me a brief description of CUI (Controlled Unclassified Information)?
Sensitive information that isn’t classified but requires protection as defined by law or regulation (e.g., personal data, export control info). Must be protected under NIST 800-171.
Do I need to embed every CUI Asset in my System Security Plan (SSP)?
No, there is no requirement to embed each CUI asset in the System Security Plan (SSP), but you must document the treatment of these assets in the SSP.
Do you know what type of data you carry or process: FCI or CUI?
If FCI → You’ll need CMMC Level 1.
If CUI → You’ll need to be at least CMMC Level 2 compliant.
Does NIST 800-171 require an audit?
No. Customers can pay auditors for an attestation, but audits are not required.
How do I scope NIST 800-53 or 800-171?
Ensure the correct level (Low, Moderate, or High) is selected. For 800-171, confirm whether Revision 2 or 3 is needed.
How does FISMA relate to NIST 800-171?
FISMA is tied to NIST SP 800-53 and applies to government agencies and the contractors working with those agencies, whereas NIST SP 800-171 is specific to DoD contractors.
How is "Process" defined in the context of CUI Assets?
"Process" means CUI can be used by an asset (e.g., accessed, entered, edited, generated, manipulated, or printed).
How is "Store" defined in the context of CUI Assets?
"Store" means CUI is inactive or at rest on an asset (e.g., located on electronic media, in system component memory, or in physical format such as paper documents).
How is "Transmit" defined in the context of CUI Assets?
"Transmit" means CUI is being transferred from one asset to another asset (e.g., data in transit using physical or digital transport methods).
If my ESP is *not* a CSP but stores, processes, or transmits CUI, is an assessment required?
Yes, ESPs that are not a CSP, and store, process, or transmit CUI, require assessment. The ESP services used to meet OSA requirements are within the scope of the OSA’s CMMC assessment.
If my ESP is a Cloud Service Provider (CSP) that stores, processes, or transmits CUI, what additional requirement must it meet?
ESPs that are CSPs, and store, process, or transmit CUI, must meet the FedRAMP requirements in DFARS clause 252.204-7012.
If my organization handles Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in completely separate environments (different assessment scopes), how are assessments handled?
If FCI and CUI do not share an environment, the two assessments (Level 1 for FCI, Level 2 for CUI) would be conducted independently, and methods to implement security requirements in one scope would not apply to the other scope.
What are the documentation requirements for CUI Assets for an Organization Seeking Assessment (OSA)?
For CUI Assets, the OSA must document them in the asset inventory, document their treatment in the System Security Plan (SSP), and document them in the network diagram of the CMMC Assessment Scope.
What if CUI needs to move from the enclave to manufacturing equipment on a factory floor?
Any system that touches CUI outside the enclave enters CMMC scope and is subject to audit. A valid approach is a dedicated broker server with encryption, FIPS-compliant controls, and strong authentication — with that endpoint explicitly scoped into the audit boundary. Customers planning this should engage Secureframe's engineering team early to scope it properly.
What is Controlled Unclassified Information (CUI)?
A category of unclassified information within the U.S. Federal government and the main data type protected under CMMC.
What is the difference between NIST 800-53 and 800-171?
NIST 800-53 is a comprehensive framework for federal information systems, while NIST 800-171 is specifically for protecting Controlled Unclassified Information (CUI) in nonfederal systems working with the Department of Defense.
Where should we store CUI?
Any files containing CUI should be stored in a secure system authorized for CUI — typically in line with DFARS 7012 / CMMC Level 2 requirements.
FedRAMP
Can a FedRAMP authorized system use non-FedRAMP authorized vendors and/or services?
Technically, no. If a FedRAMP-authorized system uses a non-FedRAMP-authorized service, it must accept an SA-9 (external services) finding for using a non-FedRAMP-compliant system or service.
Does an ESP that is a CSP but does *not* handle CUI need to meet FedRAMP requirements under DFARS 252.204-7012?
No, ESPs that are CSPs and do NOT store, process, or transmit CUI are not required to meet FedRAMP requirements in DFARS clause 252.204-7012. However, services provided by the ESP are in the OSA’s assessment scope.
How do I scope FedRAMP?
Ensure the correct impact level (Low, Moderate, or High) is selected and confirm agency sponsorship status.
How does FedRAMP compare to other frameworks?
FedRAMP is more rigorous than SOC 2 and ISO 27001 and is often required before engaging with federal agencies, making it one of the most comprehensive security frameworks.
Is GovCloud required for FedRAMP authorization?
GovCloud is required for FedRAMP High, but not for FedRAMP Moderate or Low. However, many organizations pursuing FedRAMP Moderate use it either because they want to or are asked to.
What are the latest updates to FedRAMP compliance requirements?
FedRAMP has recently introduced several significant updates to enhance the security and efficiency of cloud services used by federal agencies. Here's an overview of the latest developments:
1. Introduction of FedRAMP 20x Framework
In March 2025, FedRAMP unveiled the FedRAMP 20x framework, a cloud-native authorization process designed for annual updates to adapt to evolving security needs. This initiative aims to streamline compliance, reduce bureaucracy, and promote private-sector innovation in cloud security solutions. The traditional Agency Authorization process remains active, ensuring continuity for ongoing and planned authorizations.
2. Draft Authorization Boundary Guidance
In January 2025, FedRAMP released new draft guidance on defining authorization boundaries for cloud service offerings. This guidance clarifies which systems and data fall within the FedRAMP boundary, emphasizing the inclusion of all services handling federal information or impacting its confidentiality, integrity, or availability. Public comments were solicited to refine this guidance, indicating a collaborative approach to policy development.
3. Transition to NIST SP 800-53 Revision 5
FedRAMP has updated its documentation and templates to align with NIST Special Publication 800-53, Revision 5. This transition reflects changes in control baselines and introduces new requirements, ensuring that FedRAMP's security standards remain current with the latest federal guidelines.
4. Executive Order on AI and Cybersecurity
In January 2025, President Biden signed an executive order aimed at enhancing federal cybersecurity through the use of artificial intelligence (AI). The order includes provisions for the Federal Risk and Authorization Management Program (FedRAMP) to develop policies that encourage cloud service providers to implement robust security measures, particularly when handling federal data.
5. FedRAMP Roadmap Release
In March 2024, FedRAMP released a strategic roadmap outlining goals to improve customer experience, provide cybersecurity leadership, scale the FedRAMP marketplace, and adopt technology-forward operations. Initiatives include simplifying processes for cloud providers, enhancing security expectations, and developing APIs for digital authorization packages.
These updates demonstrate FedRAMP's commitment to evolving its processes and policies to address the dynamic landscape of cloud security and federal requirements.
What are the non-compliance consequences for FedRAMP?
Non-compliance can result in inability to work with federal agencies, security vulnerabilities, and loss of business opportunities.
What is the audit process for FedRAMP?
FedRAMP compliance involves extensive security controls, continuous monitoring, and third-party audits by authorized assessment organizations.
What is the framework for FedRAMP?
FedRAMP is a compliance framework required for cloud service providers working with U.S. federal agencies to ensure secure cloud environments.
What is the typical preparation time for FedRAMP compliance through Secureframe?
Achieving FedRAMP compliance is a complex, resource-heavy process—but Secureframe helps accelerate and simplify it through automation, expert support, and a structured approach.
✅ With Secureframe: Most organizations reach FedRAMP readiness in 9–12 months
⏳ Without automation: It typically takes 18+ months to prepare manually
🧰 Secureframe provides pre-built templates, automated control mapping, continuous monitoring tools, and policy generation to eliminate manual lift
🤝 Customers are supported every step of the way by a dedicated Customer Success Manager and Compliance Manager with FedRAMP expertise
📈 Existing security maturity helps: If you’re already SOC 2 or ISO 27001 compliant, you’re often further along than you think
Using a platform like Secureframe means you're not starting from scratch—and you don’t have to do it alone. We make it easier to meet FedRAMP requirements with confidence and hit your goals faster.
What resources are available for FedRAMP compliance?
Resources for FedRAMP compliance include Secureframe’s compliance management tools, policy templates, automated control monitoring, and framework mapping guides.
What should I consider when scoping for FedRAMP compliance?
Scoping for FedRAMP requires choosing the correct baseline: Low, Moderate, or High. You must have a sponsoring U.S. government agency to pursue authorization. Ask your CSM about the new FedRAMP 20x pilot program if you’re targeting Low authorization faster.
While some FedRAMP controls do overlap with SOC 2 (for example, around control environment and risk management in CC3), Secureframe keeps framework requirements distinct, even when overlap exists, so controls don’t automatically clear across SOC 2 and FedRAMP.
Here’s why:
Different Framework Requirements: Even when two frameworks share similar language, they often have different levels of rigor, scope, and evidence expectations. For example, a SOC 2 CC3 control may be satisfied by a written policy, while FedRAMP could additionally require a system security plan (SSP) entry, implementation evidence, and periodic review.
Auditor Interpretation: Each framework has its own audit methodology, and what passes for SOC 2 may not meet a FedRAMP auditor’s threshold.
Customer Control: By not auto-clearing, Secureframe ensures you explicitly review each requirement for the framework in question, giving you confidence that you’re truly meeting FedRAMP’s expectations.
In short, overlap doesn’t mean equivalence. Secureframe surfaces each framework individually so you can decide if evidence truly meets FedRAMP, rather than assuming SOC 2 coverage is enough.
Why do organizations need FedRAMP compliance?
Organizations need FedRAMP to provide cloud services to federal agencies and ensure that government data is protected.
Additional customer questions
What is a POA&M? (Plan of Action & Milestones)
A POA&M is a federal risk register used for NIST 800-53, CMMC, NIST 800-171, and FedRAMP, containing findings, risks, and vulnerabilities. It’s required for certain compliance efforts. Secureframe provides a template for this.
Where can I view my monthly bill as an MSSP?
As a Secureframe Partner (MSSP), billing details and invoices are not displayed directly in the platform. For any questions about payments, invoices, or monthly billing statements, please contact our Partnerships team at partners@secureframe.com and they’ll be able to assist you.
What are the prerequisites to access the Audit and Accountability (AU) Procedures in the policies section?
The prerequisite is that the customer has at least one of our Federal frameworks enabled. These include:
NIST 800-53
NIST 800-171
NIST CSF
CJIS
CMMC
TX-Ramp
FedRamp
GovRamp
For more information on our framework offering, visit https://support.secureframe.com/hc/en-us/articles/34396857648403-Secureframe-Framework-offering
Can you provide a list of case studies for review?
Secureframe features several case studies highlighting how various companies have benefited from its compliance automation platform. Here are some notable examples:
Coda – Achieved SOC 2 compliance and is pursuing HIPAA to unlock larger deals.
https://secureframe.com/customers/coda
PerkUp – Shortened their sales cycle by 2–3 weeks after getting SOC 2 compliant.
https://secureframe.com/customers/perkup
Kinectify – Got SOC 2 Type I in 3 months and spent just 5 hours preparing for Type II.
https://secureframe.com/customers/kinectify
Formsort – Completed the compliance process quickly and sped up their sales cycle.
https://secureframe.com/customers/formsort
Osmos – Reduced time to compliance and enhanced their security posture.
https://secureframe.com/customers/osmos
Roadie – Saved a year on SOC 2 using Secureframe’s platform.
https://secureframe.com/customers/roadie
Troops – Achieved SOC 2 compliance to meet strict security requirements of HR clients.
https://secureframe.com/customers/troops
Haystack – Leveraged Secureframe’s integrations to obtain SOC 2, ISO 27001, and ISO 27701 certifications.
https://secureframe.com/customers/haystack
Wealth – Achieved SOC 2 compliance in just over six months, reducing strain on the team and boosting customer trust.
https://secureframe.com/customers/wealth
Abmatic AI – Achieved SOC 2 compliance in just six days and unblocked two deals.
https://secureframe.com/customers/abmatic-ai
rready – Achieved ISO 27001 certification 5x faster and expanded in a competitive global market.
https://secureframe.com/customers/rready
Adyton – Streamlined NIST 800-53 compliance, resulting in 50-70% time savings.
https://secureframe.com/customers/adyton
Arbor Education – Streamlined multi-framework compliance across multiple business units.
https://secureframe.com/customers/arbor-education
Bruin – Set up their security and compliance program 4x faster.
https://secureframe.com/customers/bruin
Open Assessment Technologies – Obtained ISO 27001 compliance, won three multi-million dollar contracts, and secured future growth.
https://secureframe.com/customers/open-assessment-technologies
Optify – Saved hundreds of hours and gained new business by achieving SOC 2 compliance with Secureframe’s expert guidance.
https://secureframe.com/customers/optify
You can browse more customer stories here:
https://secureframe.com/customers
If we already have NIST SP 800-53 aligned policies (from TX-RAMP), do we need to replace them with Secureframe’s template policies?
No — if you already have comprehensive, NIST 800-53 aligned policies, those will typically suffice for SOC 2, which is more flexible. You can either continue using your existing policies or choose to adopt Secureframe’s templates if you prefer. The key is ensuring that the relevant content (such as acceptable use, access control, etc.) is covered in your policy set.
What is Security Protection Data (SPD)?
Data type stored by SPAs in support of CMMC; Secureframe falls under this category.
Can an ESP be part of my own company structure (e.g., a central IT group)?
Yes, ESPs can be part of the same corporate/organizational structure but still be external to the OSA, such as a centralized SOC or NOC which supports multiple business units. The same requirements apply based on whether the ESP provides cloud services and handles CUI.
If my organization uses enterprise-wide tools (like anti-malware managed by central IT) that support systems within my CMMC Assessment Scope, does this automatically bring the entire enterprise IT group into scope?
No, this does not mean all assets across the entire OSA enterprise are automatically part of a CMMC Assessment Scope. For example, the anti-malware tool, the people maintaining it, related processes/policies, and supporting systems (e.g., management server) could be in scope, but other functions performed by enterprise IT and other enterprise assets would not automatically be part of the scope.
Can you give me a brief description of C3PAO (Certified Third-Party Assessor Organization)?
An organization authorized by the Cyber AB to conduct official CMMC assessments of defense contractors handling FCI or CUI.
What are the constraints on the "limited check" an assessor might perform on Contractor Risk Managed Assets (CRMAs)?
The limited check(s) on CRMAs shall not materially increase the assessment duration nor the assessment cost and will be assessed against CMMC security requirements.
What is a Certified Third Party Assessor Organization (C3PAO)?
Certified assessor organizations such as Coalfire, ALIGN, Schellman, and ControlCase authorized to conduct CMMC assessments. (Note: 3PAO refers specifically to FedRAMP.)
What will an assessor review regarding Specialized Assets?
An assessor will review the SSP to verify that specialized assets are managed using the OSA’s risk-based information security policy, procedures, and practices, and accounted for within the OSA’s CMMC Assessment Scope.
Will the assessor retain a copy of my System Security Plan (SSP)?
No, the assessor will not retain a copy of the SSP.