Question 1

What is CMMC Level 2?

Accepted Answer

CMMC Level 2 is the Cybersecurity Maturity Model Certification level required for Defense Industrial Base contractors handling Controlled Unclassified Information (CUI). It requires implementation of all 110 security practices from NIST SP 800-171 Rev. 2 and validation through a formal assessment by a certified C3PAO (CMMC Third-Party Assessment Organization).

Question 2

What is required for NIST SP 800-171 compliance?

Accepted Answer

NIST SP 800-171 compliance requires implementation of 110 security requirements across 14 control families to protect Controlled Unclassified Information (CUI) in non-federal systems. Organizations must develop a System Security Plan (SSP), implement technical and administrative controls, document evidence, and submit a Supplier Performance Risk System (SPRS) score to demonstrate compliance.

Question 3

How is an SPRS score calculated?

Accepted Answer

The Supplier Performance Risk System (SPRS) score is calculated based on implementation of the 110 NIST SP 800-171 requirements. Each requirement has a point value (1, 3, or 5 points). Organizations self-assess their implementation status and submit scores through the SPRS portal. The maximum score is 110 points, representing full compliance. Scores below 110 require a Plan of Action and Milestones (POA&M) documenting remediation timelines.

Question 4

How long does CMMC implementation take?

Accepted Answer

CMMC Level 2 implementation timelines vary based on organization size, existing security posture, and resource availability. Small to mid-sized Defense Industrial Base contractors typically require 6-18 months for full implementation, including gap assessment, policy development, technical control deployment, evidence collection, and assessment preparation.

Question 5

Do Texas DIB contractors require CMMC certification?

Accepted Answer

Yes, Defense Industrial Base contractors in Texas handling Controlled Unclassified Information (CUI) under Department of Defense contracts are required to achieve CMMC Level 2 certification. This applies to prime contractors and subcontractors throughout the supply chain.

Question 6

What is the difference between CMMC and NIST 800-171?

Accepted Answer

NIST SP 800-171 is the foundational security standard defining 110 requirements for protecting CUI. CMMC Level 2 operationalizes these requirements through a formal certification program requiring third-party assessment. While NIST 800-171 allows self-assessment and SPRS score submission, CMMC Level 2 mandates independent validation by a C3PAO assessor.

Operational Cybersecurity.

Assessment-Ready Compliance.

Structured Governance Across
the Compliance Lifecycle

11th Hour Training Solutions

11th Hour Consulting

11th Hour Assurance Group

Built on Industry Standards

Defense Industrial Base Focus

Defense Contractors

Manufacturers

IT & MSPs

Government Suppliers

Higher Education

Ready to Achieve Assessment Readiness?