[{"data":1,"prerenderedAt":6150},["ShallowReactive",2],{"framework-topics-cmmc":3,"framework-cmmc":3208,"related-glossary-nist-audit-grc":3706,"explore-glossary-cmmc-\u002Fframeworks\u002Fcmmc\u002Fself-assessment-vs-third-party":3928,"explore-topics-cmmc-\u002Fframeworks\u002Fcmmc\u002Fself-assessment-vs-third-party":4719,"explore-hub-cmmc":5300,"explore-compare-vs-\u002Fframeworks\u002Fcmmc\u002Fself-assessment-vs-third-party":5582,"explore-compare-\u002Fframeworks\u002Fcmmc\u002Fself-assessment-vs-third-party":5748,"explore-blog-cmmc-\u002Fframeworks\u002Fcmmc\u002Fself-assessment-vs-third-party":5868,"explore-industry-cmmc":6066},[4,424,910,1241,1603,1960,2296,2601,2925],{"id":5,"title":6,"body":7,"description":404,"extension":405,"faq":406,"frameworkSlug":407,"lastUpdated":408,"meta":409,"navigation":410,"path":411,"relatedTerms":412,"relatedTopics":415,"seo":419,"stem":422,"__hash__":423},"frameworkTopics\u002F5.frameworks\u002Fcmmc\u002Fassessment-process.md","CMMC Assessment Process",{"type":8,"value":9,"toc":383},"minimark",[10,15,19,24,27,33,67,70,74,77,81,146,150,153,158,166,170,173,177,181,184,188,191,213,228,232,235,239,242,262,266,302,306,309,323,327,330,368,372],[11,12,14],"h2",{"id":13},"cmmc-assessment-types","CMMC assessment types",[16,17,18],"p",{},"CMMC 2.0 uses three assessment types that correspond to the certification levels. The assessment type for your organization is determined by the CMMC level specified in your contract.",[20,21,23],"h3",{"id":22},"self-assessment-level-1-and-level-2","Self-assessment (Level 1 and Level 2)",[16,25,26],{},"Self-assessments are conducted internally by the organization. 
They are required for all Level 1 certifications and for Level 2 certifications on contracts involving less sensitive CUI.",[16,28,29],{},[30,31,32],"strong",{},"How it works:",[34,35,36,43,49,55,61],"ol",{},[37,38,39,42],"li",{},[30,40,41],{},"Scope your environment"," — identify the systems, people, and processes that handle FCI (Level 1) or CUI (Level 2) within the assessment boundary.",[37,44,45,48],{},[30,46,47],{},"Evaluate each practice"," — assess whether your organization meets each required practice using the DoD Assessment Methodology.",[37,50,51,54],{},[30,52,53],{},"Calculate your score"," — Level 1 is pass\u002Ffail across 17 practices. Level 2 uses a scoring methodology based on 110 objectives, starting at 110 and subtracting points for unmet requirements.",[37,56,57,60],{},[30,58,59],{},"Submit to SPRS"," — enter your assessment score into the Supplier Performance Risk System.",[37,62,63,66],{},[30,64,65],{},"Affirm annually"," — a senior official must sign an annual affirmation confirming continued compliance.",[16,68,69],{},"Self-assessments must be conducted with the same rigor as third-party assessments. The DoD reserves the right to audit self-assessment scores, and material misrepresentation can result in False Claims Act liability.",[20,71,73],{"id":72},"c3pao-assessment-level-2","C3PAO assessment (Level 2)",[16,75,76],{},"Third-party assessments are conducted by CMMC Third-Party Assessment Organizations (C3PAOs) accredited by the Cyber AB (formerly the CMMC Accreditation Body). They are required for Level 2 certifications on contracts involving more sensitive CUI or critical programs.",[16,78,79],{},[30,80,32],{},[34,82,83,89,95,101,107,113,140],{},[37,84,85,88],{},[30,86,87],{},"Select a C3PAO"," — choose from the list of accredited C3PAOs published by the Cyber AB. 
The C3PAO assigns certified CMMC assessors to your engagement.",[37,90,91,94],{},[30,92,93],{},"Pre-assessment readiness review"," (optional but recommended) — many C3PAOs offer a readiness review to identify gaps before the formal assessment begins.",[37,96,97,100],{},[30,98,99],{},"Assessment planning"," — the C3PAO works with your organization to define scope, schedule, and logistics. This includes identifying assessment boundaries, CUI data flows, and inherited controls.",[37,102,103,106],{},[30,104,105],{},"Evidence collection and review"," — assessors review your System Security Plan (SSP), policies, procedures, and evidence artifacts. This typically takes two to four weeks depending on scope.",[37,108,109,112],{},[30,110,111],{},"On-site or virtual assessment"," — assessors interview personnel, observe processes, and test controls. Most assessments include both documentation review and interactive sessions.",[37,114,115,118,119],{},[30,116,117],{},"Scoring and findings"," — the C3PAO scores each of the 110 objectives and documents any deficiencies. You receive one of three results:\n",[120,121,122,128,134],"ul",{},[37,123,124,127],{},[30,125,126],{},"Met"," — all 110 objectives satisfied. Full certification issued.",[37,129,130,133],{},[30,131,132],{},"Conditional"," — score of 88 or above with documented POA&M items. Conditional certification issued with a 180-day remediation window.",[37,135,136,139],{},[30,137,138],{},"Not met"," — score below 88. No certification issued. You must remediate and re-engage the C3PAO.",[37,141,142,145],{},[30,143,144],{},"Certification validity"," — a full or conditional certification is valid for three years with annual affirmation of continued compliance.",[20,147,149],{"id":148},"dibcac-assessment-level-3","DIBCAC assessment (Level 3)",[16,151,152],{},"Government-led assessments are conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). 
They are required for Level 3 certifications.",[16,154,155],{},[30,156,157],{},"Prerequisites:",[120,159,160,163],{},[37,161,162],{},"A valid Level 2 C3PAO certification must be in place before a Level 3 assessment can begin",[37,164,165],{},"The organization must demonstrate compliance with all 110 NIST SP 800-171 requirements plus the 24 selected NIST SP 800-172 enhanced requirements",[16,167,168],{},[30,169,32],{},[16,171,172],{},"DIBCAC assessments follow a similar structure to C3PAO assessments but are conducted by government assessors with additional focus on advanced threat scenarios, penetration-resistant architecture, and operational resilience. The assessment scope, timeline, and logistics are coordinated directly with DIBCAC.",[11,174,176],{"id":175},"scoring-methodology","Scoring methodology",[20,178,180],{"id":179},"level-1-scoring","Level 1 scoring",[16,182,183],{},"Level 1 uses a simple pass\u002Ffail model. All 17 practices must be met. There is no partial scoring or POA&M allowance for Level 1.",[20,185,187],{"id":186},"level-2-scoring","Level 2 scoring",[16,189,190],{},"The DoD Assessment Methodology for Level 2 evaluates 110 objectives (one per NIST SP 800-171 requirement). Scoring starts at 110 and subtracts points for each unmet objective:",[120,192,193,200,210],{},[37,194,195,196,199],{},"Most objectives subtract ",[30,197,198],{},"1 point"," if not met",[37,201,202,203,206,207],{},"Some higher-impact objectives subtract ",[30,204,205],{},"3 points"," or ",[30,208,209],{},"5 points",[37,211,212],{},"The specific point values are defined in the NIST SP 800-171A assessment objectives",[16,214,215,216,219,220,223,224,227],{},"A score of ",[30,217,218],{},"110"," means all requirements are met. A score of ",[30,221,222],{},"88 or above"," (with POA&M) qualifies for conditional certification. 
A score ",[30,225,226],{},"below 88"," does not qualify for any certification.",[20,229,231],{"id":230},"level-3-scoring","Level 3 scoring",[16,233,234],{},"Level 3 scoring evaluates the 24 enhanced requirements from NIST SP 800-172 in addition to the Level 2 baseline. The scoring methodology is determined by DIBCAC and follows government assessment procedures.",[11,236,238],{"id":237},"plan-of-action-and-milestones-poam","Plan of Action and Milestones (POA&M)",[16,240,241],{},"A POA&M documents security requirements that are not yet fully met and the organization's plan to remediate them. Under CMMC 2.0:",[120,243,244,250,256],{},[37,245,246,249],{},[30,247,248],{},"Level 1"," does not allow POA&Ms — all 17 practices must be met",[37,251,252,255],{},[30,253,254],{},"Level 2"," allows POA&Ms for conditional certification if the score is 88 or above",[37,257,258,261],{},[30,259,260],{},"Level 3"," allows limited POA&Ms under DIBCAC discretion",[20,263,265],{"id":264},"poam-rules-for-level-2","POA&M rules for Level 2",[120,267,268,275,282,289,292,299],{},[37,269,270,271,274],{},"Maximum of ",[30,272,273],{},"22 unmet objectives"," (score of 88+)",[37,276,277,278,281],{},"Certain critical requirements ",[30,279,280],{},"cannot"," be placed on a POA&M regardless of score",[37,283,284,285,288],{},"All POA&M items must be ",[30,286,287],{},"closed within 180 days"," of the conditional certification date",[37,290,291],{},"A C3PAO must verify POA&M closure through a close-out assessment",[37,293,294,295,298],{},"Failure to close POA&M items within 180 days ",[30,296,297],{},"revokes"," the conditional certification",[37,300,301],{},"The organization must then undergo a new full assessment",[20,303,305],{"id":304},"what-cannot-go-on-a-poam","What cannot go on a POA&M",[16,307,308],{},"The DoD has identified specific high-impact requirements that cannot be deferred via POA&M. 
These typically include:",[120,310,311,314,317,320],{},[37,312,313],{},"Multifactor authentication requirements",[37,315,316],{},"FIPS-validated encryption requirements",[37,318,319],{},"Requirements related to incident reporting to the DoD",[37,321,322],{},"Other requirements designated by the DoD as non-deferrable",[11,324,326],{"id":325},"preparing-for-your-assessment","Preparing for your assessment",[16,328,329],{},"Regardless of assessment type, preparation follows a similar pattern:",[34,331,332,338,344,350,356,362],{},[37,333,334,337],{},[30,335,336],{},"Define your CUI boundary"," — identify where CUI enters, flows through, and is stored in your environment. This defines your assessment scope.",[37,339,340,343],{},[30,341,342],{},"Complete your SSP"," — document every NIST SP 800-171 requirement with your implementation status, responsible parties, and evidence.",[37,345,346,349],{},[30,347,348],{},"Conduct a gap analysis"," — compare your current controls against all required practices and identify shortfalls.",[37,351,352,355],{},[30,353,354],{},"Remediate or document"," — close gaps where possible. For remaining gaps, create POA&M items with realistic remediation timelines.",[37,357,358,361],{},[30,359,360],{},"Organize evidence"," — collect and catalog evidence artifacts (screenshots, configs, policies, logs) mapped to each requirement.",[37,363,364,367],{},[30,365,366],{},"Perform a mock assessment"," — walk through the assessment process internally or with a consultant to identify weaknesses.",[11,369,371],{"id":370},"how-episki-helps","How episki helps",[16,373,374,375,382],{},"episki automates the heaviest parts of assessment preparation. The platform generates a pre-mapped SSP template aligned to NIST SP 800-171, tracks your SPRS score in real time as you close gaps, and organizes evidence by control family. POA&M items are tracked with 180-day countdown timers and assigned owners. 
When your C3PAO arrives, they get a scoped portal with everything organized by assessment objective — reducing assessment time and back-and-forth. ",[376,377,381],"a",{"href":378,"rel":379},"https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",[380],"nofollow","Start a free trial"," to see your current assessment readiness.",{"title":384,"searchDepth":385,"depth":385,"links":386},"",2,[387,393,398,402,403],{"id":13,"depth":385,"text":14,"children":388},[389,391,392],{"id":22,"depth":390,"text":23},3,{"id":72,"depth":390,"text":73},{"id":148,"depth":390,"text":149},{"id":175,"depth":385,"text":176,"children":394},[395,396,397],{"id":179,"depth":390,"text":180},{"id":186,"depth":390,"text":187},{"id":230,"depth":390,"text":231},{"id":237,"depth":385,"text":238,"children":399},[400,401],{"id":264,"depth":390,"text":265},{"id":304,"depth":390,"text":305},{"id":325,"depth":385,"text":326},{"id":370,"depth":385,"text":371},"How CMMC assessments work — self-assessments, C3PAO third-party assessments, and DIBCAC government-led assessments including scoring, POA&Ms, and conditional certification.","md",null,"cmmc","2026-04-16",{},true,"\u002Fframeworks\u002Fcmmc\u002Fassessment-process",[407,413,414],"grc","audit",[416,417,418],"levels","nist-800-171-mapping","who-needs-cmmc",{"title":420,"description":421},"CMMC Assessment Process — Self-Assessment, C3PAO, and DIBCAC Guide","Step-by-step guide to CMMC assessment types, scoring methodology, POA&M requirements, and what to expect during a C3PAO or DIBCAC assessment.","5.frameworks\u002Fcmmc\u002Fassessment-process","yKDypkTFwQoLdWiTOACXalnWiwTYLKu-4YYu3A5uDlU",{"id":425,"title":426,"body":427,"description":881,"extension":405,"faq":882,"frameworkSlug":407,"lastUpdated":408,"meta":896,"navigation":410,"path":897,"relatedTerms":898,"relatedTopics":903,"seo":905,"stem":908,"__hash__":909},"frameworkTopics\u002F5.frameworks\u002Fcmmc\u002Fcui-handling.md","CUI Handling Under 
CMMC",{"type":8,"value":428,"toc":862},[429,433,436,439,443,446,450,453,458,472,478,482,491,494,535,540,544,547,551,554,589,592,596,599,631,635,638,682,685,689,692,736,740,743,775,779,786,789,793,796,799,803,853,855],[11,430,432],{"id":431},"cui-is-the-center-of-gravity-for-cmmc","CUI is the center of gravity for CMMC",[16,434,435],{},"CMMC exists because of CUI. The entire program — CMMC Level 2 requirements, CMMC Level 3 enhanced controls, DFARS 252.204-7012, NIST SP 800-171 — is built to protect Controlled Unclassified Information as it flows through the defense industrial base. Get CUI handling right and most of your CMMC obligations fall into place. Get it wrong and you fail assessments, miss contract awards, or worse, leak sensitive information that nation-state adversaries spend careers trying to collect.",[16,437,438],{},"This page walks through how to identify CUI, how to mark it, how to handle it, and how to scope your systems so CMMC assessors can see exactly where CUI lives in your environment.",[11,440,442],{"id":441},"fci-vs-cui-the-bright-line","FCI vs CUI: the bright line",[16,444,445],{},"The first move in any CMMC program is distinguishing Federal Contract Information (FCI) from Controlled Unclassified Information (CUI). They are related but distinct categories with very different CMMC implications.",[20,447,449],{"id":448},"federal-contract-information-fci","Federal Contract Information (FCI)",[16,451,452],{},"FCI is information provided by or generated for the government under a contract to develop or deliver a product or service — and that is not intended for public release. 
It excludes public-facing information (like contract award announcements) and simple transactional information (like invoices).",[16,454,455],{},[30,456,457],{},"Examples of FCI:",[120,459,460,463,466,469],{},[37,461,462],{},"Internal correspondence about a DoD contract",[37,464,465],{},"Performance reports generated for the government under contract",[37,467,468],{},"Unclassified technical specifications shared to support a contract",[37,470,471],{},"Contract deliverables that have not been released publicly",[16,473,474,477],{},[30,475,476],{},"CMMC impact:"," FCI triggers CMMC Level 1 — 17 practices, annual self-assessment.",[20,479,481],{"id":480},"controlled-unclassified-information-cui","Controlled Unclassified Information (CUI)",[16,483,484,485,490],{},"CUI is a narrower, more sensitive category. Under 32 CFR Part 2002, CUI is information the government creates or possesses — or that an entity creates or possesses for or on behalf of the government — that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. 
CUI is defined through the ",[376,486,489],{"href":487,"rel":488},"https:\u002F\u002Fwww.archives.gov\u002Fcui",[380],"CUI Registry maintained by the National Archives",".",[16,492,493],{},"CUI categories relevant to defense contractors include:",[120,495,496,502,508,513,518,523,529],{},[37,497,498,501],{},[30,499,500],{},"Controlled Technical Information (CTI)"," — technical data with military or space application",[37,503,504,507],{},[30,505,506],{},"Export Controlled"," — information controlled under ITAR or EAR",[37,509,510],{},[30,511,512],{},"Naval Nuclear Propulsion Information (NNPI)",[37,514,515],{},[30,516,517],{},"Critical Infrastructure Security Information",[37,519,520],{},[30,521,522],{},"Operations Security Information",[37,524,525,528],{},[30,526,527],{},"Procurement and Acquisition"," (specific subcategories)",[37,530,531,534],{},[30,532,533],{},"Source Selection"," information during contract competitions",[16,536,537,539],{},[30,538,476],{}," CUI triggers CMMC Level 2 at minimum. More sensitive CUI or critical programs trigger CMMC Level 3.",[20,541,543],{"id":542},"the-relationship","The relationship",[16,545,546],{},"All CUI is also FCI. But not all FCI is CUI. If your contract involves CUI, you are automatically dealing with FCI too — and your CMMC level is set by the most sensitive category. That usually means CMMC Level 2, which includes the 17 Level 1 FCI practices by virtue of being built on top of them.",[11,548,550],{"id":549},"cui-marking-and-identification","CUI marking and identification",[16,552,553],{},"Proper CUI marking is a government responsibility, but it is also the place where marking most often breaks down. 
The official rules under 32 CFR Part 2002 require:",[120,555,556,571,577,583],{},[37,557,558,561,562,566,567,570],{},[30,559,560],{},"Banner marking"," at the top of every page: ",[563,564,565],"code",{},"CUI"," followed by applicable categories (e.g., ",[563,568,569],{},"CUI\u002F\u002FSP-EXPT",")",[37,572,573,576],{},[30,574,575],{},"Portion marking"," on individual paragraphs, charts, and attachments where CUI content appears",[37,578,579,582],{},[30,580,581],{},"Source and decontrolling information"," in designated marking blocks",[37,584,585,588],{},[30,586,587],{},"Distribution limitation statements"," where applicable",[16,590,591],{},"In practice, marking discipline varies widely. Many contractors receive unmarked information that meets the CUI definition. The safe posture is to treat unmarked-but-apparently-CUI information as CUI and confirm with the contracting officer. When in doubt, treat it as CUI — the cost of over-protection is far lower than the cost of an under-protected CUI spill.",[20,593,595],{"id":594},"identifying-cui-you-already-have","Identifying CUI you already have",[16,597,598],{},"If you are not sure whether CUI lives in your environment today, start with these signals:",[120,600,601,607,613,619,625],{},[37,602,603,606],{},[30,604,605],{},"DFARS 252.204-7012 in your contract."," If your contract includes 7012, the DoD has effectively told you CUI is present.",[37,608,609,612],{},[30,610,611],{},"Drawings or technical data from government customers."," CTI is pervasive in engineering and manufacturing contracts.",[37,614,615,618],{},[30,616,617],{},"Export-controlled markings."," ITAR or EAR controlled material is CUI.",[37,620,621,624],{},[30,622,623],{},"Information labeled \"For Official Use Only\" (FOUO)."," FOUO is a legacy marking that in most cases has been reclassified as CUI under the current regime.",[37,626,627,630],{},[30,628,629],{},"Source selection documents during contract competitions."," Source Selection Sensitive 
information is CUI while the competition is active.",[11,632,634],{"id":633},"cui-access-controls-under-nist-sp-800-171","CUI access controls under NIST SP 800-171",[16,636,637],{},"NIST SP 800-171 — and therefore CMMC Level 2 — imposes specific access controls on CUI. The Access Control family (3.1) alone contains 22 requirements, many of which directly address how CUI is accessed. Key obligations include:",[120,639,640,646,652,658,664,670,676],{},[37,641,642,645],{},[30,643,644],{},"Authorized users only."," Limit system access to authorized users, processes acting on behalf of authorized users, and authorized devices.",[37,647,648,651],{},[30,649,650],{},"Least privilege."," Users should have only the access necessary to perform their duties.",[37,653,654,657],{},[30,655,656],{},"Need-to-know enforcement."," Not every authorized user should see all CUI — access should be segmented by need.",[37,659,660,663],{},[30,661,662],{},"Multifactor authentication."," MFA is required for local and network access to systems handling CUI.",[37,665,666,669],{},[30,667,668],{},"Encrypted mobile devices."," CUI on laptops, phones, and tablets must be encrypted with FIPS-validated cryptography.",[37,671,672,675],{},[30,673,674],{},"Session controls."," Sessions must lock after inactivity and terminate on logout.",[37,677,678,681],{},[30,679,680],{},"Remote access controls."," Remote access to CUI must be controlled, monitored, and encrypted.",[16,683,684],{},"These requirements map to specific System and Communications Protection (3.13) controls as well, particularly FIPS-validated cryptography for CUI at rest and in transit.",[11,686,688],{"id":687},"cui-handling-across-the-data-lifecycle","CUI handling across the data lifecycle",[16,690,691],{},"Good CUI handling covers the full lifecycle of the information:",[120,693,694,700,706,712,718,724,730],{},[37,695,696,699],{},[30,697,698],{},"Receipt."," When CUI arrives from the government or a prime contractor, verify the marking, 
confirm the category, and route it to a CUI-authorized system.",[37,701,702,705],{},[30,703,704],{},"Storage."," CUI lives only on systems inside your CMMC assessment boundary. That means encrypted storage with access controls — typically a FedRAMP Moderate-equivalent environment.",[37,707,708,711],{},[30,709,710],{},"Processing."," Tools that process CUI (CAD software, ERP systems, email, collaboration platforms) need to be part of the CMMC boundary and configured to support the required controls.",[37,713,714,717],{},[30,715,716],{},"Transmission."," CUI in transit requires FIPS-validated encryption. This affects email (S\u002FMIME or TLS 1.2+), file transfer (SFTP, HTTPS with appropriate cipher suites), and internal network traffic segments.",[37,719,720,723],{},[30,721,722],{},"Sharing."," Before sharing CUI with anyone — employees, subcontractors, cloud vendors — verify they are authorized. For subcontractors, that means verifying their CMMC certification.",[37,725,726,729],{},[30,727,728],{},"Retention."," CUI retention should follow contractual requirements. Over-retention expands risk; under-retention can breach contract terms.",[37,731,732,735],{},[30,733,734],{},"Destruction."," CUI media must be sanitized before disposal or reuse, consistent with NIST SP 800-88 media sanitization guidelines.",[11,737,739],{"id":738},"system-scoping-for-cmmc-cui-boundaries","System scoping for CMMC CUI boundaries",[16,741,742],{},"Scoping is where CMMC assessments most often go wrong. Your CMMC assessment boundary includes every system that processes, stores, or transmits CUI, plus every system that can affect the security of those systems. The DoD's CMMC Assessment Scope guidance categorizes assets into several buckets:",[120,744,745,751,757,763,769],{},[37,746,747,750],{},[30,748,749],{},"CUI Assets."," Process, store, or transmit CUI directly. Fully in scope. 
All NIST SP 800-171 requirements apply.",[37,752,753,756],{},[30,754,755],{},"Security Protection Assets."," Provide security services (firewalls, SIEM, identity providers) to CUI assets. In scope. Requirements apply based on function.",[37,758,759,762],{},[30,760,761],{},"Contractor Risk Managed Assets."," Not required to support CUI protection but could impact it if compromised. Documented but not fully assessed.",[37,764,765,768],{},[30,766,767],{},"Specialized Assets."," Government Furnished Equipment, IoT, OT, test equipment. Documented in the SSP with appropriate protections.",[37,770,771,774],{},[30,772,773],{},"Out-of-Scope Assets."," Cannot process, store, or transmit CUI and cannot affect CUI confidentiality. Physically or logically isolated from CUI assets.",[20,776,778],{"id":777},"the-enclave-strategy","The enclave strategy",[16,780,781,782,785],{},"Many organizations reduce their CMMC scope by creating a ",[30,783,784],{},"CUI enclave"," — a dedicated environment (physical, virtual, or cloud-based) where CUI is concentrated and the rest of the business sits outside the CMMC boundary. Microsoft 365 GCC High is the most common enclave choice for defense contractors, but purpose-built on-premises environments and specialized cloud services are also used.",[16,787,788],{},"Enclaves work when they are genuinely isolated. If CUI routinely leaves the enclave into unauthorized systems — pasted into a non-CUI email, stored on a non-CUI file share, accessed from a personal device — the enclave fails and the rest of the environment becomes in-scope.",[11,790,792],{"id":791},"how-this-fits-into-your-cmmc-program","How this fits into your CMMC program",[16,794,795],{},"CUI handling is the thread that runs through every other CMMC topic. Your SSP describes how CUI is protected. Your assessment scope is defined by where CUI lives. Your subcontractor flow-down decisions depend on which subs see CUI. Your POA&M items are prioritized based on which gaps expose CUI. 
Your incident response obligations under DFARS 252.204-7012 center on CUI breach reporting.",[16,797,798],{},"Getting CUI handling right early — especially the scoping decisions — makes the rest of the program tractable. Getting it wrong means rework on a scale that can delay certification by months.",[11,800,802],{"id":801},"common-mistakes","Common mistakes",[120,804,805,811,817,823,829,835,841,847],{},[37,806,807,810],{},[30,808,809],{},"Treating all FCI as CUI (or vice versa)."," Over-protection wastes resources; under-protection fails assessments. Classify accurately.",[37,812,813,816],{},[30,814,815],{},"Accepting unmarked information without verification."," If it looks like CUI, treat it as CUI and confirm with the contracting officer.",[37,818,819,822],{},[30,820,821],{},"Over-broad scoping."," Bringing every system into the CMMC boundary when an enclave strategy would isolate CUI to a fraction of the environment.",[37,824,825,828],{},[30,826,827],{},"Under-broad scoping."," Declaring systems out of scope that in fact touch CUI. Assessors find this quickly and it turns into a finding.",[37,830,831,834],{},[30,832,833],{},"Using commercial Microsoft 365 for CUI."," Commercial M365 does not meet FedRAMP Moderate equivalency for CUI. Organizations handling CUI need GCC High or an equivalent authorized environment.",[37,836,837,840],{},[30,838,839],{},"Forgetting the CUI lifecycle."," Strong access controls on storage but weak controls on transmission, sharing, or destruction still leak CUI.",[37,842,843,846],{},[30,844,845],{},"Ignoring paper and physical CUI."," CUI can exist on paper, on whiteboards, in physical drawings, and in conversations. Physical and procedural controls matter as much as technical ones.",[37,848,849,852],{},[30,850,851],{},"Letting CUI leave the enclave."," The strongest enclave fails if users routinely copy CUI outside it. 
Technical controls plus user training plus monitoring are all required.",[11,854,371],{"id":370},[16,856,857,858,861],{},"episki maps your CMMC assessment boundary as a first-class object. You declare which systems are CUI assets, security protection assets, or contractor risk managed assets, and the platform uses that scoping to focus evidence collection and control attestations where they matter. When a system moves in or out of scope, the impact on your NIST SP 800-171 score is visible immediately. For organizations using a CUI enclave strategy, episki tracks the enclave separately from the rest of the environment and supports the documentation an assessor will expect to see. ",[376,859,381],{"href":378,"rel":860},[380]," to map your CUI boundary.",{"title":384,"searchDepth":385,"depth":385,"links":863},[864,865,870,873,874,875,878,879,880],{"id":431,"depth":385,"text":432},{"id":441,"depth":385,"text":442,"children":866},[867,868,869],{"id":448,"depth":390,"text":449},{"id":480,"depth":390,"text":481},{"id":542,"depth":390,"text":543},{"id":549,"depth":385,"text":550,"children":871},[872],{"id":594,"depth":390,"text":595},{"id":633,"depth":385,"text":634},{"id":687,"depth":385,"text":688},{"id":738,"depth":385,"text":739,"children":876},[877],{"id":777,"depth":390,"text":778},{"id":791,"depth":385,"text":792},{"id":801,"depth":385,"text":802},{"id":370,"depth":385,"text":371},"Controlled Unclassified Information (CUI) under CMMC — FCI vs CUI, CUI marking, handling, access controls, and defining your CMMC system scope.",{"items":883},[884,887,890,893],{"label":885,"content":886},"What is the difference between FCI and CUI?","FCI (Federal Contract Information) is any information provided by or generated for the government under contract that is not intended for public release. CUI (Controlled Unclassified Information) is more sensitive — information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. 
All CUI is FCI, but not all FCI is CUI. FCI triggers CMMC Level 1; CUI triggers Level 2 or higher.",{"label":888,"content":889},"Who is responsible for marking CUI?","The originator of the information — typically the government or the prime contractor on its behalf — is responsible for marking CUI. In practice, marking is often missing or inconsistent. Contractors receiving unmarked information that appears to meet the CUI definition should treat it as CUI and contact the contracting officer for confirmation.",{"label":891,"content":892},"Does CUI need to be encrypted?","Yes. NIST SP 800-171 requires FIPS-validated cryptography for CUI at rest and in transit on non-federal systems. This is one of the requirements that cannot be deferred via POA&M for CMMC Level 2 conditional certification.",{"label":894,"content":895},"Can CUI be stored in standard Microsoft 365 or Google Workspace?","Generally no. Commercial Microsoft 365 and Google Workspace do not meet the FedRAMP Moderate equivalency required for CUI. Organizations handling CUI typically need Microsoft 365 GCC High, Google Workspace with specific FedRAMP authorizations, or a dedicated CUI enclave. Check the specific tenant's authorization before assuming coverage.",{},"\u002Fframeworks\u002Fcmmc\u002Fcui-handling",[899,900,901,902],"nist","data-classification","access-control","encryption",[416,418,417,904],"assessment-process",{"title":906,"description":907},"CUI Handling Under CMMC: FCI vs CUI, Marking, Scoping, and Controls","How to identify, mark, handle, and scope Controlled Unclassified Information (CUI) for CMMC compliance. 
FCI vs CUI explained, access control requirements, and common scoping mistakes.","5.frameworks\u002Fcmmc\u002Fcui-handling","079g6EcUkr3PREZ49XZw_WBF023HlI6VeB_1h_OdPak",{"id":911,"title":912,"body":913,"description":1212,"extension":405,"faq":1213,"frameworkSlug":407,"lastUpdated":408,"meta":1227,"navigation":410,"path":1228,"relatedTerms":1229,"relatedTopics":1232,"seo":1236,"stem":1239,"__hash__":1240},"frameworkTopics\u002F5.frameworks\u002Fcmmc\u002Fdfars-relationship.md","CMMC and DFARS — How They Relate",{"type":8,"value":914,"toc":1200},[915,919,922,925,929,936,950,953,960,964,970,973,987,990,994,1000,1003,1029,1032,1036,1039,1059,1062,1066,1069,1072,1076,1079,1111,1113,1116,1154,1157,1159,1191,1193],[11,916,918],{"id":917},"cmmc-is-verification-dfars-is-enforcement","CMMC is verification; DFARS is enforcement",[16,920,921],{},"It is easy to talk about CMMC and DFARS as if they are separate programs. They are not. CMMC is the Department of Defense's certification framework. DFARS — the Defense Federal Acquisition Regulation Supplement — is the set of contract clauses that actually imposes CMMC (and the NIST SP 800-171 controls beneath it) on defense contractors. Without DFARS, CMMC is a program on paper. With DFARS, CMMC is an enforceable requirement that can kill a contract award.",[16,923,924],{},"This page walks through the DFARS clauses that matter for CMMC, how they relate, and what each one obliges you to do.",[11,926,928],{"id":927},"dfars-252204-7012-the-foundation","DFARS 252.204-7012: the foundation",[16,930,931,932,935],{},"DFARS 252.204-7012 — \"Safeguarding Covered Defense Information and Cyber Incident Reporting\" — has been in effect since December 31, 2017. 
It applies to any DoD contract that involves ",[30,933,934],{},"covered defense information"," (essentially CUI as the DoD defines it) and it does two things:",[34,937,938,944],{},[37,939,940,943],{},[30,941,942],{},"Requires implementation of NIST SP 800-171."," Contractors must implement the 110 security requirements in NIST SP 800-171 Rev 2 to protect covered defense information processed, stored, or transmitted on non-federal systems.",[37,945,946,949],{},[30,947,948],{},"Requires cyber incident reporting within 72 hours."," If a cyber incident affects covered defense information or the systems handling it, the contractor must report to the DoD through the DoD Cyber Crime Center (DC3) within 72 hours of discovery.",[16,951,952],{},"7012 also flows down to subcontractors at every tier that process covered defense information. That flow-down language — unchanged since 2017 — is why primes have a long-established responsibility to require NIST SP 800-171 compliance from their subs.",[16,954,955,956,959],{},"What 7012 did ",[30,957,958],{},"not"," do was verify compliance. Contractors self-attested. There was no audit. There was no score. That gap is exactly what CMMC closed.",[11,961,963],{"id":962},"dfars-252204-7019-and-7020-the-scoring-clauses","DFARS 252.204-7019 and -7020: the scoring clauses",[16,965,966,967,490],{},"In November 2020, the DoD added DFARS 252.204-7019 (\"Notice of NIST SP 800-171 DoD Assessment Requirements\") and DFARS 252.204-7020 (\"NIST SP 800-171 DoD Assessment Requirements\"). 
Together, they imposed a new obligation on contractors with 7012 in their contracts: conduct a NIST SP 800-171 self-assessment and post the score to the ",[30,968,969],{},"Supplier Performance Risk System (SPRS)",[16,971,972],{},"The mechanics:",[120,974,975,978,981,984],{},[37,976,977],{},"The self-assessment uses the DoD Assessment Methodology — the same scoring method CMMC Level 2 self-assessments use today.",[37,979,980],{},"Scoring starts at 110 and subtracts points for unmet requirements.",[37,982,983],{},"The score is posted to SPRS and is visible to contracting officers during source selection.",[37,985,986],{},"Scores more than three years old are considered expired.",[16,988,989],{},"7019 and 7020 were the bridge between 7012 and CMMC. They introduced the scoring methodology, they stood up SPRS as the authoritative repository, and they normalized the idea that a specific numerical measure of NIST SP 800-171 compliance would factor into contract decisions. When CMMC 2.0 arrived, it could plug into the mechanism 7019 and 7020 had already built.",[11,991,993],{"id":992},"dfars-252204-7021-the-cmmc-clause","DFARS 252.204-7021: the CMMC clause",[16,995,996,997,490],{},"DFARS 252.204-7021 — \"Cybersecurity Maturity Model Certification Requirements\" — is the clause that makes CMMC a contract requirement. Originally published in 2020 (briefly, under CMMC 1.0), it was revised and republished alongside the CMMC 2.0 program rule and ",[30,998,999],{},"took effect November 10, 2025",[16,1001,1002],{},"7021 does four things:",[34,1004,1005,1011,1017,1023],{},[37,1006,1007,1010],{},[30,1008,1009],{},"Requires a current CMMC certification at contract award."," Before an award can be made, the contractor must hold a valid CMMC certification at the level specified in the solicitation. 
No certification, no award.",[37,1012,1013,1016],{},[30,1014,1015],{},"Requires the certification to remain current."," Certifications must not expire during performance, and annual affirmations must be submitted on time.",[37,1018,1019,1022],{},[30,1020,1021],{},"Requires flow-down."," The CMMC requirement flows to subcontractors at the level appropriate for the covered information they will handle.",[37,1024,1025,1028],{},[30,1026,1027],{},"Specifies the assessment type."," The solicitation identifies whether the required certification is Level 1 self, Level 2 self, Level 2 C3PAO, or Level 3 DIBCAC.",[16,1030,1031],{},"7021 does not replace 7012, 7019, or 7020. All four clauses operate simultaneously. A contractor with a Level 2 C3PAO contract is subject to 7012 (safeguarding and incident reporting), 7019 and 7020 (scoring and SPRS), and 7021 (certification before award). Each clause addresses a different mechanism of the same program.",[11,1033,1035],{"id":1034},"how-the-clauses-work-together","How the clauses work together",[16,1037,1038],{},"Think of the DFARS cyber clauses as a stack:",[120,1040,1041,1047,1053],{},[37,1042,1043,1046],{},[30,1044,1045],{},"7012 sets the control standard."," NIST SP 800-171. Incident reporting within 72 hours. Flow-down to subs.",[37,1048,1049,1052],{},[30,1050,1051],{},"7019 and 7020 introduce scoring."," DoD Assessment Methodology. SPRS submission. Visibility during source selection.",[37,1054,1055,1058],{},[30,1056,1057],{},"7021 adds certification."," A formal CMMC credential at the right level, verified at award.",[16,1060,1061],{},"Each clause is additive. 7012 still requires 800-171 implementation. 7019 and 7020 still require SPRS scoring. 
7021 adds the requirement that your scoring translate into a recognized CMMC certification before a DoD agency can put contract dollars behind you.",[11,1063,1065],{"id":1064},"nist-sp-800-171-is-the-common-thread","NIST SP 800-171 is the common thread",[16,1067,1068],{},"Every DFARS cyber clause points back to the same underlying control standard: NIST SP 800-171 Rev 2. The 14 control families and 110 security requirements are what you actually implement. Everything else — the scoring methodology, the SPRS entry, the C3PAO certification — is downstream machinery for verifying your NIST SP 800-171 posture.",[16,1070,1071],{},"This is why investing in a strong NIST SP 800-171 program is the highest-leverage move a defense contractor can make. It satisfies DFARS 252.204-7012. It produces the score for SPRS under 7019 and 7020. It is the pre-work for any CMMC Level 2 assessment under 7021. One control implementation, four DFARS obligations satisfied.",[11,1073,1075],{"id":1074},"contractual-enforcement-what-happens-when-you-miss","Contractual enforcement: what happens when you miss",[16,1077,1078],{},"The DFARS clauses are not advisory. Enforcement mechanisms include:",[120,1080,1081,1087,1093,1099,1105],{},[37,1082,1083,1086],{},[30,1084,1085],{},"Contract ineligibility."," Under 7021, no CMMC certification means no award. The contracting officer cannot legally make the award.",[37,1088,1089,1092],{},[30,1090,1091],{},"Stop-work or termination."," A certification that lapses mid-contract can trigger cure periods or, in the worst case, termination for default.",[37,1094,1095,1098],{},[30,1096,1097],{},"False Claims Act exposure."," A misrepresented SPRS score under 7019 or 7020 is a false claim. 
Multiple defense contractors have settled FCA cases tied to inflated NIST SP 800-171 scores, with settlements in the hundreds of thousands to tens of millions of dollars.",[37,1100,1101,1104],{},[30,1102,1103],{},"Suspension and debarment."," Egregious cybersecurity failures can trigger suspension or debarment from federal contracting.",[37,1106,1107,1110],{},[30,1108,1109],{},"Incident reporting failures."," Under 7012, missing the 72-hour reporting window is itself a contractual breach, independent of any underlying cybersecurity posture.",[11,1112,792],{"id":791},[16,1114,1115],{},"The DFARS clauses give you a concrete obligations map. Every CMMC readiness activity should be traceable to one or more of them:",[120,1117,1118,1124,1130,1136,1142,1148],{},[37,1119,1120,1123],{},[30,1121,1122],{},"SSP development"," → 7012 (NIST SP 800-171 implementation).",[37,1125,1126,1129],{},[30,1127,1128],{},"SPRS score submission"," → 7019 and 7020.",[37,1131,1132,1135],{},[30,1133,1134],{},"C3PAO assessment"," → 7021 at Level 2.",[37,1137,1138,1141],{},[30,1139,1140],{},"DIBCAC assessment"," → 7021 at Level 3.",[37,1143,1144,1147],{},[30,1145,1146],{},"Incident response program"," → 7012 (72-hour reporting).",[37,1149,1150,1153],{},[30,1151,1152],{},"Subcontractor flow-down"," → 7012 and 7021 flow-down language.",[16,1155,1156],{},"Using the clauses as the organizing frame makes the obligations tangible. \"Because DFARS 252.204-7012 requires 72-hour incident reporting, we need an incident response plan that can meet a 72-hour clock\" is a more actionable statement than \"we need an incident response plan.\"",[11,1158,802],{"id":801},[120,1160,1161,1167,1173,1179,1185],{},[37,1162,1163,1166],{},[30,1164,1165],{},"Assuming CMMC replaces the older clauses."," It does not. 
7012, 7019, and 7020 all continue to apply.",[37,1168,1169,1172],{},[30,1170,1171],{},"Ignoring 7012 incident reporting."," Many contractors focus on controls and forget that 7012 also requires rapid reporting to DC3. Missing the 72-hour window is its own breach.",[37,1174,1175,1178],{},[30,1176,1177],{},"Treating SPRS as optional."," Under 7019 and 7020, an SPRS score is a prerequisite for being considered for many DoD contracts. Organizations without scores are self-disqualifying.",[37,1180,1181,1184],{},[30,1182,1183],{},"Flowing down 7021 without the data to justify it."," CMMC clauses should flow to subcontractors based on the information actually shared. Flowing the clause down too broadly creates unnecessary subcontractor obligations; flowing it down too narrowly is an enforcement risk.",[37,1186,1187,1190],{},[30,1188,1189],{},"Confusing CUI scope with contract scope."," The DFARS clauses apply because of how covered information flows, not because of the contract's dollar value. A small contract with CUI triggers the clauses; a large contract without CUI may not.",[11,1192,371],{"id":370},[16,1194,1195,1196,1199],{},"episki maps each DFARS obligation to the specific NIST SP 800-171 controls and CMMC practices that satisfy it. When a DFARS clause is modified or a new solicitation cites a specific requirement, the platform shows you exactly what you already have coverage for and what you still need. Incident response workflows are pre-configured to meet the 72-hour reporting clock under 7012, and SPRS score submissions under 7019 and 7020 are generated from the same control evidence that feeds your CMMC assessment. 
",[376,1197,381],{"href":378,"rel":1198},[380]," to align your DFARS obligations in one workspace.",{"title":384,"searchDepth":385,"depth":385,"links":1201},[1202,1203,1204,1205,1206,1207,1208,1209,1210,1211],{"id":917,"depth":385,"text":918},{"id":927,"depth":385,"text":928},{"id":962,"depth":385,"text":963},{"id":992,"depth":385,"text":993},{"id":1034,"depth":385,"text":1035},{"id":1064,"depth":385,"text":1065},{"id":1074,"depth":385,"text":1075},{"id":791,"depth":385,"text":792},{"id":801,"depth":385,"text":802},{"id":370,"depth":385,"text":371},"How CMMC relates to DFARS 252.204-7012, 7019, 7020, and 7021, how contractual enforcement actually works, and how NIST SP 800-171 ties the two together.",{"items":1214},[1215,1218,1221,1224],{"label":1216,"content":1217},"What is DFARS 252.204-7012?","DFARS 252.204-7012 — 'Safeguarding Covered Defense Information and Cyber Incident Reporting' — has been in effect since 2017. It requires contractors that process covered defense information to implement the security requirements in NIST SP 800-171 and to report cyber incidents to the DoD within 72 hours. CMMC builds on top of 7012 rather than replacing it.",{"label":1219,"content":1220},"What is DFARS 252.204-7021?","DFARS 252.204-7021 is the clause that imposes CMMC certification as a contract requirement. It took effect November 10, 2025, and specifies the CMMC level and assessment type (self, C3PAO, or DIBCAC) that a contractor must hold before award. Without 7021, CMMC existed only as a program; with 7021, it is a binding contractual obligation.",{"label":1222,"content":1223},"Does NIST SP 800-171 still apply now that CMMC exists?","Yes. NIST SP 800-171 remains the underlying control standard. CMMC Level 2 maps to NIST SP 800-171 directly, and DFARS 252.204-7012 continues to require NIST SP 800-171 implementation for any contractor handling covered defense information. 
CMMC did not replace 800-171 — CMMC is the verification mechanism for it.",{"label":1225,"content":1226},"Do all DoD contracts include DFARS CMMC clauses?","Only contracts that involve covered defense information, FCI, or CUI trigger the DFARS cyber clauses. Contracts that do not involve covered information — for example, a purely commercial-item purchase unrelated to defense information handling — do not include 7012 or 7021. The clauses flow from the data, not the contract dollar value.",{},"\u002Fframeworks\u002Fcmmc\u002Fdfars-relationship",[899,1230,1231],"framework","control-framework",[1233,904,1234,1235],"implementation-timeline","self-assessment-vs-third-party","subcontractor-requirements",{"title":1237,"description":1238},"CMMC and DFARS: 252.204-7012, 7019, 7020, 7021 Explained","The DFARS clauses behind CMMC. How 252.204-7012, 7019, 7020, and 7021 enforce CMMC, NIST SP 800-171, and incident reporting obligations in DoD contracts.","5.frameworks\u002Fcmmc\u002Fdfars-relationship","AcL6HsfS0U9dnU6bRJWDbXP0BQKnQNpHqVuM2616QD8",{"id":1242,"title":1243,"body":1244,"description":1591,"extension":405,"faq":406,"frameworkSlug":407,"lastUpdated":408,"meta":1592,"navigation":410,"path":1593,"relatedTerms":1594,"relatedTopics":1597,"seo":1598,"stem":1601,"__hash__":1602},"frameworkTopics\u002F5.frameworks\u002Fcmmc\u002Fimplementation-timeline.md","CMMC Implementation Timeline",{"type":8,"value":1245,"toc":1579},[1246,1250,1253,1275,1278,1282,1285,1289,1294,1297,1320,1325,1336,1340,1343,1359,1363,1374,1378,1381,1396,1400,1408,1412,1415,1429,1433,1441,1445,1531,1535,1538,1570,1572],[11,1247,1249],{"id":1248},"cmmc-rulemaking-timeline","CMMC rulemaking timeline",[16,1251,1252],{},"CMMC's path to enforcement involved two separate rulemakings:",[120,1254,1255,1265],{},[37,1256,1257,1260,1261,1264],{},[30,1258,1259],{},"CMMC Program Rule (32 CFR Part 170)"," — published in the Federal Register on October 15, 2024, and effective ",[30,1262,1263],{},"December 16, 
2024",". This rule established the CMMC program structure, assessment requirements, and certification processes.",[37,1266,1267,1270,1271,1274],{},[30,1268,1269],{},"DFARS Rule (48 CFR)"," — published on September 10, 2025, and effective ",[30,1272,1273],{},"November 10, 2025",". This rule amended the Defense Federal Acquisition Regulation Supplement to incorporate CMMC requirements into actual DoD contracts.",[16,1276,1277],{},"The DFARS rule is what triggers enforcement. Without it, CMMC existed as a program but could not be contractually required. With the DFARS rule in effect, the DoD can now include CMMC level requirements as conditions of contract award.",[11,1279,1281],{"id":1280},"the-four-phases","The four phases",[16,1283,1284],{},"The DFARS rule implements CMMC through a phased approach that gradually expands requirements over four years.",[20,1286,1288],{"id":1287},"phase-1-november-10-2025-to-november-9-2026","Phase 1 — November 10, 2025 to November 9, 2026",[16,1290,1291],{},[30,1292,1293],{},"Status: Active now",[16,1295,1296],{},"Phase 1 introduces CMMC requirements into select DoD solicitations and contracts:",[120,1298,1299,1305,1311,1317],{},[37,1300,1301,1304],{},[30,1302,1303],{},"Level 1 self-assessments"," may be required as a condition of award for contracts involving FCI",[37,1306,1307,1310],{},[30,1308,1309],{},"Level 2 self-assessments"," may be required as a condition of award for contracts involving CUI",[37,1312,1313,1316],{},[30,1314,1315],{},"Level 2 C3PAO assessments"," may be required at the DoD's discretion for a limited number of contracts involving more sensitive CUI",[37,1318,1319],{},"The DoD has discretion over which solicitations include CMMC requirements during this phase",[16,1321,1322],{},[30,1323,1324],{},"What this means for contractors:",[120,1326,1327,1330,1333],{},[37,1328,1329],{},"If your contract is selected for CMMC requirements, you must have a valid self-assessment score in SPRS before contract 
award",[37,1331,1332],{},"Begin preparing now even if your current contracts do not yet require CMMC — new solicitations and recompetes will increasingly include requirements",[37,1334,1335],{},"Organizations that have been maintaining NIST SP 800-171 compliance and submitting SPRS scores are well positioned",[20,1337,1339],{"id":1338},"phase-2-november-10-2026-to-november-9-2027","Phase 2 — November 10, 2026 to November 9, 2027",[16,1341,1342],{},"Phase 2 broadens CMMC requirements:",[120,1344,1345,1350,1356],{},[37,1346,1347,1349],{},[30,1348,1315],{}," become more widely required. Contracts involving CUI that was previously eligible for self-assessment may now require third-party certification.",[37,1351,1352,1355],{},[30,1353,1354],{},"Level 3 DIBCAC assessments"," may be required at the DoD's discretion for a limited number of the most sensitive programs",[37,1357,1358],{},"The scope of solicitations including CMMC requirements expands significantly",[16,1360,1361],{},[30,1362,1324],{},[120,1364,1365,1368,1371],{},[37,1366,1367],{},"Organizations handling CUI should plan for C3PAO assessment timelines. 
Engaging a C3PAO early is critical — the pool of accredited assessors will be stretched.",[37,1369,1370],{},"C3PAO assessments typically require two to six months of preparation plus the assessment itself",[37,1372,1373],{},"Budget for assessment costs, which typically range from $50,000 to $150,000+ depending on scope",[20,1375,1377],{"id":1376},"phase-3-november-10-2027-to-november-9-2028","Phase 3 — November 10, 2027 to November 9, 2028",[16,1379,1380],{},"Phase 3 adds Level 3 requirements broadly:",[120,1382,1383,1388,1393],{},[37,1384,1385,1387],{},[30,1386,1315],{}," continue expanding across applicable contracts",[37,1389,1390,1392],{},[30,1391,1354],{}," become more widely required for contracts involving the most sensitive CUI and critical programs",[37,1394,1395],{},"Most new DoD solicitations involving FCI or CUI will include CMMC requirements",[16,1397,1398],{},[30,1399,1324],{},[120,1401,1402,1405],{},[37,1403,1404],{},"Organizations on the most sensitive programs should already be preparing for Level 3",[37,1406,1407],{},"Level 3 requires a valid Level 2 C3PAO certification as a prerequisite, so the certification chain must be planned well in advance",[20,1409,1411],{"id":1410},"phase-4-november-10-2028-onward","Phase 4 — November 10, 2028 onward",[16,1413,1414],{},"Phase 4 represents full implementation:",[120,1416,1417,1423,1426],{},[37,1418,1419,1422],{},[30,1420,1421],{},"All DoD contracts"," that require the processing, storage, or transmission of FCI or CUI must include the appropriate CMMC level as a condition of award",[37,1424,1425],{},"No exceptions or discretionary application — CMMC is a universal contract requirement for covered information",[37,1427,1428],{},"Option periods and extensions on existing contracts will also incorporate CMMC requirements",[16,1430,1431],{},[30,1432,1324],{},[120,1434,1435,1438],{},[37,1436,1437],{},"By Phase 4, any organization without the appropriate CMMC certification will be ineligible for DoD contract 
awards involving FCI or CUI",[37,1439,1440],{},"This is the hard deadline. Organizations that have not achieved certification by this point will lose the ability to compete for affected contracts.",[11,1442,1444],{"id":1443},"key-dates-summary","Key dates summary",[1446,1447,1448,1461],"table",{},[1449,1450,1451],"thead",{},[1452,1453,1454,1458],"tr",{},[1455,1456,1457],"th",{},"Date",[1455,1459,1460],{},"Milestone",[1462,1463,1464,1473,1480,1488,1498,1509,1520],"tbody",{},[1452,1465,1466,1470],{},[1467,1468,1469],"td",{},"October 15, 2024",[1467,1471,1472],{},"CMMC Program Rule published",[1452,1474,1475,1477],{},[1467,1476,1263],{},[1467,1478,1479],{},"CMMC Program Rule effective",[1452,1481,1482,1485],{},[1467,1483,1484],{},"September 10, 2025",[1467,1486,1487],{},"DFARS Rule published",[1452,1489,1490,1492],{},[1467,1491,1273],{},[1467,1493,1494,1497],{},[30,1495,1496],{},"Phase 1 begins"," — CMMC in select contracts",[1452,1499,1500,1503],{},[1467,1501,1502],{},"November 10, 2026",[1467,1504,1505,1508],{},[30,1506,1507],{},"Phase 2 begins"," — C3PAO requirements expand",[1452,1510,1511,1514],{},[1467,1512,1513],{},"November 10, 2027",[1467,1515,1516,1519],{},[30,1517,1518],{},"Phase 3 begins"," — Level 3 requirements expand",[1452,1521,1522,1525],{},[1467,1523,1524],{},"November 10, 2028",[1467,1526,1527,1530],{},[30,1528,1529],{},"Phase 4 begins"," — full CMMC enforcement",[11,1532,1534],{"id":1533},"why-you-should-not-wait","Why you should not wait",[16,1536,1537],{},"Although full enforcement is phased, several factors make early action critical:",[34,1539,1540,1546,1552,1558,1564],{},[37,1541,1542,1545],{},[30,1543,1544],{},"C3PAO availability"," — the number of accredited C3PAOs is limited and growing slowly. As Phase 2 approaches, demand for assessments will spike, and wait times will increase.",[37,1547,1548,1551],{},[30,1549,1550],{},"Remediation takes time"," — closing gaps in 110 NIST SP 800-171 requirements is not a quick project. 
Most organizations need 6 to 18 months of sustained effort.",[37,1553,1554,1557],{},[30,1555,1556],{},"Contract competitiveness"," — DoD agencies can add CMMC requirements to any solicitation at their discretion even during Phase 1. Organizations that are already certified will have a competitive advantage.",[37,1559,1560,1563],{},[30,1561,1562],{},"Subcontract flow-down"," — prime contractors are increasingly requiring CMMC readiness from their subcontractors ahead of the DFARS timeline to reduce their own supply chain risk.",[37,1565,1566,1569],{},[30,1567,1568],{},"False Claims Act exposure"," — submitting inaccurate SPRS scores has already resulted in enforcement actions under the False Claims Act. The stakes of self-attestation are real.",[11,1571,371],{"id":370},[16,1573,1574,1575,1578],{},"episki gives your team a real-time view of where you stand against each phase's requirements. The platform tracks your SPRS score, monitors POA&M remediation progress, and alerts you when assessment deadlines approach. As phases shift and requirements expand, episki updates your workspace to reflect the new obligations — so you are never caught off guard. 
",[376,1576,381],{"href":378,"rel":1577},[380]," to see your phase readiness today.",{"title":384,"searchDepth":385,"depth":385,"links":1580},[1581,1582,1588,1589,1590],{"id":1248,"depth":385,"text":1249},{"id":1280,"depth":385,"text":1281,"children":1583},[1584,1585,1586,1587],{"id":1287,"depth":390,"text":1288},{"id":1338,"depth":390,"text":1339},{"id":1376,"depth":390,"text":1377},{"id":1410,"depth":390,"text":1411},{"id":1443,"depth":385,"text":1444},{"id":1533,"depth":385,"text":1534},{"id":370,"depth":385,"text":371},"The four-phase CMMC rollout from November 2025 through November 2028, including what each phase requires for Level 1, Level 2, and Level 3 contractors.",{},"\u002Fframeworks\u002Fcmmc\u002Fimplementation-timeline",[407,1595,1596],"dfars","cui",[416,418,904],{"title":1599,"description":1600},"CMMC Timeline 2025–2028: All 4 Phases & Deadlines","CMMC phased rollout from Phase 1 (Nov 2025) through Phase 4 (Nov 2028). Know exactly when each level requirement kicks in for your DoD contracts.","5.frameworks\u002Fcmmc\u002Fimplementation-timeline","Ad6K16LwtfWSkuNM3UZqkl1Q5_Q_CT6KUJ_aLYOZvu4",{"id":1604,"title":1605,"body":1606,"description":1949,"extension":405,"faq":406,"frameworkSlug":407,"lastUpdated":408,"meta":1950,"navigation":410,"path":1951,"relatedTerms":1952,"relatedTopics":1954,"seo":1955,"stem":1958,"__hash__":1959},"frameworkTopics\u002F5.frameworks\u002Fcmmc\u002Flevels.md","CMMC Levels Explained",{"type":8,"value":1607,"toc":1929},[1608,1612,1615,1619,1625,1629,1640,1644,1661,1665,1668,1712,1716,1722,1725,1736,1739,1742,1755,1757,1764,1775,1778,1782,1789,1792,1809,1812,1826,1830,1833,1856,1860,1863,1917,1920,1922],[11,1609,1611],{"id":1610},"overview-of-cmmc-20-levels","Overview of CMMC 2.0 levels",[16,1613,1614],{},"CMMC 2.0 replaced the original five-level model with three streamlined levels. Each level builds on the one below it, adding more practices and more rigorous assessment requirements. 
The level your organization needs is determined by the type of information you handle under your DoD contract.",[11,1616,1618],{"id":1617},"level-1-foundational","Level 1 — Foundational",[16,1620,1621,1622,1624],{},"Level 1 applies to organizations that handle ",[30,1623,449],{}," — information provided by or generated for the government under contract that is not intended for public release.",[20,1626,1628],{"id":1627},"requirements","Requirements",[120,1630,1631,1637],{},[37,1632,1633,1636],{},[30,1634,1635],{},"17 practices"," drawn from FAR 52.204-21, \"Basic Safeguarding of Covered Contractor Information Systems\"",[37,1638,1639],{},"Practices cover fundamental cyber hygiene: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity",[20,1641,1643],{"id":1642},"assessment-type","Assessment type",[120,1645,1646,1652,1655,1658],{},[37,1647,1648,1651],{},[30,1649,1650],{},"Annual self-assessment"," performed by the organization",[37,1653,1654],{},"Results entered into the Supplier Performance Risk System (SPRS)",[37,1656,1657],{},"A senior official must affirm compliance annually",[37,1659,1660],{},"No third-party assessment required",[20,1662,1664],{"id":1663},"what-level-1-covers","What Level 1 covers",[16,1666,1667],{},"Level 1 practices are baseline security measures that most organizations should already have in place:",[120,1669,1670,1673,1676,1679,1682,1685,1688,1691,1694,1697,1700,1703,1706,1709],{},[37,1671,1672],{},"Limit system access to authorized users",[37,1674,1675],{},"Limit system access to the types of transactions and functions that authorized users are permitted to execute",[37,1677,1678],{},"Verify and control connections to external systems",[37,1680,1681],{},"Control information posted on publicly accessible systems",[37,1683,1684],{},"Identify and authenticate users before granting access",[37,1686,1687],{},"Sanitize or destroy media 
before disposal or reuse",[37,1689,1690],{},"Limit physical access to systems and equipment",[37,1692,1693],{},"Escort visitors and monitor visitor activity",[37,1695,1696],{},"Monitor and control communications at system boundaries",[37,1698,1699],{},"Implement subnetworks for publicly accessible system components",[37,1701,1702],{},"Identify, report, and correct information system flaws in a timely manner",[37,1704,1705],{},"Provide protection from malicious code at appropriate locations",[37,1707,1708],{},"Update malicious code protection mechanisms as new releases are available",[37,1710,1711],{},"Perform periodic scans and real-time scans of files from external sources",[11,1713,1715],{"id":1714},"level-2-advanced","Level 2 — Advanced",[16,1717,1718,1719,1721],{},"Level 2 applies to organizations that handle ",[30,1720,481],{}," — information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy.",[20,1723,1628],{"id":1724},"requirements-1",[120,1726,1727,1733],{},[37,1728,1729,1732],{},[30,1730,1731],{},"110 security requirements"," aligned to all 14 control families in NIST SP 800-171 Rev 2",[37,1734,1735],{},"Covers access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity",[20,1737,1643],{"id":1738},"assessment-type-1",[16,1740,1741],{},"Level 2 has two assessment paths depending on the sensitivity of the CUI:",[120,1743,1744,1750],{},[37,1745,1746,1749],{},[30,1747,1748],{},"Self-assessment"," — for contracts involving less sensitive CUI. The organization conducts its own assessment, scores it using the DoD Assessment Methodology, and submits the score to SPRS. 
A senior official must affirm compliance annually.",[37,1751,1752,1754],{},[30,1753,1134],{}," — for contracts involving more sensitive CUI or critical programs. A CMMC Third-Party Assessment Organization (C3PAO) conducts the assessment. Certification is valid for three years, with annual affirmation of continued compliance required.",[20,1756,176],{"id":175},[16,1758,1759,1760,1763],{},"The DoD Assessment Methodology assigns a score out of 110 based on the number of objectives met. Organizations that do not meet all 110 requirements may receive a ",[30,1761,1762],{},"conditional certification"," if they:",[120,1765,1766,1769,1772],{},[37,1767,1768],{},"Score at least 80% (88 out of 110)",[37,1770,1771],{},"Document unmet requirements in a Plan of Action and Milestones (POA&M)",[37,1773,1774],{},"Close all POA&M items within 180 days of the conditional certification",[16,1776,1777],{},"Failure to close POA&M items within 180 days revokes the conditional certification.",[11,1779,1781],{"id":1780},"level-3-expert","Level 3 — Expert",[16,1783,1784,1785,1788],{},"Level 3 applies to organizations working on the ",[30,1786,1787],{},"most sensitive DoD programs"," where advanced persistent threats (APTs) are a concern.",[20,1790,1628],{"id":1791},"requirements-2",[120,1793,1794,1800,1806],{},[37,1795,1796,1797],{},"All 110 NIST SP 800-171 Rev 2 requirements from Level 2, ",[30,1798,1799],{},"plus",[37,1801,1802,1805],{},[30,1803,1804],{},"24 additional requirements"," selected from NIST SP 800-172, \"Enhanced Security Requirements for Protecting Controlled Unclassified Information\"",[37,1807,1808],{},"Enhanced requirements focus on penetration-resistant architecture, damage-limiting operations, and designing for cyber resiliency",[20,1810,1643],{"id":1811},"assessment-type-2",[120,1813,1814,1820,1823],{},[37,1815,1816,1819],{},[30,1817,1818],{},"Government-led assessment"," conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity 
Assessment Center (DIBCAC)",[37,1821,1822],{},"Requires a valid Level 2 C3PAO certification as a prerequisite",[37,1824,1825],{},"Certification is valid for three years with annual affirmation",[20,1827,1829],{"id":1828},"level-3-enhanced-focus-areas","Level 3 enhanced focus areas",[16,1831,1832],{},"The 24 additional requirements from NIST SP 800-172 emphasize:",[120,1834,1835,1838,1841,1844,1847,1850,1853],{},[37,1836,1837],{},"Dual authorization for critical actions",[37,1839,1840],{},"Advanced threat hunting and monitoring",[37,1842,1843],{},"Automated response to security events",[37,1845,1846],{},"Network segmentation and micro-segmentation",[37,1848,1849],{},"Supply chain risk management",[37,1851,1852],{},"Penetration testing and red team exercises",[37,1854,1855],{},"System resilience and recovery capabilities",[11,1857,1859],{"id":1858},"how-to-determine-your-required-level","How to determine your required level",[16,1861,1862],{},"Your required CMMC level is specified in the solicitation or contract. 
As a general guide:",[1446,1864,1865,1877],{},[1449,1866,1867],{},[1452,1868,1869,1872,1875],{},[1455,1870,1871],{},"Information type",[1455,1873,1874],{},"Typical CMMC level",[1455,1876,1643],{},[1462,1878,1879,1888,1897,1907],{},[1452,1880,1881,1884,1886],{},[1467,1882,1883],{},"FCI only",[1467,1885,248],{},[1467,1887,1748],{},[1452,1889,1890,1893,1895],{},[1467,1891,1892],{},"CUI (less sensitive)",[1467,1894,254],{},[1467,1896,1748],{},[1452,1898,1899,1902,1904],{},[1467,1900,1901],{},"CUI (more sensitive or critical programs)",[1467,1903,254],{},[1467,1905,1906],{},"C3PAO",[1452,1908,1909,1912,1914],{},[1467,1910,1911],{},"CUI on highest-priority programs",[1467,1913,260],{},[1467,1915,1916],{},"DIBCAC",[16,1918,1919],{},"If you are unsure which level applies, review your contract's DFARS clause 252.204-7021 or consult your contracting officer.",[11,1921,371],{"id":370},[16,1923,1924,1925,1928],{},"episki provides pre-mapped practice sets for all three CMMC levels. During onboarding, select your target level and the platform generates a tailored workspace with the right controls, narratives, and evidence requirements. As you close gaps, your SPRS score updates in real time. If you hold multiple contracts at different levels, episki maintains separate scoping views while reusing shared controls — so Level 1 work automatically counts toward Level 2 readiness. 
",[376,1926,381],{"href":378,"rel":1927},[380]," to see your current readiness posture.",{"title":384,"searchDepth":385,"depth":385,"links":1930},[1931,1932,1937,1942,1947,1948],{"id":1610,"depth":385,"text":1611},{"id":1617,"depth":385,"text":1618,"children":1933},[1934,1935,1936],{"id":1627,"depth":390,"text":1628},{"id":1642,"depth":390,"text":1643},{"id":1663,"depth":390,"text":1664},{"id":1714,"depth":385,"text":1715,"children":1938},[1939,1940,1941],{"id":1724,"depth":390,"text":1628},{"id":1738,"depth":390,"text":1643},{"id":175,"depth":390,"text":176},{"id":1780,"depth":385,"text":1781,"children":1943},[1944,1945,1946],{"id":1791,"depth":390,"text":1628},{"id":1811,"depth":390,"text":1643},{"id":1828,"depth":390,"text":1829},{"id":1858,"depth":385,"text":1859},{"id":370,"depth":385,"text":371},"A complete guide to the three CMMC 2.0 maturity levels — Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert) — with practice counts, assessment types, and scoping guidance.",{},"\u002Fframeworks\u002Fcmmc\u002Flevels",[407,1953,1596],"nist-800-171",[904,418,417],{"title":1956,"description":1957},"CMMC 2.0 Levels Explained (2026): Level 1 vs 2 vs 3 Requirements & Costs","CMMC 2.0 maturity levels compared — practice counts, assessment types, costs, and how to determine which level your DoD contract requires.","5.frameworks\u002Fcmmc\u002Flevels","8gqyHHG0u8w-zYk-RDhj3lhi-RR5Ex1SnkudAMzBhNk",{"id":1961,"title":1962,"body":1963,"description":2285,"extension":405,"faq":406,"frameworkSlug":407,"lastUpdated":408,"meta":2286,"navigation":410,"path":2287,"relatedTerms":2288,"relatedTopics":2290,"seo":2291,"stem":2294,"__hash__":2295},"frameworkTopics\u002F5.frameworks\u002Fcmmc\u002Fnist-800-171-mapping.md","NIST SP 800-171 
Mapping",{"type":8,"value":1964,"toc":2259},[1965,1969,1976,1979,1983,1986,1990,1993,1998,2012,2016,2019,2023,2026,2030,2033,2037,2040,2044,2055,2059,2062,2066,2069,2073,2076,2080,2083,2087,2090,2094,2097,2101,2104,2108,2111,2115,2126,2130,2133,2137,2140,2144,2151,2213,2216,2220,2227,2231,2234,2238,2245,2247],[11,1966,1968],{"id":1967},"cmmc-level-2-and-nist-sp-800-171","CMMC Level 2 and NIST SP 800-171",[16,1970,1971,1972,1975],{},"CMMC Level 2 is a direct mapping to ",[30,1973,1974],{},"NIST SP 800-171 Rev 2",", \"Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.\" Every one of the 110 CMMC Level 2 practices corresponds to a NIST SP 800-171 security requirement. There are no additions, modifications, or deletions — the mapping is one-to-one.",[16,1977,1978],{},"This alignment was a deliberate design choice in CMMC 2.0. The original CMMC 1.0 introduced unique practices and maturity processes on top of NIST standards. CMMC 2.0 eliminated those additions, making NIST SP 800-171 the single authoritative source for Level 2 requirements.",[11,1980,1982],{"id":1981},"the-14-control-families","The 14 control families",[16,1984,1985],{},"NIST SP 800-171 organizes its 110 security requirements into 14 families. Each family addresses a specific domain of cybersecurity:",[20,1987,1989],{"id":1988},"_31-access-control-22-requirements","3.1 Access Control (22 requirements)",[16,1991,1992],{},"The largest family. Covers how organizations limit system access to authorized users, processes, and devices. 
Key areas include account management, access enforcement, remote access, and wireless access restrictions.",[16,1994,1995],{},[30,1996,1997],{},"Example requirements:",[120,1999,2000,2003,2006,2009],{},[37,2001,2002],{},"Limit system access to authorized users (3.1.1)",[37,2004,2005],{},"Employ the principle of least privilege (3.1.5)",[37,2007,2008],{},"Use multifactor authentication for network access (3.1.8)",[37,2010,2011],{},"Encrypt CUI on mobile devices and mobile computing platforms (3.1.19)",[20,2013,2015],{"id":2014},"_32-awareness-and-training-3-requirements","3.2 Awareness and Training (3 requirements)",[16,2017,2018],{},"Ensures personnel are aware of security risks and trained on their responsibilities. Includes role-based training for users with elevated privileges or security-sensitive roles.",[20,2020,2022],{"id":2021},"_33-audit-and-accountability-9-requirements","3.3 Audit and Accountability (9 requirements)",[16,2024,2025],{},"Covers creation, protection, and review of system audit logs. Organizations must create and retain system audit logs sufficient to enable monitoring, analysis, investigation, and reporting of unauthorized activity.",[20,2027,2029],{"id":2028},"_34-configuration-management-9-requirements","3.4 Configuration Management (9 requirements)",[16,2031,2032],{},"Addresses baseline configurations, change control, and least functionality. Organizations must establish and enforce security configuration settings and track changes to systems.",[20,2034,2036],{"id":2035},"_35-identification-and-authentication-11-requirements","3.5 Identification and Authentication (11 requirements)",[16,2038,2039],{},"Requires unique identification of users and devices, multifactor authentication, and credential management. 
This family includes some of the most technically demanding requirements.",[16,2041,2042],{},[30,2043,1997],{},[120,2045,2046,2049,2052],{},[37,2047,2048],{},"Authenticate (or verify) the identities of users, processes, or devices (3.5.2)",[37,2050,2051],{},"Use multifactor authentication for local and network access (3.5.3)",[37,2053,2054],{},"Employ replay-resistant authentication mechanisms (3.5.4)",[20,2056,2058],{"id":2057},"_36-incident-response-3-requirements","3.6 Incident Response (3 requirements)",[16,2060,2061],{},"Organizations must establish incident handling capabilities including preparation, detection, analysis, containment, recovery, and reporting. Incidents involving CUI must be reported to the DoD within 72 hours.",[20,2063,2065],{"id":2064},"_37-maintenance-6-requirements","3.7 Maintenance (6 requirements)",[16,2067,2068],{},"Covers system maintenance procedures, maintenance tools, and remote maintenance controls. Includes requirements for supervising maintenance personnel and sanitizing equipment removed for off-site maintenance.",[20,2070,2072],{"id":2071},"_38-media-protection-9-requirements","3.8 Media Protection (9 requirements)",[16,2074,2075],{},"Addresses protection of system media — both digital and physical — containing CUI. Includes marking, storage, transport, sanitization, and destruction requirements.",[20,2077,2079],{"id":2078},"_39-personnel-security-2-requirements","3.9 Personnel Security (2 requirements)",[16,2081,2082],{},"Requires screening individuals before granting access to systems containing CUI and ensuring CUI access is revoked when personnel are terminated or transferred.",[20,2084,2086],{"id":2085},"_310-physical-protection-6-requirements","3.10 Physical Protection (6 requirements)",[16,2088,2089],{},"Covers physical access controls to systems, equipment, and operating environments. 
Includes visitor management, monitoring, and protection of physical access devices.",[20,2091,2093],{"id":2092},"_311-risk-assessment-3-requirements","3.11 Risk Assessment (3 requirements)",[16,2095,2096],{},"Organizations must periodically assess risk to operations, assets, and individuals. Includes vulnerability scanning and remediation requirements.",[20,2098,2100],{"id":2099},"_312-security-assessment-4-requirements","3.12 Security Assessment (4 requirements)",[16,2102,2103],{},"Requires periodic assessment of security controls, monitoring for control effectiveness, and a plan of action for addressing deficiencies. This family directly supports the CMMC assessment process itself.",[20,2105,2107],{"id":2106},"_313-system-and-communications-protection-16-requirements","3.13 System and Communications Protection (16 requirements)",[16,2109,2110],{},"The second-largest family. Covers boundary protection, CUI confidentiality during transmission and at rest, network segmentation, and cryptographic protections. FIPS-validated encryption is required for CUI at rest and in transit.",[16,2112,2113],{},[30,2114,1997],{},[120,2116,2117,2120,2123],{},[37,2118,2119],{},"Implement FIPS-validated cryptography for CUI (3.13.11)",[37,2121,2122],{},"Prohibit remote activation of collaborative computing devices (3.13.12)",[37,2124,2125],{},"Control and monitor the use of mobile code (3.13.13)",[20,2127,2129],{"id":2128},"_314-system-and-information-integrity-7-requirements","3.14 System and Information Integrity (7 requirements)",[16,2131,2132],{},"Addresses flaw remediation, malicious code protection, security alerts, and system monitoring. 
Organizations must identify, report, and correct system flaws in a timely manner.",[11,2134,2136],{"id":2135},"cross-framework-overlap","Cross-framework overlap",[16,2138,2139],{},"Organizations pursuing CMMC Level 2 alongside other frameworks can reuse significant portions of their control implementation.",[20,2141,2143],{"id":2142},"cmmc-and-nist-csf","CMMC and NIST CSF",[16,2145,2146,2150],{},[376,2147,2149],{"href":2148},"\u002Fframeworks\u002Fnistcsf","NIST CSF"," provides a high-level risk management framework organized around six functions: Govern, Identify, Protect, Detect, Respond, and Recover. NIST SP 800-171 requirements map across these functions:",[1446,2152,2153,2163],{},[1449,2154,2155],{},[1452,2156,2157,2160],{},[1455,2158,2159],{},"NIST CSF function",[1455,2161,2162],{},"NIST SP 800-171 families",[1462,2164,2165,2173,2181,2189,2197,2205],{},[1452,2166,2167,2170],{},[1467,2168,2169],{},"Govern",[1467,2171,2172],{},"Security Assessment, Risk Assessment",[1452,2174,2175,2178],{},[1467,2176,2177],{},"Identify",[1467,2179,2180],{},"Risk Assessment, Configuration Management",[1452,2182,2183,2186],{},[1467,2184,2185],{},"Protect",[1467,2187,2188],{},"Access Control, Awareness and Training, Configuration Management, Identification and Authentication, Maintenance, Media Protection, Personnel Security, Physical Protection, System and Communications Protection",[1452,2190,2191,2194],{},[1467,2192,2193],{},"Detect",[1467,2195,2196],{},"Audit and Accountability, System and Information Integrity",[1452,2198,2199,2202],{},[1467,2200,2201],{},"Respond",[1467,2203,2204],{},"Incident Response",[1452,2206,2207,2210],{},[1467,2208,2209],{},"Recover",[1467,2211,2212],{},"Incident Response, System and Information Integrity",[16,2214,2215],{},"An organization with a mature NIST CSF implementation will have significant coverage toward CMMC Level 2, though the specific implementation details and evidence requirements 
differ.",[20,2217,2219],{"id":2218},"cmmc-and-iso-27001","CMMC and ISO 27001",[16,2221,2222,2226],{},[376,2223,2225],{"href":2224},"\u002Fframeworks\u002Fiso27001","ISO 27001"," Annex A controls overlap substantially with NIST SP 800-171 requirements. Key areas of overlap include access control, cryptography, operations security, communications security, and incident management. Organizations already ISO 27001 certified will find that many of their existing controls satisfy CMMC Level 2 practices — though CUI-specific handling requirements and DoD incident reporting obligations are unique to CMMC.",[20,2228,2230],{"id":2229},"cmmc-and-fedramp","CMMC and FedRAMP",[16,2232,2233],{},"Cloud service providers supporting DoD contracts often need both FedRAMP authorization and CMMC certification. FedRAMP is based on NIST SP 800-53, which is more comprehensive than NIST SP 800-171. A FedRAMP-authorized system at the Moderate baseline will satisfy the majority of CMMC Level 2 requirements, but organizations must still verify coverage and produce CMMC-specific documentation.",[11,2235,2237],{"id":2236},"nist-sp-800-171-rev-3","NIST SP 800-171 Rev 3",[16,2239,2240,2241,2244],{},"NIST published SP 800-171 Rev 3 in May 2024 with significant restructuring. However, ",[30,2242,2243],{},"CMMC 2.0 Level 2 currently maps to Rev 2",", not Rev 3. The DoD has indicated it will update CMMC to align with Rev 3 in a future rulemaking, but no timeline has been announced. Organizations should implement against Rev 2 for current CMMC compliance while monitoring for updates.",[11,2246,371],{"id":370},[16,2248,2249,2250,206,2252,2254,2255,2258],{},"episki maps every CMMC Level 2 practice to its NIST SP 800-171 Rev 2 source requirement with pre-written narratives and evidence templates. 
When you also pursue ",[376,2251,2149],{"href":2148},[376,2253,2225],{"href":2224},", the unified control graph highlights overlap automatically — one control satisfies multiple frameworks without duplicating documentation. As NIST SP 800-171 Rev 3 alignment is announced, episki will provide migration guidance showing what changes. ",[376,2256,381],{"href":378,"rel":2257},[380]," to see the full mapping.",{"title":384,"searchDepth":385,"depth":385,"links":2260},[2261,2262,2278,2283,2284],{"id":1967,"depth":385,"text":1968},{"id":1981,"depth":385,"text":1982,"children":2263},[2264,2265,2266,2267,2268,2269,2270,2271,2272,2273,2274,2275,2276,2277],{"id":1988,"depth":390,"text":1989},{"id":2014,"depth":390,"text":2015},{"id":2021,"depth":390,"text":2022},{"id":2028,"depth":390,"text":2029},{"id":2035,"depth":390,"text":2036},{"id":2057,"depth":390,"text":2058},{"id":2064,"depth":390,"text":2065},{"id":2071,"depth":390,"text":2072},{"id":2078,"depth":390,"text":2079},{"id":2085,"depth":390,"text":2086},{"id":2092,"depth":390,"text":2093},{"id":2099,"depth":390,"text":2100},{"id":2106,"depth":390,"text":2107},{"id":2128,"depth":390,"text":2129},{"id":2135,"depth":385,"text":2136,"children":2279},[2280,2281,2282],{"id":2142,"depth":390,"text":2143},{"id":2218,"depth":390,"text":2219},{"id":2229,"depth":390,"text":2230},{"id":2236,"depth":385,"text":2237},{"id":370,"depth":385,"text":371},"How CMMC Level 2 maps to NIST SP 800-171 Rev 2's 14 control families and 110 security requirements, plus overlap with NIST CSF and ISO 27001.",{},"\u002Fframeworks\u002Fcmmc\u002Fnist-800-171-mapping",[407,1953,2289],"nistcsf",[416,904,1233],{"title":2292,"description":2293},"CMMC to NIST SP 800-171 Mapping — Control Families and Overlap Guide","Complete mapping of CMMC Level 2 practices to NIST SP 800-171 Rev 2 control families. 
Understand cross-framework overlap with NIST CSF and ISO 27001.","5.frameworks\u002Fcmmc\u002Fnist-800-171-mapping","g6SHRIJZ5YlpzIpR_uCUJVULPl590tRWJnn6TS4V2sA",{"id":2297,"title":2298,"body":2299,"description":2576,"extension":405,"faq":2577,"frameworkSlug":407,"lastUpdated":408,"meta":2591,"navigation":410,"path":2592,"relatedTerms":2593,"relatedTopics":2594,"seo":2596,"stem":2599,"__hash__":2600},"frameworkTopics\u002F5.frameworks\u002Fcmmc\u002Fself-assessment-vs-third-party.md","CMMC Self-Assessment vs Third-Party (C3PAO)",{"type":8,"value":2300,"toc":2558},[2301,2305,2308,2312,2316,2319,2323,2326,2329,2333,2336,2340,2343,2381,2384,2388,2391,2394,2398,2401,2404,2446,2449,2453,2460,2467,2470,2474,2477,2502,2504,2507,2510,2512,2550,2552],[11,2302,2304],{"id":2303},"two-paths-to-cmmc-when-self-assessment-works-and-when-it-does-not","Two paths to CMMC: when self-assessment works and when it does not",[16,2306,2307],{},"CMMC 2.0 allows two assessment paths for most contractors: self-assessment performed internally, and third-party assessment performed by a CMMC Third-Party Assessment Organization (C3PAO). Choosing — or being assigned — the right path depends on your CMMC level and the sensitivity of the information your contract involves. This page explains when each path applies, what each costs, how long each takes, and the risks that come with each.",[11,2309,2311],{"id":2310},"when-self-assessment-is-sufficient","When self-assessment is sufficient",[20,2313,2315],{"id":2314},"cmmc-level-1-always-self-assessment","CMMC Level 1: always self-assessment",[16,2317,2318],{},"Level 1 is always a self-assessment. The 17 practices from FAR 52.204-21 are fundamental cyber hygiene — things like limiting system access to authorized users, sanitizing media before disposal, and using malware protection. The DoD decided these controls are straightforward enough to verify internally. 
Organizations handling only Federal Contract Information (FCI) — the broad category of contract-related information that is not intended for public release — stay at Level 1 and self-assess annually.",[20,2320,2322],{"id":2321},"cmmc-level-2-self-assessment-for-less-sensitive-cui","CMMC Level 2: self-assessment for less sensitive CUI",[16,2324,2325],{},"Level 2 splits. Contracts involving less sensitive Controlled Unclassified Information (CUI) accept self-assessment. Contracts involving more sensitive CUI, critical programs, or certain categories of controlled technical information require third-party certification. The split is intentional: self-assessment keeps costs down for the long tail of defense suppliers, while third-party certification provides verified assurance where the stakes are highest.",[16,2327,2328],{},"The contracting officer tells you which path applies by pointing at DFARS 252.204-7021 and specifying the required level and assessment type in the solicitation. The decision is not yours to make.",[20,2330,2332],{"id":2331},"cmmc-level-3-never-self-assessment","CMMC Level 3: never self-assessment",[16,2334,2335],{},"Level 3 is government-led, conducted by the Defense Contract Management Agency's DIBCAC assessors. Level 3 requires a valid Level 2 C3PAO certification as a prerequisite. There is no self-assessment path at Level 3.",[11,2337,2339],{"id":2338},"the-self-assessment-path-what-it-actually-entails","The self-assessment path: what it actually entails",[16,2341,2342],{},"Self-assessment is cheaper and faster than a C3PAO engagement, but it is not the low-effort option some contractors hope for. 
A credible self-assessment involves:",[34,2344,2345,2351,2357,2363,2369,2375],{},[37,2346,2347,2350],{},[30,2348,2349],{},"Scoping the environment"," — defining which systems, people, and processes handle FCI (Level 1) or CUI (Level 2) and therefore fall within the assessment boundary.",[37,2352,2353,2356],{},[30,2354,2355],{},"Documenting the System Security Plan (SSP)"," — a narrative description of how each required practice or NIST SP 800-171 requirement is implemented.",[37,2358,2359,2362],{},[30,2360,2361],{},"Collecting evidence"," — screenshots, configurations, policies, logs, and other artifacts supporting each requirement.",[37,2364,2365,2368],{},[30,2366,2367],{},"Scoring against the DoD Assessment Methodology"," — starting at 110 for Level 2 and subtracting 1, 3, or 5 points for each unmet objective.",[37,2370,2371,2374],{},[30,2372,2373],{},"Submitting to SPRS"," — entering the score in the Supplier Performance Risk System.",[37,2376,2377,2380],{},[30,2378,2379],{},"Affirming annually"," — a senior official signs an annual affirmation of continued compliance.",[16,2382,2383],{},"The DoD expects self-assessments to be conducted with the same rigor as a third-party assessment. It reserves the right to audit SPRS submissions and has already pursued False Claims Act cases against contractors who submitted inflated scores.",[20,2385,2387],{"id":2386},"self-assessment-cost-and-timeline","Self-assessment cost and timeline",[16,2389,2390],{},"The direct cost of a self-assessment is staff time. Organizations new to NIST SP 800-171 typically need 6 to 18 months to stand up controls, document them, and produce defensible evidence. Organizations already operating against NIST SP 800-171 can usually complete a self-assessment in 4 to 8 weeks once the control set is in place.",[16,2392,2393],{},"External consulting help is common. 
Expect $15,000 to $50,000 for a consultant-supported Level 2 self-assessment project, including SSP drafting, gap analysis, and evidence organization. Large environments with complex scope can run higher.",[11,2395,2397],{"id":2396},"the-c3pao-path-what-it-actually-entails","The C3PAO path: what it actually entails",[16,2399,2400],{},"A C3PAO assessment is a formal third-party engagement. Assessors from a Cyber AB-accredited C3PAO evaluate your organization against the same NIST SP 800-171 objectives a self-assessment uses, but with an independent, documented, and externally defensible methodology.",[16,2402,2403],{},"A typical C3PAO engagement runs:",[34,2405,2406,2412,2418,2423,2429,2435,2440],{},[37,2407,2408,2411],{},[30,2409,2410],{},"C3PAO selection"," — choose from the published list of accredited C3PAOs. Look at their experience with organizations your size, their assessor availability, and their readiness review services.",[37,2413,2414,2417],{},[30,2415,2416],{},"Contracting and scoping"," — the C3PAO defines the scope of the assessment, the timeline, and the logistics.",[37,2419,2420,2422],{},[30,2421,93],{}," (optional but common) — a formal mock assessment that identifies gaps before the real assessment begins. 
This is typically a separate engagement.",[37,2424,2425,2428],{},[30,2426,2427],{},"Evidence collection and document review"," — two to four weeks of the C3PAO reviewing your SSP, policies, procedures, and evidence artifacts.",[37,2430,2431,2434],{},[30,2432,2433],{},"Assessment execution"," — one to three weeks of on-site or virtual assessor work including interviews, observations, and control testing.",[37,2436,2437,2439],{},[30,2438,117],{}," — the C3PAO scores each of the 110 objectives and issues one of three results: Met (full certification), Conditional (score of 88+ with a POA&M and 180-day remediation window), or Not Met (below 88, no certification).",[37,2441,2442,2445],{},[30,2443,2444],{},"Close-out"," (if Conditional) — once the POA&M items are closed within 180 days, a close-out assessment converts the Conditional into full certification.",[16,2447,2448],{},"Certification from a C3PAO is valid for three years, with annual affirmations required each year between full assessments.",[20,2450,2452],{"id":2451},"c3pao-cost-and-timeline","C3PAO cost and timeline",[16,2454,2455,2456,2459],{},"A Level 2 C3PAO assessment typically costs ",[30,2457,2458],{},"$50,000 to $150,000",", with larger or distributed environments running well above that range. The cost is driven primarily by assessor time, which scales with scope. A single-site small business with a tightly bounded CUI enclave can come in under $50,000; a multi-site defense prime can pay several hundred thousand.",[16,2461,2462,2463,2466],{},"On timeline: plan for ",[30,2464,2465],{},"9 to 12 months"," from the decision to engage a C3PAO to a certification in hand. That accounts for readiness work, scheduling (C3PAO assessors are in high demand as enforcement ramps), the assessment itself, and any POA&M remediation.",[16,2468,2469],{},"Readiness reviews are a separate cost — typically $20,000 to $75,000 — and are strongly recommended. 
Going into a formal C3PAO assessment without a readiness review often means learning about gaps the expensive way.",[11,2471,2473],{"id":2472},"how-to-decide","How to decide",[16,2475,2476],{},"For most organizations, there is no decision to make — the contracting officer tells you which path applies. But where you do have latitude (for example, when you are preparing in advance of a contract being awarded), consider:",[120,2478,2479,2485,2491,2496],{},[37,2480,2481,2484],{},[30,2482,2483],{},"Contract eligibility."," If you want to be competitive on contracts that require C3PAO certification, you need C3PAO certification. A self-assessment does not let you bid on those contracts.",[37,2486,2487,2490],{},[30,2488,2489],{},"Customer expectations."," Some primes require their subcontractors to hold C3PAO certification even when the prime itself could self-assess, because they want independent verification across their supply chain.",[37,2492,2493,2495],{},[30,2494,1097],{}," Self-assessments are government representations. Organizations that are uncertain about their NIST SP 800-171 posture may prefer the defensibility of a third-party assessment.",[37,2497,2498,2501],{},[30,2499,2500],{},"Budget and timeline."," Self-assessment is cheaper and faster. For organizations where a Level 2 self-assessment is genuinely acceptable, it is the rational choice.",[11,2503,792],{"id":791},[16,2505,2506],{},"The self-assessment vs C3PAO decision shapes everything downstream: your budget, your hiring plan, your vendor selection (C3PAOs, readiness consultants, tooling), your evidence rigor, and your internal audit cadence. Organizations that assume \"we'll just self-assess\" and then discover a key contract requires C3PAO certification are typically 9 to 18 months away from being bid-eligible on that contract. 
That timeline is rarely recoverable in a tight competition.",[16,2508,2509],{},"The defensive move is to run your program as if C3PAO certification is coming, even if you start on the self-assessment path. Your evidence quality, SSP rigor, and POA&M hygiene will all be better — and if the path changes, you are ready.",[11,2511,802],{"id":801},[120,2513,2514,2520,2526,2532,2538,2544],{},[37,2515,2516,2519],{},[30,2517,2518],{},"Treating self-assessment as a lighter bar."," The assessment methodology is identical. Self-assessment is cheaper because you skip the C3PAO fees, not because the work is smaller.",[37,2521,2522,2525],{},[30,2523,2524],{},"Inflating the SPRS score."," Every over-scored objective is a potential False Claims Act exposure. Conservative scoring is the safe posture.",[37,2527,2528,2531],{},[30,2529,2530],{},"Waiting to engage a C3PAO."," Assessor availability is the constraint. Organizations that wait until a contract requires certification typically cannot schedule in time.",[37,2533,2534,2537],{},[30,2535,2536],{},"Skipping the readiness review."," A formal readiness review surfaces problems when you can still fix them cheaply. A failed C3PAO assessment is a much more expensive way to find the same gaps.",[37,2539,2540,2543],{},[30,2541,2542],{},"Ignoring the 180-day POA&M window."," Conditional certifications revoke automatically if POA&M items are not closed. Track closures like a deadline because that is what they are.",[37,2545,2546,2549],{},[30,2547,2548],{},"Forgetting the annual affirmation."," Between C3PAO assessments, a senior official must affirm continued compliance each year. Missing an affirmation lapses your certification.",[11,2551,371],{"id":370},[16,2553,2554,2555,1928],{},"episki supports both CMMC assessment paths. For self-assessments, the platform drafts your SSP, tracks your SPRS score in real time, and produces the evidence package a DoD audit would expect. 
For C3PAO engagements, episki provides a scoped assessor portal — your C3PAO gets read-only access organized by assessment objective, which cuts assessor billable hours substantially. POA&M items are tracked with 180-day countdowns and owners so conditional certifications do not lapse. ",[376,2556,381],{"href":378,"rel":2557},[380],{"title":384,"searchDepth":385,"depth":385,"links":2559},[2560,2561,2566,2569,2572,2573,2574,2575],{"id":2303,"depth":385,"text":2304},{"id":2310,"depth":385,"text":2311,"children":2562},[2563,2564,2565],{"id":2314,"depth":390,"text":2315},{"id":2321,"depth":390,"text":2322},{"id":2331,"depth":390,"text":2332},{"id":2338,"depth":385,"text":2339,"children":2567},[2568],{"id":2386,"depth":390,"text":2387},{"id":2396,"depth":385,"text":2397,"children":2570},[2571],{"id":2451,"depth":390,"text":2452},{"id":2472,"depth":385,"text":2473},{"id":791,"depth":385,"text":792},{"id":801,"depth":385,"text":802},{"id":370,"depth":385,"text":371},"When CMMC Level 1 or Level 2 self-assessment is acceptable vs when a C3PAO third-party assessment is required, including costs, timelines, and False Claims Act exposure.",{"items":2578},[2579,2582,2585,2588],{"label":2580,"content":2581},"Is CMMC Level 2 self-assessment always an option?","No. Level 2 splits into two paths based on the sensitivity of the CUI involved in the contract. Less sensitive CUI can be verified via self-assessment. More sensitive CUI and most critical programs require C3PAO third-party certification. The contracting officer specifies which path applies in the solicitation.",{"label":2583,"content":2584},"How long does a C3PAO assessment take?","Expect two to six months of preparation plus the assessment itself, which is typically a two- to four-week engagement. 
Most organizations start engaging a C3PAO nine to twelve months before they need a certification in hand.",{"label":2586,"content":2587},"What does a C3PAO assessment cost?","CMMC Level 2 C3PAO assessments typically run $50,000 to $150,000 or more depending on scope, the number of sites, and the complexity of the environment. Small organizations with a tightly scoped CUI boundary fall at the low end; larger organizations with distributed environments pay significantly more.",{"label":2589,"content":2590},"What is the False Claims Act risk of self-assessment?","A self-assessment submitted to SPRS is a representation to the government. If the score is materially inaccurate, the organization and its officers face False Claims Act liability. Several defense contractors have settled FCA claims specifically tied to misrepresented NIST SP 800-171 scores — with settlements ranging from hundreds of thousands to tens of millions of dollars.",{},"\u002Fframeworks\u002Fcmmc\u002Fself-assessment-vs-third-party",[899,414,413],[904,416,2595,1235],"dfars-relationship",{"title":2597,"description":2598},"CMMC Self-Assessment vs C3PAO: When to Do Which, Costs & Timeline","Deciding between CMMC self-assessment and C3PAO third-party certification. 
Level 1 and Level 2 paths compared with realistic costs, timeline expectations, and FCA risk.","5.frameworks\u002Fcmmc\u002Fself-assessment-vs-third-party","VYYrIKbdgMK3-DnN-xxyvUJdV5WICVSFnaDuSdsoe0I",{"id":2602,"title":2603,"body":2604,"description":2899,"extension":405,"faq":2900,"frameworkSlug":407,"lastUpdated":408,"meta":2914,"navigation":410,"path":2915,"relatedTerms":2916,"relatedTopics":2919,"seo":2920,"stem":2923,"__hash__":2924},"frameworkTopics\u002F5.frameworks\u002Fcmmc\u002Fsubcontractor-requirements.md","CMMC Subcontractor Requirements",{"type":8,"value":2605,"toc":2884},[2606,2610,2613,2616,2620,2623,2634,2637,2641,2644,2648,2651,2655,2658,2696,2699,2703,2706,2738,2742,2745,2765,2769,2772,2804,2807,2809,2812,2832,2835,2837,2875,2877],[11,2607,2609],{"id":2608},"cmmc-flow-down-the-one-rule-every-prime-must-internalize","CMMC flow-down: the one rule every prime must internalize",[16,2611,2612],{},"If you are a prime contractor holding a DoD contract that requires CMMC, the certification is not a you problem — it is a supply chain problem. The moment you share Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) with a subcontractor, your subcontractor inherits the same CMMC-driven obligations you carry. That is flow-down, and it is the operational cornerstone of the entire CMMC program.",[16,2614,2615],{},"Flow-down is not new to defense contracting. DFARS 252.204-7012 has required flow-down of safeguarding obligations since 2017. What CMMC adds is the verification step: before you share covered information with a subcontractor, you must confirm the subcontractor holds the CMMC level the data demands. This page walks through how that works in practice and where it goes wrong.",[11,2617,2619],{"id":2618},"how-cmmc-flow-down-works","How CMMC flow-down works",[16,2621,2622],{},"The CMMC flow-down model is straightforward in principle. 
Every time a contractor shares FCI or CUI with another organization, three things must be true:",[34,2624,2625,2628,2631],{},[37,2626,2627],{},"The receiving organization must hold a CMMC certification at the appropriate level for the information being shared.",[37,2629,2630],{},"The receiving organization's certification must be current and visible in the Supplier Performance Risk System (SPRS).",[37,2632,2633],{},"The flow-down obligation cascades — if the receiving organization then shares covered information with another tier, they face the same verification duty.",[16,2635,2636],{},"This last point is what gives CMMC its depth. A prime may have ten direct subcontractors, but each of those subcontractors may have their own subs. If CUI is flowing through the chain, every layer needs certification. The DoD's economic analysis assumed this reach when estimating that roughly 80,000 organizations would pursue CMMC Level 2.",[20,2638,2640],{"id":2639},"the-level-is-set-by-the-data-not-the-contract","The level is set by the data, not the contract",[16,2642,2643],{},"A common misconception is that every subcontractor on a Level 2 contract needs Level 2 certification. That is only true for subcontractors that actually handle CUI. If a prime subcontracts a janitorial services company that will never see CUI, no certification is required. If the prime shares only FCI (not CUI) with a small parts vendor, the parts vendor only needs Level 1. The CMMC level is determined by the sensitivity of the information flowed to the subcontractor, not by the prime's own level.",[20,2645,2647],{"id":2646},"the-assessment-type-is-set-by-the-level-not-the-tier","The assessment type is set by the level, not the tier",[16,2649,2650],{},"Likewise, tier depth does not change assessment rigor. A tier-three subcontractor that handles sensitive CUI on a contract requiring Level 2 C3PAO certification needs Level 2 C3PAO certification — the same as the prime. 
Being further down the chain does not unlock a lighter assessment.",[11,2652,2654],{"id":2653},"prime-contractor-responsibilities","Prime contractor responsibilities",[16,2656,2657],{},"The prime carries most of the operational burden in CMMC flow-down. At a minimum, a prime must:",[120,2659,2660,2666,2672,2678,2684,2690],{},[37,2661,2662,2665],{},[30,2663,2664],{},"Include CMMC clauses in every subcontract that touches covered information."," The subcontract should pass through DFARS 252.204-7012, -7019, -7020, and -7021 where applicable, and should specify the CMMC level the subcontractor must hold.",[37,2667,2668,2671],{},[30,2669,2670],{},"Minimize the CUI footprint."," Only share CUI with subcontractors that genuinely need it. Every additional subcontractor with CUI access is another CMMC certification to verify and monitor.",[37,2673,2674,2677],{},[30,2675,2676],{},"Verify CMMC status before sharing covered information."," Check SPRS. Do not rely on a subcontractor's word or a dated certificate PDF.",[37,2679,2680,2683],{},[30,2681,2682],{},"Track certification expirations."," CMMC certifications expire after three years (with annual affirmations in between). A certification current at contract award may lapse mid-contract.",[37,2685,2686,2689],{},[30,2687,2688],{},"Document the flow-down decisions."," If you choose not to flow CMMC down to a particular subcontractor because they will not see covered information, document that decision. If the DoD ever audits the flow-down, you want a paper trail.",[37,2691,2692,2695],{},[30,2693,2694],{},"Respond to supply chain risk."," If a subcontractor loses certification, is breached, or fails an annual affirmation, the prime needs a plan. That may mean substituting suppliers or isolating the at-risk subcontractor from CUI flows.",[16,2697,2698],{},"Most primes centralize these duties in a supply chain security function or a joint responsibility between procurement and GRC. 
Automation helps — tracking certification status across dozens or hundreds of subcontractors is not a spreadsheet-friendly exercise.",[11,2700,2702],{"id":2701},"subcontractor-responsibilities","Subcontractor responsibilities",[16,2704,2705],{},"If you are the subcontractor, the obligations are symmetrical:",[120,2707,2708,2714,2720,2726,2732],{},[37,2709,2710,2713],{},[30,2711,2712],{},"Understand which contract clauses apply to you."," Ask the prime for the flow-down language explicitly. Assume DFARS 252.204-7012 at minimum; the other clauses depend on the data you will see.",[37,2715,2716,2719],{},[30,2717,2718],{},"Identify the CMMC level you need."," Based on whether you will see FCI, less-sensitive CUI, or more-sensitive CUI, determine whether Level 1, Level 2 self-assessment, or Level 2 C3PAO applies.",[37,2721,2722,2725],{},[30,2723,2724],{},"Keep your SPRS entry current."," This is how the prime will verify you. A stale SPRS score is a flow-down failure even if your posture is strong.",[37,2727,2728,2731],{},[30,2729,2730],{},"Flow-down further if you engage your own subs."," If you sub-subcontract CUI work, you become the \"prime\" for your own flow-down obligations.",[37,2733,2734,2737],{},[30,2735,2736],{},"Report incidents upstream."," DFARS 252.204-7012 requires rapid (72-hour) incident reporting to the DoD. In practice, most primes require subcontractors to notify them first so the prime can coordinate.",[20,2739,2741],{"id":2740},"cmmc-for-small-subcontractors","CMMC for small subcontractors",[16,2743,2744],{},"Small businesses are the group most strained by CMMC flow-down. Many small suppliers do not have dedicated security staff, have never submitted an SPRS score, and lack the budget for a C3PAO assessment. There are a few practical levers:",[120,2746,2747,2753,2759],{},[37,2748,2749,2752],{},[30,2750,2751],{},"Reduce scope."," If the small subcontractor can do their work without touching CUI, structure the engagement that way. 
Send redacted drawings. Use an enclave.",[37,2754,2755,2758],{},[30,2756,2757],{},"Pursue Level 1 only."," Many small suppliers can limit their exposure to FCI only, which keeps them at Level 1 (self-assessment) and sidesteps Level 2 entirely.",[37,2760,2761,2764],{},[30,2762,2763],{},"Share infrastructure."," Some primes offer subcontractors access to a CUI enclave — a shared, pre-certified environment where the subcontractor can do CUI work without hosting CUI on their own systems. This transfers much of the certification burden to the enclave operator.",[11,2766,2768],{"id":2767},"tier-based-assessment-in-practice","Tier-based assessment in practice",[16,2770,2771],{},"Tiered CMMC flow-down looks simple on a diagram and complicated in reality. Consider a typical example:",[120,2773,2774,2780,2786,2792,2798],{},[37,2775,2776,2779],{},[30,2777,2778],{},"Prime:"," Large defense integrator holding a Level 2 C3PAO contract. Certified at Level 2 C3PAO.",[37,2781,2782,2785],{},[30,2783,2784],{},"Tier-1 sub:"," Engineering firm designing a subsystem. Receives CUI (drawings, specifications). Needs Level 2 C3PAO.",[37,2787,2788,2791],{},[30,2789,2790],{},"Tier-2 sub:"," Machine shop fabricating parts from the drawings. Receives CUI (drawings only). Needs Level 2 — possibly self-assessment if the contract allows.",[37,2793,2794,2797],{},[30,2795,2796],{},"Tier-2 sub (separate):"," Tooling vendor providing fixtures. Receives FCI (basic contract info) but no CUI. Needs Level 1.",[37,2799,2800,2803],{},[30,2801,2802],{},"Tier-3 sub:"," Heat treatment service used by the machine shop. Receives no covered information (parts only, no drawings). No CMMC required.",[16,2805,2806],{},"The prime does not verify the tier-3 heat treater directly — that is the tier-2 machine shop's flow-down duty. 
But the prime is still exposed if any link in the chain mishandles covered information, which is why supply chain visibility is a board-level concern for large defense integrators.",[11,2808,792],{"id":791},[16,2810,2811],{},"Subcontractor flow-down is not a one-time project. It lives in three operational rhythms:",[120,2813,2814,2820,2826],{},[37,2815,2816,2819],{},[30,2817,2818],{},"Pre-award."," Every new subcontract that might involve covered information needs a CMMC flow-down decision before the contract is signed. Do not award first and reconcile later.",[37,2821,2822,2825],{},[30,2823,2824],{},"In-flight."," Certifications expire. Subcontractors merge, spin off divisions, or lose key personnel. Your flow-down register needs to live alongside your broader third-party risk program.",[37,2827,2828,2831],{},[30,2829,2830],{},"At renewal."," Contract option years and recompetes are the moment to re-verify every supplier's CMMC status and close any drift.",[16,2833,2834],{},"Organizations that already run a mature vendor risk management program have a head start — CMMC flow-down is a specialization of the same discipline. Organizations without that foundation will need to stand one up.",[11,2836,802],{"id":801},[120,2838,2839,2845,2851,2857,2863,2869],{},[37,2840,2841,2844],{},[30,2842,2843],{},"Assuming certification status is static."," A subcontractor that was Level 2 certified last year may not be today. Check SPRS on a recurring schedule.",[37,2846,2847,2850],{},[30,2848,2849],{},"Over-sharing CUI."," Primes sometimes flow CUI to subcontractors who do not need it \"just in case.\" Every unnecessary share creates a new CMMC obligation to track.",[37,2852,2853,2856],{},[30,2854,2855],{},"Forgetting the CMMC clauses at subcontract modification."," When an existing subcontract is modified to add scope involving CUI, the CMMC clauses must be added too. 
A modification is the easiest place for flow-down to be missed.",[37,2858,2859,2862],{},[30,2860,2861],{},"Relying on certificates instead of SPRS."," PDF certificates can be doctored or stale. SPRS is the authoritative source.",[37,2864,2865,2868],{},[30,2866,2867],{},"Treating COTS vendors as subcontractors."," Commercial off-the-shelf product providers are explicitly excluded from CMMC. Do not burn effort chasing certifications that are not required.",[37,2870,2871,2874],{},[30,2872,2873],{},"Ignoring cloud service providers."," The cloud providers hosting your CUI are inside your CMMC boundary. They need their own FedRAMP authorization or CMMC certification at the appropriate level.",[11,2876,371],{"id":370},[16,2878,2879,2880,2883],{},"episki maintains a subcontractor flow-down register inside your CMMC workspace. Each supplier is tracked with their required CMMC level, current SPRS score, certification expiration, and the specific subcontracts where CUI flows. When a certification is expiring or a score drifts, episki alerts you before it affects an active contract. For primes running dozens or hundreds of subcontractor relationships, this turns CMMC flow-down from a spreadsheet problem into a managed program. 
",[376,2881,381],{"href":378,"rel":2882},[380]," to map your flow-down obligations.",{"title":384,"searchDepth":385,"depth":385,"links":2885},[2886,2887,2891,2892,2895,2896,2897,2898],{"id":2608,"depth":385,"text":2609},{"id":2618,"depth":385,"text":2619,"children":2888},[2889,2890],{"id":2639,"depth":390,"text":2640},{"id":2646,"depth":390,"text":2647},{"id":2653,"depth":385,"text":2654},{"id":2701,"depth":385,"text":2702,"children":2893},[2894],{"id":2740,"depth":390,"text":2741},{"id":2767,"depth":385,"text":2768},{"id":791,"depth":385,"text":792},{"id":801,"depth":385,"text":802},{"id":370,"depth":385,"text":371},"How CMMC flow-down works — what primes must require of subcontractors, how tiered certification applies, SPRS verification, and common flow-down mistakes.",{"items":2901},[2902,2905,2908,2911],{"label":2903,"content":2904},"Do all subcontractors need CMMC certification?","Only subcontractors that process, store, or transmit FCI or CUI as part of their subcontract need CMMC certification. Subcontractors that provide commercial off-the-shelf products or perform work that never touches covered information are excluded.",{"label":2906,"content":2907},"Does a subcontractor need the same CMMC level as the prime?","Not necessarily. The subcontractor needs the CMMC level that corresponds to the information the prime flows down to them. A prime at Level 2 can share only FCI with a subcontractor, which means that subcontractor only needs Level 1. The level is tied to the data shared, not the prime's certification.",{"label":2909,"content":2910},"Who is responsible for verifying subcontractor CMMC status?","The prime contractor — or any higher-tier contractor flowing information down — is responsible for verifying that the receiving subcontractor holds the required CMMC level before sharing FCI or CUI. 
Verification is done through SPRS, which displays current assessment scores and certification status.",{"label":2912,"content":2913},"Can a prime flow down more than one CMMC clause?","Yes. DFARS 252.204-7012 (safeguarding), 252.204-7019 and -7020 (SPRS scoring), and 252.204-7021 (CMMC certification) all flow down when covered information is shared. Primes typically include the full set in their subcontracts so the subcontractor inherits the same framework of obligations.",{},"\u002Fframeworks\u002Fcmmc\u002Fsubcontractor-requirements",[899,2917,2918],"third-party-risk","vendor-risk-management",[418,416,2595,1234],{"title":2921,"description":2922},"CMMC Subcontractor Requirements: Flow-Down Rules and Prime Obligations","CMMC flow-down explained. What prime contractors must require of subcontractors, tier-based CMMC certification, SPRS verification, and practical guidance for supply chain compliance.","5.frameworks\u002Fcmmc\u002Fsubcontractor-requirements","Xyw8pJB_I5UgbqnvZPaHAi8jHkMjkr20WBPhy9V9BX0",{"id":2926,"title":2927,"body":2928,"description":3197,"extension":405,"faq":406,"frameworkSlug":407,"lastUpdated":408,"meta":3198,"navigation":410,"path":3199,"relatedTerms":3200,"relatedTopics":3202,"seo":3203,"stem":3206,"__hash__":3207},"frameworkTopics\u002F5.frameworks\u002Fcmmc\u002Fwho-needs-cmmc.md","Who Needs CMMC",{"type":8,"value":2929,"toc":3177},[2930,2934,2942,2945,2949,2953,2956,2960,2963,2969,2973,2976,2980,2983,2987,2990,2994,2997,2999,3002,3006,3019,3025,3027,3030,3049,3054,3058,3061,3087,3091,3094,3114,3118,3121,3141,3145,3148,3168,3170],[11,2931,2933],{"id":2932},"who-is-required-to-get-cmmc-certified","Who is required to get CMMC certified?",[16,2935,2936,2937,206,2939,2941],{},"Any organization that processes, stores, or transmits ",[30,2938,449],{},[30,2940,481],{}," as part of a Department of Defense contract or subcontract will need CMMC certification. 
The required level depends on the type of information handled.",[16,2943,2944],{},"This is not limited to large defense primes. The requirement flows down through the entire supply chain, reaching small and mid-size businesses that may be several tiers removed from the DoD.",[11,2946,2948],{"id":2947},"organizations-that-need-cmmc","Organizations that need CMMC",[20,2950,2952],{"id":2951},"prime-contractors","Prime contractors",[16,2954,2955],{},"Organizations that contract directly with the DoD are the most obvious candidates. If your contract involves handling FCI or CUI — which the vast majority of DoD contracts do — you will need CMMC certification at the level specified in the solicitation.",[20,2957,2959],{"id":2958},"subcontractors-all-tiers","Subcontractors (all tiers)",[16,2961,2962],{},"CMMC requirements flow down to subcontractors at every tier. If a prime contractor shares FCI or CUI with a subcontractor, that subcontractor must hold the appropriate CMMC certification. This flow-down continues through every layer of the supply chain.",[16,2964,2965,2968],{},[30,2966,2967],{},"Example:"," A DoD contract requires Level 2 certification. The prime contractor engages a subcontractor to build a software component and shares CUI design specifications. That subcontractor must also achieve Level 2. If the subcontractor further subcontracts work and shares CUI, the next-tier sub must also be certified.",[20,2970,2972],{"id":2971},"cloud-service-providers","Cloud service providers",[16,2974,2975],{},"Cloud service providers (CSPs) that host, process, or store FCI or CUI for DoD contractors need CMMC certification at the level corresponding to the information they handle. 
CSPs supporting CUI workloads typically need to be FedRAMP authorized at the Moderate baseline or higher, which provides significant overlap with CMMC Level 2 requirements.",[20,2977,2979],{"id":2978},"managed-service-providers-and-it-vendors","Managed service providers and IT vendors",[16,2981,2982],{},"Organizations providing managed IT services, managed security services, or IT infrastructure to defense contractors may need CMMC certification if they have access to FCI or CUI through their service delivery. This includes managed SOC providers, helpdesk services with access to contractor systems, and backup or disaster recovery providers handling contractor data.",[20,2984,2986],{"id":2985},"foreign-suppliers","Foreign suppliers",[16,2988,2989],{},"CMMC applies to foreign organizations in the defense supply chain that handle FCI or CUI. However, the Cyber AB is working to establish mutual recognition agreements and international assessment frameworks. Foreign suppliers should monitor Cyber AB guidance for their specific country and engage early with their prime contractor to understand requirements.",[11,2991,2993],{"id":2992},"understanding-fci-and-cui","Understanding FCI and CUI",[16,2995,2996],{},"The distinction between FCI and CUI determines your minimum CMMC level.",[20,2998,449],{"id":448},[16,3000,3001],{},"FCI is information that is provided by or generated for the government under a contract to develop or deliver a product or service. 
It does not include information provided by the government to the public or simple transactional information (like contract award data).",[16,3003,3004],{},[30,3005,457],{},[120,3007,3008,3011,3014,3016],{},[37,3009,3010],{},"Contract specifications and requirements documents",[37,3012,3013],{},"Technical drawings shared by the government for manufacturing",[37,3015,465],{},[37,3017,3018],{},"Internal communications about contract deliverables",[16,3020,3021,3024],{},[30,3022,3023],{},"Minimum CMMC level:"," Level 1 (17 practices, self-assessment)",[20,3026,481],{"id":480},[16,3028,3029],{},"CUI is information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. It is more sensitive than FCI but not classified. CUI categories relevant to defense include:",[120,3031,3032,3034,3037,3040,3043,3046],{},[37,3033,500],{},[37,3035,3036],{},"Export-controlled information (ITAR, EAR)",[37,3038,3039],{},"Critical infrastructure security information",[37,3041,3042],{},"Naval nuclear propulsion information",[37,3044,3045],{},"Operations security information",[37,3047,3048],{},"Personnel security information",[16,3050,3051,3053],{},[30,3052,3023],{}," Level 2 (110 practices, self-assessment or C3PAO depending on sensitivity)",[20,3055,3057],{"id":3056},"how-to-identify-cui-in-your-environment","How to identify CUI in your environment",[16,3059,3060],{},"CUI should be marked by the originator with CUI markings per 32 CFR Part 2002. In practice, marking is inconsistent. 
To identify CUI in your environment:",[34,3062,3063,3069,3075,3081],{},[37,3064,3065,3068],{},[30,3066,3067],{},"Review your contract"," — look for DFARS clause 252.204-7012 (Safeguarding Covered Defense Information), which indicates CUI is present",[37,3070,3071,3074],{},[30,3072,3073],{},"Check data received from the DoD"," — look for CUI markings, export control notices, or distribution limitation statements",[37,3076,3077,3080],{},[30,3078,3079],{},"Ask your contracting officer"," — if you are unsure whether information qualifies as CUI, request clarification",[37,3082,3083,3086],{},[30,3084,3085],{},"Err on the side of caution"," — treat ambiguous information as CUI until confirmed otherwise",[11,3088,3090],{"id":3089},"flow-down-requirements","Flow-down requirements",[16,3092,3093],{},"Flow-down is one of the most operationally complex aspects of CMMC. When a prime contractor (or any tier) shares FCI or CUI with a subcontractor, they must:",[34,3095,3096,3102,3108],{},[37,3097,3098,3101],{},[30,3099,3100],{},"Include CMMC requirements in the subcontract"," — the subcontract must specify the required CMMC level",[37,3103,3104,3107],{},[30,3105,3106],{},"Verify subcontractor certification"," — before sharing FCI or CUI, confirm the subcontractor holds a valid CMMC certification at the required level via SPRS",[37,3109,3110,3113],{},[30,3111,3112],{},"Monitor ongoing compliance"," — subcontractor certifications expire and must be renewed. 
Primes should track subcontractor certification status",[20,3115,3117],{"id":3116},"reducing-flow-down-burden","Reducing flow-down burden",[16,3119,3120],{},"Organizations can limit the number of subcontractors that need CMMC certification by:",[120,3122,3123,3129,3135],{},[37,3124,3125,3128],{},[30,3126,3127],{},"Minimizing CUI sharing"," — only share CUI with subcontractors that genuinely need it for their work",[37,3130,3131,3134],{},[30,3132,3133],{},"Using secure enclaves"," — provide subcontractors access to CUI through controlled environments rather than transferring data to their systems",[37,3136,3137,3140],{},[30,3138,3139],{},"Consolidating suppliers"," — fewer suppliers with CUI access means fewer CMMC certifications to track",[11,3142,3144],{"id":3143},"who-does-not-need-cmmc","Who does NOT need CMMC?",[16,3146,3147],{},"CMMC is not required for:",[120,3149,3150,3156,3162],{},[37,3151,3152,3155],{},[30,3153,3154],{},"Commercially available off-the-shelf (COTS) suppliers"," — organizations that only provide COTS products are explicitly excluded from CMMC requirements",[37,3157,3158,3161],{},[30,3159,3160],{},"Contracts that do not involve FCI or CUI"," — purely public information or non-sensitive contract work does not trigger CMMC",[37,3163,3164,3167],{},[30,3165,3166],{},"Non-DoD federal contracts"," — CMMC is a DoD program. Other federal agencies have their own cybersecurity requirements (though some are considering adopting CMMC-like models)",[11,3169,371],{"id":370},[16,3171,3172,3173,3176],{},"episki simplifies CMMC scoping by helping you identify where FCI and CUI flow through your environment and which systems fall within your assessment boundary. The subcontractor flow-down tracker monitors certification status across your supply chain and alerts you when a subcontractor's certification is expiring. For organizations at multiple supply chain tiers, episki maintains separate scoping views for each contract while reusing shared controls. 
",[376,3174,381],{"href":378,"rel":3175},[380]," to map your CMMC scope.",{"title":384,"searchDepth":385,"depth":385,"links":3178},[3179,3180,3187,3192,3195,3196],{"id":2932,"depth":385,"text":2933},{"id":2947,"depth":385,"text":2948,"children":3181},[3182,3183,3184,3185,3186],{"id":2951,"depth":390,"text":2952},{"id":2958,"depth":390,"text":2959},{"id":2971,"depth":390,"text":2972},{"id":2978,"depth":390,"text":2979},{"id":2985,"depth":390,"text":2986},{"id":2992,"depth":385,"text":2993,"children":3188},[3189,3190,3191],{"id":448,"depth":390,"text":449},{"id":480,"depth":390,"text":481},{"id":3056,"depth":390,"text":3057},{"id":3089,"depth":385,"text":3090,"children":3193},[3194],{"id":3116,"depth":390,"text":3117},{"id":3143,"depth":385,"text":3144},{"id":370,"depth":385,"text":371},"Which organizations need CMMC certification — prime contractors, subcontractors, cloud service providers, and anyone handling FCI or CUI for the Department of Defense.",{},"\u002Fframeworks\u002Fcmmc\u002Fwho-needs-cmmc",[407,1596,3201],"fci",[416,1233,904],{"title":3204,"description":3205},"Who Needs CMMC Certification — Contractors, Subcontractors, and Suppliers","Determine whether your organization needs CMMC certification. 
Covers prime contractors, subcontractors, cloud providers, and flow-down requirements for the defense supply chain.","5.frameworks\u002Fcmmc\u002Fwho-needs-cmmc","5GwCg1yaY6XzaYvy6_KyjXso4s9zfiZUmnymQ6MXrw4",{"id":3209,"title":3210,"advantages":3211,"body":3233,"checklist":3630,"cta":3639,"description":384,"extension":405,"faq":3642,"hero":3660,"meta":3675,"name":3676,"navigation":410,"path":3677,"resources":3678,"seo":3691,"slug":407,"stats":3694,"stem":3704,"__hash__":3705},"frameworks\u002F5.frameworks\u002Fcmmc.md","Cmmc",[3212,3219,3226],{"title":3213,"description":3214,"bullets":3215},"NIST 800-171 control mapping","Every CMMC Level 2 practice is linked to its NIST SP 800-171 source requirement with pre-written narratives.",[3216,3217,3218],"14 control families mapped to 110 security requirements","AI-drafted implementation narratives and testing procedures","Gap analysis highlights missing controls before your assessment",{"title":3220,"description":3221,"bullets":3222},"Assessment preparation workspace","Whether you self-assess or engage a C3PAO, episki organizes evidence and scoring in one place.",[3223,3224,3225],"POA&M tracking with 180-day close-out reminders","Scoring methodology aligned to DoD assessment guide","Assessor portal with scoped read-only access",{"title":3227,"description":3228,"bullets":3229},"Cross-framework reuse","Controls mapped to CMMC automatically satisfy overlapping NIST CSF, ISO 27001, and FedRAMP requirements.",[3230,3231,3232],"Unified control graph eliminates duplicate documentation","Evidence collected once, reused across every framework","Framework coverage dashboard shows gaps at a glance",{"type":8,"value":3234,"toc":3613},[3235,3239,3242,3245,3249,3256,3267,3276,3280,3287,3318,3321,3325,3337,3347,3350,3353,3370,3382,3385,3389,3392,3402,3408,3412,3427,3430,3434,3441,3467,3471,3497,3501,3508,3512,3519,3522,3529,3533,3536,3574,3578,3610],[11,3236,3238],{"id":3237},"what-is-cmmc","What is CMMC?",[16,3240,3241],{},"The 
Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's verification program for ensuring that every organization in the defense industrial base adequately protects sensitive federal information. CMMC takes the cybersecurity standards the DoD has required for years and turns them into a verifiable certification that contractors must hold before a contract can be awarded.",[16,3243,3244],{},"Before CMMC, defense contractors were expected to comply with DFARS clause 252.204-7012 and the 110 security requirements in NIST SP 800-171 on the honor system. They self-attested. A 2018 DoD Inspector General report and the 2019 MITRE \"Deliver Uncompromised\" study both found the self-attestation model was failing — contractors claimed compliance they had not achieved, and nation-state adversaries were quietly stealing terabytes of Controlled Unclassified Information (CUI) from the supply chain. CMMC is the DoD's response: instead of trust, the Pentagon now requires verification.",[20,3246,3248],{"id":3247},"cmmc-10-to-cmmc-20","CMMC 1.0 to CMMC 2.0",[16,3250,3251,3252,3255],{},"The first version of CMMC — sometimes called CMMC 1.0 — was announced in January 2020. It had ",[30,3253,3254],{},"five maturity levels",", added its own unique practices and maturity processes on top of NIST SP 800-171, and would have required third-party assessment for almost everyone in the defense supply chain. Industry pushback was substantial. Small businesses said the compliance burden was unaffordable. Cybersecurity teams argued that the custom CMMC practices and \"maturity processes\" diverged from established standards without clear security benefit.",[16,3257,3258,3259,3262,3263,3266],{},"In November 2021 the DoD announced ",[30,3260,3261],{},"CMMC 2.0",", a streamlined successor. 
CMMC 2.0 collapsed the five levels into ",[30,3264,3265],{},"three",", eliminated the custom CMMC practices, and aligned Level 2 directly with NIST SP 800-171 so there is no daylight between the two. It also re-introduced self-assessment as a compliant path for many contracts — a concession to cost that CMMC 1.0 did not allow.",[16,3268,3269,3270,3272,3273,3275],{},"The CMMC 2.0 program rule (32 CFR Part 170) was published in the Federal Register on October 15, 2024, and took effect on ",[30,3271,1263],{},". The companion DFARS rule (48 CFR) was published on September 10, 2025, and took effect on ",[30,3274,1273],{}," — the moment CMMC moved from a program on paper to an enforceable contract requirement. When we talk about \"CMMC\" today, we mean CMMC 2.0 as enforced through DFARS.",[20,3277,3279],{"id":3278},"the-three-cmmc-levels","The three CMMC levels",[16,3281,3282,3283,3286],{},"CMMC uses a tiered model so that a small contractor handling a bill of materials gets a proportionate requirement, while a prime contractor engineering a weapons system gets a much heavier one. Each CMMC level builds on the one below it. ",[376,3284,3285],{"href":1951},"See the full breakdown of CMMC levels"," for control counts, assessment types, and scoping rules.",[120,3288,3289,3299,3308],{},[37,3290,3291,3294,3295,3298],{},[30,3292,3293],{},"Level 1 — Foundational."," Covers the basic safeguarding of Federal Contract Information (FCI). It requires 17 practices drawn directly from FAR 52.204-21. Any organization that processes FCI under a DoD contract must meet Level 1. It is verified through an ",[30,3296,3297],{},"annual self-assessment"," with a senior official affirming the results in the Supplier Performance Risk System (SPRS).",[37,3300,3301,3304,3305,3307],{},[30,3302,3303],{},"Level 2 — Advanced."," Protects Controlled Unclassified Information (CUI). It requires all ",[30,3306,1731],{}," from NIST SP 800-171 Rev 2 across 14 control families. 
Level 2 has two assessment paths — self-assessment for less sensitive CUI, and third-party C3PAO assessment for more sensitive CUI or critical programs. Level 2 is where most defense contractors will land.",[37,3309,3310,3313,3314,3317],{},[30,3311,3312],{},"Level 3 — Expert."," Reserved for the most sensitive DoD programs where advanced persistent threats are a credible risk. It includes every Level 2 requirement ",[30,3315,3316],{},"plus 24 enhanced requirements"," selected from NIST SP 800-172. Level 3 is verified through a government-led DIBCAC assessment and requires a valid Level 2 C3PAO certification as a prerequisite.",[16,3319,3320],{},"The CMMC level you need is determined by the specific solicitation or contract — not by company size or industry. A small engineering firm with a CUI-sensitive subcontract may need Level 2 C3PAO, while a larger prime on a less sensitive contract may only need Level 1.",[20,3322,3324],{"id":3323},"nist-sp-800-171-is-the-heart-of-cmmc","NIST SP 800-171 is the heart of CMMC",[16,3326,3327,3328,3331,3332,3336],{},"CMMC Level 2 is a ",[30,3329,3330],{},"direct one-to-one mapping"," to NIST SP 800-171 Rev 2. There are no extra practices, no CMMC-specific maturity processes, no layered-on requirements. Every CMMC Level 2 practice corresponds to a single NIST SP 800-171 security requirement. This alignment was intentional: it made CMMC easier to implement and easier to audit, and it meant organizations that had been working toward ",[376,3333,3335],{"href":3334},"\u002Fglossary\u002Fnist","NIST"," SP 800-171 compliance since 2017 did not have to start over.",[16,3338,3339,3340,3343,3344,3346],{},"The 110 requirements are organized into 14 control families including Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, System and Communications Protection, and System and Information Integrity. 
CMMC Level 3 layers 24 additional enhanced requirements on top, drawn from NIST SP 800-172. ",[376,3341,3342],{"href":2287},"See the detailed NIST SP 800-171 mapping"," for the full control family breakdown and cross-framework overlap with ",[376,3345,2149],{"href":2148}," and ISO 27001.",[20,3348,3349],{"id":418},"Who needs CMMC?",[16,3351,3352],{},"Any organization that processes, stores, or transmits FCI or CUI as part of a DoD contract or subcontract will need CMMC certification. That is a much broader population than \"defense contractors\" in the traditional sense. CMMC applies to:",[120,3354,3355,3358,3361,3364,3367],{},[37,3356,3357],{},"Prime contractors holding contracts directly with the DoD",[37,3359,3360],{},"Subcontractors at every tier in the supply chain",[37,3362,3363],{},"Cloud service providers hosting DoD contractor data",[37,3365,3366],{},"Managed service providers and IT vendors with access to FCI or CUI",[37,3368,3369],{},"Foreign suppliers in the defense industrial base handling covered information",[16,3371,3372,3373,3376,3377,3381],{},"CMMC flow-down is one of the most important operational realities. If a prime contractor shares CUI with a subcontractor, that subcontractor must hold the same CMMC level. If that subcontractor further shares CUI with a tier-three supplier, the tier-three supplier must also be certified. CMMC's reach extends deep into the supply chain. 
",[376,3374,3375],{"href":3199},"See who needs CMMC"," for detailed scoping guidance, and our ",[376,3378,3380],{"href":3379},"\u002Findustry\u002Fgovernment","government industry page"," for broader public-sector compliance context.",[16,3383,3384],{},"Roughly 80,000 organizations are expected to pursue CMMC Level 2, and a few thousand the most stringent CMMC Level 3 — numbers from the DoD's own economic analysis of the CMMC rule.",[20,3386,3388],{"id":3387},"the-cmmc-assessment-process","The CMMC assessment process",[16,3390,3391],{},"CMMC assessments come in three flavors that align to the three CMMC levels: self-assessment, C3PAO third-party assessment, and DIBCAC government-led assessment. Regardless of type, the assessment methodology is the same — scoring is based on the DoD Assessment Methodology and NIST SP 800-171A objectives.",[16,3393,3394,3395,3397,3398,3401],{},"A CMMC Level 2 C3PAO assessment typically runs through five stages: scoping, readiness review, evidence collection and review, on-site or virtual assessment, and scoring with any final findings. A Level 2 assessment starts with a score of 110 and subtracts points for each unmet objective. A score of 110 yields full certification. A score of ",[30,3396,222],{}," with remaining gaps documented in a Plan of Action and Milestones (POA&M) yields a ",[30,3399,3400],{},"conditional"," certification with a 180-day remediation window. A score below 88 yields no certification at all.",[16,3403,3404,3407],{},[376,3405,3406],{"href":411},"See the full CMMC assessment process"," for scoring details, POA&M rules, and what you can and cannot defer.",[20,3409,3411],{"id":3410},"c3paos-and-certified-assessors","C3PAOs and certified assessors",[16,3413,3414,3415,3418,3419,3422,3423,3426],{},"Third-party CMMC assessments are conducted by ",[30,3416,3417],{},"CMMC Third-Party Assessment Organizations (C3PAOs)"," accredited by the Cyber AB (the Cyber Accreditation Body, formerly the CMMC Accreditation Body). 
C3PAOs employ ",[30,3420,3421],{},"Certified CMMC Assessors (CCAs)"," and ",[30,3424,3425],{},"Certified CMMC Professionals (CCPs)"," who conduct the actual assessment work. CCAs must pass a certification exam administered by the Cyber AB and complete ongoing professional development.",[16,3428,3429],{},"The pool of accredited C3PAOs is deliberately limited — growing from just a handful at the start of 2024 to several dozen by early 2026. That scarcity matters. As CMMC Phase 2 enforcement begins in November 2026 and more contracts require C3PAO assessment, assessor availability will tighten. Organizations that wait to begin CMMC preparation until a contract requires it will likely find assessment slots booked six to twelve months out.",[20,3431,3433],{"id":3432},"cmmc-implementation-timeline","CMMC implementation timeline",[16,3435,3436,3437,3440],{},"CMMC enforcement follows a four-phase rollout under the DFARS rule. The rollout gradually expands CMMC requirements over four years so the assessor ecosystem can scale and contractors have time to prepare. ",[376,3438,3439],{"href":1593},"See the full CMMC implementation timeline"," for dates and milestones.",[120,3442,3443,3449,3455,3461],{},[37,3444,3445,3448],{},[30,3446,3447],{},"Phase 1 (November 2025 – November 2026)."," Active now. CMMC Level 1 and Level 2 self-assessments appear as conditions of award in select solicitations. A limited number of contracts require Level 2 C3PAO assessments at DoD discretion.",[37,3450,3451,3454],{},[30,3452,3453],{},"Phase 2 (November 2026 – November 2027)."," CMMC Level 2 C3PAO certification requirements expand significantly. 
Level 3 requirements begin appearing in select solicitations.",[37,3456,3457,3460],{},[30,3458,3459],{},"Phase 3 (November 2027 – November 2028)."," CMMC Level 2 and Level 3 requirements appear broadly across applicable DoD contracts.",[37,3462,3463,3466],{},[30,3464,3465],{},"Phase 4 (November 2028 onward)."," All DoD contracts requiring FCI or CUI handling include the appropriate CMMC level as a condition of award. Full CMMC enforcement.",[20,3468,3470],{"id":3469},"cmmc-and-dfars","CMMC and DFARS",[16,3472,3473,3474,3477,3478,3422,3481,3484,3485,3488,3489,3492,3493,490],{},"CMMC is the certification. DFARS is the contractual mechanism that makes the certification binding. ",[30,3475,3476],{},"DFARS 252.204-7012"," has required safeguarding of covered defense information and rapid incident reporting since 2017. ",[30,3479,3480],{},"DFARS 252.204-7019",[30,3482,3483],{},"-7020"," added the requirement to post NIST SP 800-171 assessment scores to SPRS. ",[30,3486,3487],{},"DFARS 252.204-7021",", effective November 10, 2025, added the requirement to hold the specific CMMC level called out in the solicitation before contract award. ",[376,3490,3491],{"href":1228},"See how CMMC and DFARS relate"," for the full clause-by-clause picture. For blog-length coverage of DFARS and CMMC in context, see our ",[376,3494,3496],{"href":3495},"\u002Fnow\u002Fcompliance-framework-comparison","compliance framework comparison",[20,3498,3500],{"id":3499},"self-assessment-vs-third-party-assessment","Self-assessment vs third-party assessment",[16,3502,3503,3504,3507],{},"Not every CMMC obligation requires bringing in a C3PAO. CMMC Level 1 is always a self-assessment. CMMC Level 2 splits — some contracts accept self-assessment, and some require C3PAO certification. CMMC Level 3 is always government-led by DIBCAC. Self-assessment is cheaper and faster, but it comes with False Claims Act exposure if the attestation misrepresents your posture. 
Third-party CMMC assessment is more expensive but produces a defensible certification. ",[376,3505,3506],{"href":2592},"Compare CMMC self-assessment vs third-party"," to decide which applies to you and how to budget.",[20,3509,3511],{"id":3510},"handling-cui-the-cmmc-way","Handling CUI the CMMC way",[16,3513,3514,3515,3518],{},"Controlled Unclassified Information sits at the center of CMMC Level 2 and CMMC Level 3. Identifying CUI in your environment, marking it correctly, applying the right access controls, and documenting the CUI boundary are all preconditions for a successful CMMC assessment. FCI and CUI are not the same thing, and the differences drive which CMMC level you need. ",[376,3516,3517],{"href":897},"See CUI handling under CMMC"," for marking rules, scoping guidance, and common mistakes.",[20,3520,3521],{"id":1235},"Subcontractor requirements",[16,3523,3524,3525,3528],{},"CMMC flow-down affects nearly every defense prime. If you share FCI or CUI with a subcontractor, the subcontractor must hold the required CMMC level before you share the data. That means primes need to track subcontractor CMMC status across their supply chain, verify SPRS entries, and plan for the long tail of small suppliers that may not have started their CMMC journey. ",[376,3526,3527],{"href":2915},"See CMMC subcontractor requirements"," for the full flow-down model and how to reduce the burden.",[20,3530,3532],{"id":3531},"getting-cmmc-ready","Getting CMMC ready",[16,3534,3535],{},"CMMC readiness is not a last-mile sprint. Most organizations need 6 to 18 months to close gaps across all 110 NIST SP 800-171 requirements and prepare for CMMC Level 2. The high-leverage moves to start today:",[34,3537,3538,3544,3550,3556,3562,3568],{},[37,3539,3540,3543],{},[30,3541,3542],{},"Scope your CMMC environment."," Map where FCI and CUI enter, flow through, and are stored in your systems. 
Your CMMC assessment boundary is only as good as your scoping work.",[37,3545,3546,3549],{},[30,3547,3548],{},"Complete your SSP."," A System Security Plan that documents every NIST SP 800-171 requirement — implementation status, responsible party, and evidence reference — is the backbone of any CMMC assessment.",[37,3551,3552,3555],{},[30,3553,3554],{},"Submit a SPRS score."," Even before any contract requires CMMC, a current SPRS score demonstrates good faith and exposes gaps early. DoD agencies increasingly reference SPRS scores in source selection.",[37,3557,3558,3561],{},[30,3559,3560],{},"Stand up a POA&M register."," Track every gap with an owner, a remediation plan, and a 180-day countdown. CMMC conditional certification lives or dies on POA&M closure.",[37,3563,3564,3567],{},[30,3565,3566],{},"Review your flow-down."," Inventory every subcontractor, cloud service provider, and managed service provider that touches FCI or CUI. Confirm they are on their own CMMC path.",[37,3569,3570,3573],{},[30,3571,3572],{},"Schedule a readiness review."," A mock CMMC assessment — internal or with a consultant or C3PAO — surfaces problems while there is still time to fix them.",[20,3575,3577],{"id":3576},"common-cmmc-challenges","Common CMMC challenges",[120,3579,3580,3586,3592,3598,3604],{},[37,3581,3582,3585],{},[30,3583,3584],{},"Scoping complexity."," Determining which systems, people, and processes handle CUI is often the hardest first step and the source of the most CMMC assessment rework.",[37,3587,3588,3591],{},[30,3589,3590],{},"NIST SP 800-171 gaps."," Many contractors self-attested NIST SP 800-171 compliance for years but never closed all 110 requirements. CMMC exposes that gap.",[37,3593,3594,3597],{},[30,3595,3596],{},"POA&M management."," Tracking remediation across teams within a 180-day window is hard without tooling. 
CMMC conditional certifications are revoked when POA&Ms go stale.",[37,3599,3600,3603],{},[30,3601,3602],{},"Subcontractor flow-down."," Primes must verify subcontractor CMMC status continuously, not once at onboarding.",[37,3605,3606,3609],{},[30,3607,3608],{},"Evidence organization."," A CMMC assessment can touch hundreds of evidence artifacts. Without a single source of truth, assessors burn billable hours chasing documents.",[16,3611,3612],{},"A structured approach that maps controls to NIST SP 800-171, reuses evidence across CMMC and other frameworks, tracks POA&M progress, and monitors the assessment timeline removes most of this friction — and that is exactly what the episki CMMC workspace is designed for.",{"title":384,"searchDepth":385,"depth":385,"links":3614},[3615],{"id":3237,"depth":385,"text":3238,"children":3616},[3617,3618,3619,3620,3621,3622,3623,3624,3625,3626,3627,3628,3629],{"id":3247,"depth":390,"text":3248},{"id":3278,"depth":390,"text":3279},{"id":3323,"depth":390,"text":3324},{"id":418,"depth":390,"text":3349},{"id":3387,"depth":390,"text":3388},{"id":3410,"depth":390,"text":3411},{"id":3432,"depth":390,"text":3433},{"id":3469,"depth":390,"text":3470},{"id":3499,"depth":390,"text":3500},{"id":3510,"depth":390,"text":3511},{"id":1235,"depth":390,"text":3521},{"id":3531,"depth":390,"text":3532},{"id":3576,"depth":390,"text":3577},{"title":3631,"description":3632,"items":3633},"CMMC readiness checklist inside episki","Everything is preloaded in your free trial so you can start scoping your assessment and closing gaps immediately.",[3634,3635,3636,3637,3638],"NIST SP 800-171 control library with mapped CMMC practices","Level 1, 2, and 3 scoping guidance and practice sets","POA&M register with risk-ranked remediation priorities","System Security Plan (SSP) template with AI drafting","Evidence library organized by control family",{"title":3640,"description":3641},"Launch your CMMC workspace today","Import your NIST 800-171 controls, map them to 
CMMC levels, and start closing gaps before your next assessment.",{"title":3643,"items":3644},"CMMC frequently asked questions",[3645,3648,3651,3654,3657],{"label":3646,"content":3647},"What is CMMC 2.0?","CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's program for verifying that defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The final program rule took effect December 16, 2024, and DFARS contract enforcement began November 10, 2025.",{"label":3649,"content":3650},"What are the three CMMC levels?","Level 1 requires 17 basic safeguarding practices for FCI based on FAR 52.204-21. Level 2 requires 110 security practices aligned to NIST SP 800-171 Rev 2 for CUI. Level 3 adds 24 enhanced practices from NIST SP 800-172 for the most sensitive programs. Each level builds on the one below it.",{"label":3652,"content":3653},"How much does CMMC certification cost?","Costs vary by level and organization size. Level 1 requires only an annual self-assessment. Level 2 self-assessments are free but require significant preparation effort. Level 2 C3PAO assessments typically range from $50,000 to $150,000+ depending on scope. episki reduces preparation costs by automating evidence collection and control documentation.",{"label":3655,"content":3656},"When will CMMC be required in contracts?","CMMC is being phased into DoD contracts over four phases. Phase 1 began November 10, 2025, requiring Level 1 and Level 2 self-assessments in select solicitations. Phase 2 (November 2026) expands Level 2 C3PAO requirements. Phase 3 (November 2027) adds Level 3. By Phase 4 (November 2028), all applicable DoD contracts will require the appropriate CMMC level.",{"label":3658,"content":3659},"Who needs CMMC certification?","Any organization that processes, stores, or transmits FCI or CUI as part of a DoD contract or subcontract needs CMMC certification. 
This includes prime contractors, subcontractors at all tiers, and cloud service providers hosting DoD data. The required level depends on the sensitivity of information handled.",{"headline":3661,"title":3662,"description":3663,"links":3664},"CMMC without the guesswork","Get assessment-ready for CMMC without rebuilding your security program","episki maps NIST SP 800-171 and 800-172 controls to CMMC levels, automates evidence collection, and keeps your POA&M current so your team can focus on winning contracts.",[3665,3668],{"label":3666,"icon":3667,"to":378},"Start CMMC trial","i-lucide-rocket",{"label":3669,"icon":3670,"color":3671,"variant":3672,"to":3673,"target":3674},"Book a demo","i-lucide-message-circle","neutral","subtle","https:\u002F\u002Fcalendly.com\u002Fjustinleapline\u002Fepiski-demo","_blank",{},"CMMC","\u002Fframeworks\u002Fcmmc",{"headline":3679,"title":3679,"description":3680,"items":3681},"CMMC acceleration resources","Give leadership and contracting officers visibility into your cybersecurity posture at every stage.",[3682,3685,3688],{"title":3683,"description":3684},"Executive scorecard","Translate control work into CMMC readiness percentages and contract eligibility status.",{"title":3686,"description":3687},"Assessment readiness kit","Pre-assessment checklist, evidence package review, and mock scoring aligned to DIBCAC methodology.",{"title":3689,"description":3690},"Subcontractor flow-down tracker","Monitor which subcontractors need their own CMMC certification and track their progress.",{"title":3692,"description":3693},"CMMC Compliance Software","Prepare for CMMC Level 1, 2, and 3 assessments with pre-mapped NIST 800-171 controls, automated evidence collection, and C3PAO-ready workspaces. 
Start your free 14-day trial.",[3695,3698,3701],{"value":3696,"description":3697},"3 maturity levels","Pre-mapped practices for Level 1, Level 2, and Level 3 with assessment-type guidance for each.",{"value":3699,"description":3700},"110 practices","Full NIST SP 800-171 Rev 2 control set mapped to CMMC Level 2 objectives out of the box.",{"value":3702,"description":3703},"Phase 1 live now","DFARS enforcement began November 2025. Level 1 and Level 2 self-assessments already required in select solicitations.","5.frameworks\u002Fcmmc","APy1MM_8-5_unEn-D_R-70YqqDsOLlJ3S3APZbab4kY",[3707,3841],{"id":3708,"title":3709,"body":3710,"description":384,"extension":405,"lastUpdated":408,"meta":3825,"navigation":410,"path":3826,"relatedFrameworks":3827,"relatedTerms":3832,"seo":3836,"slug":413,"stem":3839,"term":3715,"__hash__":3840},"glossary\u002F8.glossary\u002Fgrc.md","Grc",{"type":8,"value":3711,"toc":3816},[3712,3716,3723,3727,3730,3744,3748,3751,3765,3769,3788,3792,3795,3809,3813],[11,3713,3715],{"id":3714},"what-is-grc","What is GRC?",[16,3717,3718,3719,3722],{},"GRC stands for ",[30,3720,3721],{},"governance, risk, and compliance"," — a coordinated approach to aligning IT and security practices with business objectives, managing risk, and meeting regulatory requirements.",[20,3724,3726],{"id":3725},"governance","Governance",[16,3728,3729],{},"Governance defines the policies, roles, and decision-making structures that guide how an organization operates. 
In a security context, governance includes:",[120,3731,3732,3735,3738,3741],{},[37,3733,3734],{},"Establishing security policies and standards",[37,3736,3737],{},"Assigning ownership for controls and programs",[37,3739,3740],{},"Setting risk appetite and tolerance levels",[37,3742,3743],{},"Board-level oversight of security posture",[20,3745,3747],{"id":3746},"risk-management","Risk management",[16,3749,3750],{},"Risk management is the process of identifying, assessing, and treating threats that could affect the organization. Common activities include:",[120,3752,3753,3756,3759,3762],{},[37,3754,3755],{},"Maintaining a risk register with likelihood and impact scores",[37,3757,3758],{},"Prioritizing remediation based on business impact",[37,3760,3761],{},"Tracking treatment plans with owners and deadlines",[37,3763,3764],{},"Reviewing risk posture on a recurring schedule",[20,3766,3768],{"id":3767},"compliance","Compliance",[16,3770,3771,3772,3776,3777,3776,3779,3783,3784,490],{},"Compliance means meeting the requirements of external standards, regulations, and contractual obligations. Common compliance frameworks include ",[376,3773,3775],{"href":3774},"\u002Fframeworks\u002Fsoc2","SOC 2",", ",[376,3778,2225],{"href":2224},[376,3780,3782],{"href":3781},"\u002Fframeworks\u002Fhipaa","HIPAA",", and ",[376,3785,3787],{"href":3786},"\u002Fframeworks\u002Fpci","PCI DSS",[20,3789,3791],{"id":3790},"why-grc-matters","Why GRC matters",[16,3793,3794],{},"Without a coordinated approach, organizations end up with fragmented policies, duplicated controls, and gaps between what auditors expect and what teams actually do. 
A GRC program brings these disciplines together so that:",[120,3796,3797,3800,3803,3806],{},[37,3798,3799],{},"Controls are mapped once and reused across frameworks",[37,3801,3802],{},"Risk decisions inform which controls get priority",[37,3804,3805],{},"Evidence is collected continuously rather than scrambled before audits",[37,3807,3808],{},"Leadership has visibility into security posture and compliance status",[20,3810,3812],{"id":3811},"grc-software","GRC software",[16,3814,3815],{},"GRC platforms like episki centralize controls, evidence, risk registers, and auditor collaboration in one workspace. Instead of managing compliance in spreadsheets, teams can assign owners, track evidence, and run programs across multiple frameworks simultaneously.",{"title":384,"searchDepth":385,"depth":385,"links":3817},[3818],{"id":3714,"depth":385,"text":3715,"children":3819},[3820,3821,3822,3823,3824],{"id":3725,"depth":390,"text":3726},{"id":3746,"depth":390,"text":3747},{"id":3767,"depth":390,"text":3768},{"id":3790,"depth":390,"text":3791},{"id":3811,"depth":390,"text":3812},{},"\u002Fglossary\u002Fgrc",[3828,3829,3830,3831,2289],"soc2","iso27001","hipaa","pci",[3833,1231,3834,3835],"risk-register","audit-trail","evidence-collection",{"title":3837,"description":3838},"What is GRC? Governance, Risk, and Compliance Explained","GRC stands for governance, risk, and compliance. 
Learn how GRC programs help organizations manage risk, meet regulatory requirements, and align security with business goals.","8.glossary\u002Fgrc","z7uTPh4PsV0D9njj62M4FXnwjHgD1TiZCXJGfk_tnG8",{"id":3842,"title":3843,"body":3844,"description":384,"extension":405,"lastUpdated":408,"meta":3920,"navigation":410,"path":3334,"relatedFrameworks":3921,"relatedTerms":3922,"seo":3923,"slug":899,"stem":3926,"term":3849,"__hash__":3927},"glossary\u002F8.glossary\u002Fnist.md","Nist",{"type":8,"value":3845,"toc":3913},[3846,3850,3853,3857,3883,3887,3890,3904,3906],[11,3847,3849],{"id":3848},"what-is-nist","What is NIST?",[16,3851,3852],{},"NIST (National Institute of Standards and Technology) is a non-regulatory agency of the United States Department of Commerce that develops and publishes standards, guidelines, and best practices for technology and cybersecurity. NIST's publications are among the most widely referenced resources in information security worldwide, influencing both government and private sector organizations.",[20,3854,3856],{"id":3855},"key-nist-publications","Key NIST publications",[120,3858,3859,3865,3871,3877],{},[37,3860,3861,3864],{},[30,3862,3863],{},"NIST Cybersecurity Framework (CSF)"," — a voluntary framework organized around five core functions (Identify, Protect, Detect, Respond, Recover) that provides a common language for managing cybersecurity risk. Widely adopted by organizations of all sizes.",[37,3866,3867,3870],{},[30,3868,3869],{},"NIST SP 800-53"," — a comprehensive catalog of security and privacy controls for federal information systems. 
Often used as a reference by private organizations building security programs.",[37,3872,3873,3876],{},[30,3874,3875],{},"NIST SP 800-171"," — security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems, required for defense contractors.",[37,3878,3879,3882],{},[30,3880,3881],{},"NIST SP 800-37"," — the Risk Management Framework (RMF) that guides organizations through a structured process for managing security risk.",[20,3884,3886],{"id":3885},"why-nist-matters-for-compliance","Why NIST matters for compliance",[16,3888,3889],{},"While NIST frameworks are voluntary for most private organizations, they serve as the foundation or reference point for many compliance requirements:",[120,3891,3892,3895,3898,3901],{},[37,3893,3894],{},"Federal agencies are required to follow NIST guidelines",[37,3896,3897],{},"Defense contractors must comply with NIST SP 800-171 (enforced through CMMC)",[37,3899,3900],{},"Many ISO 27001 and SOC 2 control mappings reference NIST publications",[37,3902,3903],{},"Cyber insurance providers increasingly reference NIST CSF alignment",[20,3905,371],{"id":370},[16,3907,3908,3909,490],{},"episki supports NIST CSF as a framework and provides control mappings between NIST and other standards like ISO 27001 and SOC 2. Learn more on our ",[376,3910,3912],{"href":3911},"\u002Fframeworks","compliance platform",{"title":384,"searchDepth":385,"depth":385,"links":3914},[3915],{"id":3848,"depth":385,"text":3849,"children":3916},[3917,3918,3919],{"id":3855,"depth":390,"text":3856},{"id":3885,"depth":390,"text":3886},{"id":370,"depth":390,"text":371},{},[2289,3829],[1230,1231,3833],{"title":3924,"description":3925},"What is NIST? 
Definition & Compliance Guide","NIST (National Institute of Standards and Technology) is a US government agency that publishes widely used cybersecurity frameworks and guidelines, including the NIST Cybersecurity Framework (CSF).","8.glossary\u002Fnist","idXqSffZxcBoBTjIYfNZL0FTQ8f6G2o2elS2ekn1Xds",[3929,4475],{"id":3930,"title":3931,"body":3932,"description":384,"extension":405,"lastUpdated":408,"meta":4464,"navigation":410,"path":4465,"relatedFrameworks":4466,"relatedTerms":4467,"seo":4470,"slug":901,"stem":4473,"term":3937,"__hash__":4474},"glossary\u002F8.glossary\u002Faccess-control.md","Access Control",{"type":8,"value":3933,"toc":4450},[3934,3938,3941,3945,3948,3974,3978,3984,3990,3996,4002,4006,4009,4015,4032,4038,4052,4058,4069,4073,4076,4123,4127,4130,4144,4148,4151,4174,4178,4181,4230,4234,4237,4350,4353,4356,4385,4389,4395,4398,4434,4437,4440,4443,4445],[11,3935,3937],{"id":3936},"what-is-access-control","What is Access Control?",[16,3939,3940],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. 
Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[20,3942,3944],{"id":3943},"core-principles","Core principles",[16,3946,3947],{},"Access control is built on several foundational principles:",[120,3949,3950,3956,3962,3968],{},[37,3951,3952,3955],{},[30,3953,3954],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[37,3957,3958,3961],{},[30,3959,3960],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[37,3963,3964,3967],{},[30,3965,3966],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[37,3969,3970,3973],{},[30,3971,3972],{},"Default deny"," — access is denied by default unless explicitly granted",[20,3975,3977],{"id":3976},"types-of-access-control","Types of access control",[16,3979,3980,3983],{},[30,3981,3982],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.",[16,3985,3986,3989],{},[30,3987,3988],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[16,3991,3992,3995],{},[30,3993,3994],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[16,3997,3998,4001],{},[30,3999,4000],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. 
Common in government and military environments.",[20,4003,4005],{"id":4004},"access-control-components","Access control components",[16,4007,4008],{},"A complete access control program addresses:",[16,4010,4011,4014],{},[30,4012,4013],{},"Authentication"," — verifying the identity of users:",[120,4016,4017,4020,4023,4026,4029],{},[37,4018,4019],{},"Passwords and passphrases",[37,4021,4022],{},"Multi-factor authentication (MFA)",[37,4024,4025],{},"Single sign-on (SSO)",[37,4027,4028],{},"Biometric authentication",[37,4030,4031],{},"Certificate-based authentication",[16,4033,4034,4037],{},[30,4035,4036],{},"Authorization"," — determining what authenticated users can do:",[120,4039,4040,4043,4046,4049],{},[37,4041,4042],{},"Permission assignments",[37,4044,4045],{},"Role definitions",[37,4047,4048],{},"Access control lists",[37,4050,4051],{},"Policy enforcement points",[16,4053,4054,4057],{},[30,4055,4056],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[120,4059,4060,4063,4066],{},[37,4061,4062],{},"Provisioning (granting access when hired or role changes)",[37,4064,4065],{},"Review (periodic access certification)",[37,4067,4068],{},"Deprovisioning (revoking access upon termination or role change)",[20,4070,4072],{"id":4071},"access-control-in-compliance-frameworks","Access control in compliance frameworks",[16,4074,4075],{},"Every major framework requires access control:",[120,4077,4078,4085,4097,4109,4116],{},[37,4079,4080,4084],{},[30,4081,4082],{},[376,4083,3775],{"href":3774}," — CC6.1 through CC6.8 cover logical and physical access controls",[37,4086,4087,4091,4092,4096],{},[30,4088,4089],{},[376,4090,2225],{"href":2224}," — ",[376,4093,4095],{"href":4094},"\u002Fglossary\u002Fannex-a","Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[37,4098,4099,4103,4104,4108],{},[30,4100,4101],{},[376,4102,3782],{"href":3781}," — the 
",[376,4105,4107],{"href":4106},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","Security Rule"," requires access controls for ePHI (45 CFR 164.312(a))",[37,4110,4111,4115],{},[30,4112,4113],{},[376,4114,3787],{"href":3786}," — Requirements 7 and 8 address access restriction and user identification",[37,4117,4118,4122],{},[30,4119,4120],{},[376,4121,2149],{"href":2148}," — PR.AC covers identity management, authentication, and access control",[20,4124,4126],{"id":4125},"access-reviews","Access reviews",[16,4128,4129],{},"Regular access reviews (also called access certifications) are a critical control:",[120,4131,4132,4135,4138,4141],{},[37,4133,4134],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[37,4136,4137],{},"Verify that access aligns with current job responsibilities",[37,4139,4140],{},"Identify and remove excessive or unnecessary access",[37,4142,4143],{},"Document review results and remediation actions",[20,4145,4147],{"id":4146},"common-access-control-weaknesses","Common access control weaknesses",[16,4149,4150],{},"Even well-designed access control programs can degrade over time without ongoing attention. 
Watch for these common issues:",[120,4152,4153,4156,4159,4162,4165,4168,4171],{},[37,4154,4155],{},"Excessive permissions that accumulate over time (privilege creep)",[37,4157,4158],{},"Shared or generic accounts that prevent individual accountability",[37,4160,4161],{},"Delayed deprovisioning when employees leave or change roles",[37,4163,4164],{},"Lack of MFA on critical systems and remote access paths",[37,4166,4167],{},"Inconsistent access review processes with no documented remediation",[37,4169,4170],{},"Service accounts with standing privileged access and no rotation schedule",[37,4172,4173],{},"Lack of visibility into SaaS application access outside the corporate IdP",[20,4175,4177],{"id":4176},"implementing-access-control-in-practice","Implementing access control in practice",[16,4179,4180],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[34,4182,4183,4189,4195,4201,4207,4213,4224],{},[37,4184,4185,4188],{},[30,4186,4187],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[37,4190,4191,4194],{},[30,4192,4193],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[37,4196,4197,4200],{},[30,4198,4199],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. 
Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[37,4202,4203,4206],{},[30,4204,4205],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[37,4208,4209,4212],{},[30,4210,4211],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[37,4214,4215,4218,4219,4223],{},[30,4216,4217],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[376,4220,4222],{"href":4221},"\u002Fglossary\u002Faudit-trail","audit trail"," that satisfies compliance requirements.",[37,4225,4226,4229],{},[30,4227,4228],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[20,4231,4233],{"id":4232},"access-control-requirements-by-framework","Access control requirements by framework",[16,4235,4236],{},"Different frameworks address the same access control concepts with different control references. 
The table below maps common requirements to their framework-specific identifiers:",[1446,4238,4239,4256],{},[1449,4240,4241],{},[1452,4242,4243,4246,4248,4250,4252,4254],{},[1455,4244,4245],{},"Requirement",[1455,4247,3775],{},[1455,4249,2225],{},[1455,4251,3782],{},[1455,4253,3787],{},[1455,4255,2149],{},[1462,4257,4258,4278,4297,4316,4333],{},[1452,4259,4260,4263,4266,4269,4272,4275],{},[1467,4261,4262],{},"Unique user IDs",[1467,4264,4265],{},"CC6.1",[1467,4267,4268],{},"A.5.16",[1467,4270,4271],{},"§164.312(a)(2)(i)",[1467,4273,4274],{},"Req 8.2.1",[1467,4276,4277],{},"PR.AC-1",[1452,4279,4280,4283,4285,4288,4291,4294],{},[1467,4281,4282],{},"MFA",[1467,4284,4265],{},[1467,4286,4287],{},"A.8.5",[1467,4289,4290],{},"Addressable",[1467,4292,4293],{},"Req 8.4",[1467,4295,4296],{},"PR.AC-7",[1452,4298,4299,4301,4304,4307,4310,4313],{},[1467,4300,4126],{},[1467,4302,4303],{},"CC6.2",[1467,4305,4306],{},"A.5.18",[1467,4308,4309],{},"§164.312(a)(1)",[1467,4311,4312],{},"Req 7.2",[1467,4314,4315],{},"PR.AC-4",[1452,4317,4318,4320,4323,4326,4328,4331],{},[1467,4319,3954],{},[1467,4321,4322],{},"CC6.3",[1467,4324,4325],{},"A.5.15",[1467,4327,4309],{},[1467,4329,4330],{},"Req 7.1",[1467,4332,4315],{},[1452,4334,4335,4338,4340,4342,4345,4348],{},[1467,4336,4337],{},"Deprovisioning",[1467,4339,4303],{},[1467,4341,4306],{},[1467,4343,4344],{},"§164.312(a)(2)(ii)",[1467,4346,4347],{},"Req 8.2.6",[1467,4349,4277],{},[16,4351,4352],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[16,4354,4355],{},"A few notes on framework-specific nuances:",[120,4357,4358,4363,4371,4378],{},[37,4359,4360,4362],{},[30,4361,3782],{}," treats MFA as an \"addressable\" implementation specification, meaning covered entities must implement it or document why an equivalent alternative is reasonable. 
In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[37,4364,4365,4370],{},[30,4366,4367,4369],{},[376,4368,3787],{"href":3786}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[37,4372,4373,4377],{},[30,4374,4375],{},[376,4376,3775],{"href":3774}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[37,4379,4380,4384],{},[30,4381,4382],{},[376,4383,2149],{"href":2148}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers (CSF 1.1 numbering; CSF 2.0 regroups these outcomes under PR.AA) map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[20,4386,4388],{"id":4387},"zero-trust-and-access-control","Zero trust and access control",[16,4390,4391,4392,490],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[30,4393,4394],{},"never trust, always verify",[16,4396,4397],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[120,4399,4400,4406,4412,4422,4428],{},[37,4401,4402,4405],{},[30,4403,4404],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. 
Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[37,4407,4408,4411],{},[30,4409,4410],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[37,4413,4414,4417,4418,4421],{},[30,4415,4416],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[376,4419,902],{"href":4420},"\u002Fglossary\u002Fencryption",") is evaluated before access is granted.",[37,4423,4424,4427],{},[30,4425,4426],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[37,4429,4430,4433],{},[30,4431,4432],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[16,4435,4436],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[16,4438,4439],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[16,4441,4442],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. 
Over time, these incremental improvements compound into a mature zero trust posture.",[20,4444,371],{"id":370},[16,4446,4447,4448,490],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[376,4449,3912],{"href":3911},{"title":384,"searchDepth":385,"depth":385,"links":4451},[4452],{"id":3936,"depth":385,"text":3937,"children":4453},[4454,4455,4456,4457,4458,4459,4460,4461,4462,4463],{"id":3943,"depth":390,"text":3944},{"id":3976,"depth":390,"text":3977},{"id":4004,"depth":390,"text":4005},{"id":4071,"depth":390,"text":4072},{"id":4125,"depth":390,"text":4126},{"id":4146,"depth":390,"text":4147},{"id":4176,"depth":390,"text":4177},{"id":4232,"depth":390,"text":4233},{"id":4387,"depth":390,"text":4388},{"id":370,"depth":390,"text":371},{},"\u002Fglossary\u002Faccess-control",[407,3828,3829,3830,3831,2289],[4468,3834,902,4469],"minimum-necessary-rule","user-entity-controls",{"title":4471,"description":4472},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. 
Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","8.glossary\u002Faccess-control","aw9J1nXzlNuRVpTr3vx46B0ijrBB9hLxb3SnjmXE6cE",{"id":4476,"title":4477,"body":4478,"description":384,"extension":405,"lastUpdated":408,"meta":4708,"navigation":410,"path":4709,"relatedFrameworks":4710,"relatedTerms":4711,"seo":4713,"slug":4716,"stem":4717,"term":4483,"__hash__":4718},"glossary\u002F8.glossary\u002Fchange-management.md","Change Management",{"type":8,"value":4479,"toc":4697},[4480,4484,4487,4491,4494,4511,4515,4518,4524,4544,4550,4564,4570,4581,4587,4598,4604,4615,4619,4636,4640,4660,4663,4666,4670,4673,4690,4692],[11,4481,4483],{"id":4482},"what-is-change-management","What is Change Management?",[16,4485,4486],{},"Change management is the structured process of planning, approving, implementing, and reviewing changes to an organization's information systems, infrastructure, and applications. The goal is to ensure that changes are made in a controlled manner, minimizing the risk of unintended disruptions, security vulnerabilities, or compliance violations.",[20,4488,4490],{"id":4489},"why-change-management-matters","Why change management matters",[16,4492,4493],{},"Uncontrolled changes are a leading cause of system outages, security incidents, and compliance failures. 
Without a formal change management process:",[120,4495,4496,4499,4502,4505,4508],{},[37,4497,4498],{},"Untested changes can introduce bugs or vulnerabilities",[37,4500,4501],{},"Unauthorized modifications can compromise security controls",[37,4503,4504],{},"Conflicting changes can cause system instability",[37,4506,4507],{},"Auditors cannot verify that changes were properly authorized and tested",[37,4509,4510],{},"Troubleshooting becomes difficult without a record of what changed",[20,4512,4514],{"id":4513},"components-of-a-change-management-process","Components of a change management process",[16,4516,4517],{},"An effective change management program includes:",[16,4519,4520,4523],{},[30,4521,4522],{},"Change request"," — a formal submission describing the proposed change, including:",[120,4525,4526,4529,4532,4535,4538,4541],{},[37,4527,4528],{},"Description of the change",[37,4530,4531],{},"Business justification",[37,4533,4534],{},"Risk assessment",[37,4536,4537],{},"Rollback plan",[37,4539,4540],{},"Testing plan",[37,4542,4543],{},"Implementation timeline",[16,4545,4546,4549],{},[30,4547,4548],{},"Review and approval"," — changes are reviewed by appropriate stakeholders:",[120,4551,4552,4555,4558,4561],{},[37,4553,4554],{},"Technical review for feasibility and impact",[37,4556,4557],{},"Security review for potential risks",[37,4559,4560],{},"Management approval based on risk and priority",[37,4562,4563],{},"Change Advisory Board (CAB) review for significant changes",[16,4565,4566,4569],{},[30,4567,4568],{},"Testing"," — changes are tested in a non-production environment before deployment:",[120,4571,4572,4575,4578],{},[37,4573,4574],{},"Functional testing to verify the change works as intended",[37,4576,4577],{},"Regression testing to confirm existing functionality is not broken",[37,4579,4580],{},"Security testing when the change affects security-relevant systems",[16,4582,4583,4586],{},[30,4584,4585],{},"Implementation"," — changes are deployed following the 
approved plan:",[120,4588,4589,4592,4595],{},[37,4590,4591],{},"During designated maintenance windows when appropriate",[37,4593,4594],{},"With monitoring for unexpected issues",[37,4596,4597],{},"With rollback procedures ready if problems occur",[16,4599,4600,4603],{},[30,4601,4602],{},"Post-implementation review"," — after deployment, verify:",[120,4605,4606,4609,4612],{},[37,4607,4608],{},"The change achieved its intended outcome",[37,4610,4611],{},"No unintended side effects occurred",[37,4613,4614],{},"Documentation is updated to reflect the change",[20,4616,4618],{"id":4617},"change-management-in-compliance-frameworks","Change management in compliance frameworks",[120,4620,4621,4626,4631],{},[37,4622,4623,4625],{},[30,4624,3775],{}," — CC8.1 requires that changes to infrastructure, data, software, and procedures are authorized, designed, developed, configured, documented, tested, approved, and implemented",[37,4627,4628,4630],{},[30,4629,2225],{}," — control A.8.32 addresses change management, requiring that changes to information processing facilities and systems be subject to change management procedures",[37,4632,4633,4635],{},[30,4634,3787],{}," — Requirement 6.5 requires change control processes for all system components in the cardholder data environment",[20,4637,4639],{"id":4638},"types-of-changes","Types of changes",[120,4641,4642,4648,4654],{},[37,4643,4644,4647],{},[30,4645,4646],{},"Standard changes"," — pre-approved, low-risk, routine changes that follow a documented procedure (e.g., updating a standard software package)",[37,4649,4650,4653],{},[30,4651,4652],{},"Normal changes"," — changes that require the full change management process including review and approval",[37,4655,4656,4659],{},[30,4657,4658],{},"Emergency changes"," — urgent changes needed to resolve incidents or critical issues, typically with streamlined approval followed by retrospective documentation",[20,4661,3960],{"id":4662},"separation-of-duties",[16,4664,4665],{},"A key 
control within change management is separation of duties — the person who develops a change should not be the same person who approves or deploys it to production. This prevents unauthorized or untested changes from reaching production systems.",[20,4667,4669],{"id":4668},"evidence-for-auditors","Evidence for auditors",[16,4671,4672],{},"Auditors reviewing change management look for:",[120,4674,4675,4678,4681,4684,4687],{},[37,4676,4677],{},"Change request records with documented approvals",[37,4679,4680],{},"Evidence of testing before production deployment",[37,4682,4683],{},"Separation of duties between development, approval, and deployment",[37,4685,4686],{},"Rollback plans for significant changes",[37,4688,4689],{},"Post-implementation reviews",[20,4691,371],{"id":370},[16,4693,4694,4695,490],{},"episki tracks change management activities, integrates with ticketing and CI\u002FCD systems, and maintains audit-ready evidence of change approvals, testing, and deployment. The platform maps change management controls to SOC 2, ISO 27001, and PCI DSS requirements. Learn more on our ",[376,4696,3912],{"href":3911},{"title":384,"searchDepth":385,"depth":385,"links":4698},[4699],{"id":4482,"depth":385,"text":4483,"children":4700},[4701,4702,4703,4704,4705,4706,4707],{"id":4489,"depth":390,"text":4490},{"id":4513,"depth":390,"text":4514},{"id":4617,"depth":390,"text":4618},{"id":4638,"depth":390,"text":4639},{"id":4662,"depth":390,"text":3960},{"id":4668,"depth":390,"text":4669},{"id":370,"depth":390,"text":371},{},"\u002Fglossary\u002Fchange-management",[407,3828,3829,3831],[3834,901,3835,4712],"control-objectives",{"title":4714,"description":4715},"What is Change Management? 
Definition & Compliance Guide","Change management is the process of controlling modifications to systems and infrastructure to prevent unauthorized changes and maintain security and stability.","change-management","8.glossary\u002Fchange-management","MZV3L_rIEeDWEcb7LqUgqGcph8GigqVqO-mrCT3DsV4",[4720,4982],{"id":5,"title":6,"body":4721,"description":404,"extension":405,"faq":406,"frameworkSlug":407,"lastUpdated":408,"meta":4978,"navigation":410,"path":411,"relatedTerms":4979,"relatedTopics":4980,"seo":4981,"stem":422,"__hash__":423},{"type":8,"value":4722,"toc":4960},[4723,4725,4727,4729,4731,4735,4757,4759,4761,4763,4767,4811,4813,4815,4819,4825,4829,4831,4833,4835,4837,4839,4841,4855,4863,4865,4867,4869,4871,4885,4887,4909,4911,4913,4923,4925,4927,4953,4955],[11,4724,14],{"id":13},[16,4726,18],{},[20,4728,23],{"id":22},[16,4730,26],{},[16,4732,4733],{},[30,4734,32],{},[34,4736,4737,4741,4745,4749,4753],{},[37,4738,4739,42],{},[30,4740,41],{},[37,4742,4743,48],{},[30,4744,47],{},[37,4746,4747,54],{},[30,4748,53],{},[37,4750,4751,60],{},[30,4752,59],{},[37,4754,4755,66],{},[30,4756,65],{},[16,4758,69],{},[20,4760,73],{"id":72},[16,4762,76],{},[16,4764,4765],{},[30,4766,32],{},[34,4768,4769,4773,4777,4781,4785,4789,4807],{},[37,4770,4771,88],{},[30,4772,87],{},[37,4774,4775,94],{},[30,4776,93],{},[37,4778,4779,100],{},[30,4780,99],{},[37,4782,4783,106],{},[30,4784,105],{},[37,4786,4787,112],{},[30,4788,111],{},[37,4790,4791,118,4793],{},[30,4792,117],{},[120,4794,4795,4799,4803],{},[37,4796,4797,127],{},[30,4798,126],{},[37,4800,4801,133],{},[30,4802,132],{},[37,4804,4805,139],{},[30,4806,138],{},[37,4808,4809,145],{},[30,4810,144],{},[20,4812,149],{"id":148},[16,4814,152],{},[16,4816,4817],{},[30,4818,157],{},[120,4820,4821,4823],{},[37,4822,162],{},[37,4824,165],{},[16,4826,4827],{},[30,4828,32],{},[16,4830,172],{},[11,4832,176],{"id":175},[20,4834,180],{"id":179},[16,4836,183],{},[20,4838,187],{"id":186},[16,4840,190],{},[120,4842,4843,4847,4853],{},[37,4844,195,4
845,199],{},[30,4846,198],{},[37,4848,202,4849,206,4851],{},[30,4850,205],{},[30,4852,209],{},[37,4854,212],{},[16,4856,215,4857,219,4859,223,4861,227],{},[30,4858,218],{},[30,4860,222],{},[30,4862,226],{},[20,4864,231],{"id":230},[16,4866,234],{},[11,4868,238],{"id":237},[16,4870,241],{},[120,4872,4873,4877,4881],{},[37,4874,4875,249],{},[30,4876,248],{},[37,4878,4879,255],{},[30,4880,254],{},[37,4882,4883,261],{},[30,4884,260],{},[20,4886,265],{"id":264},[120,4888,4889,4893,4897,4901,4903,4907],{},[37,4890,270,4891,274],{},[30,4892,273],{},[37,4894,277,4895,281],{},[30,4896,280],{},[37,4898,284,4899,288],{},[30,4900,287],{},[37,4902,291],{},[37,4904,294,4905,298],{},[30,4906,297],{},[37,4908,301],{},[20,4910,305],{"id":304},[16,4912,308],{},[120,4914,4915,4917,4919,4921],{},[37,4916,313],{},[37,4918,316],{},[37,4920,319],{},[37,4922,322],{},[11,4924,326],{"id":325},[16,4926,329],{},[34,4928,4929,4933,4937,4941,4945,4949],{},[37,4930,4931,337],{},[30,4932,336],{},[37,4934,4935,343],{},[30,4936,342],{},[37,4938,4939,349],{},[30,4940,348],{},[37,4942,4943,355],{},[30,4944,354],{},[37,4946,4947,361],{},[30,4948,360],{},[37,4950,4951,367],{},[30,4952,366],{},[11,4954,371],{"id":370},[16,4956,374,4957,382],{},[376,4958,381],{"href":378,"rel":4959},[380],{"title":384,"searchDepth":385,"depth":385,"links":4961},[4962,4967,4972,4976,4977],{"id":13,"depth":385,"text":14,"children":4963},[4964,4965,4966],{"id":22,"depth":390,"text":23},{"id":72,"depth":390,"text":73},{"id":148,"depth":390,"text":149},{"id":175,"depth":385,"text":176,"children":4968},[4969,4970,4971],{"id":179,"depth":390,"text":180},{"id":186,"depth":390,"text":187},{"id":230,"depth":390,"text":231},{"id":237,"depth":385,"text":238,"children":4973},[4974,4975],{"id":264,"depth":390,"text":265},{"id":304,"depth":390,"text":305},{"id":325,"depth":385,"text":326},{"id":370,"depth":385,"text":371},{},[407,413,414],[416,417,418],{"title":420,"description":421},{"id":425,"title":426,"body":4983,"description":881,"
extension":405,"faq":5290,"frameworkSlug":407,"lastUpdated":408,"meta":5296,"navigation":410,"path":897,"relatedTerms":5297,"relatedTopics":5298,"seo":5299,"stem":908,"__hash__":909},{"type":8,"value":4984,"toc":5271},[4985,4987,4989,4991,4993,4995,4997,4999,5003,5013,5017,5019,5024,5026,5056,5060,5062,5064,5066,5068,5090,5092,5094,5096,5118,5120,5122,5152,5154,5156,5158,5188,5190,5192,5214,5216,5220,5222,5224,5226,5228,5230,5264,5266],[11,4986,432],{"id":431},[16,4988,435],{},[16,4990,438],{},[11,4992,442],{"id":441},[16,4994,445],{},[20,4996,449],{"id":448},[16,4998,452],{},[16,5000,5001],{},[30,5002,457],{},[120,5004,5005,5007,5009,5011],{},[37,5006,462],{},[37,5008,465],{},[37,5010,468],{},[37,5012,471],{},[16,5014,5015,477],{},[30,5016,476],{},[20,5018,481],{"id":480},[16,5020,484,5021,490],{},[376,5022,489],{"href":487,"rel":5023},[380],[16,5025,493],{},[120,5027,5028,5032,5036,5040,5044,5048,5052],{},[37,5029,5030,501],{},[30,5031,500],{},[37,5033,5034,507],{},[30,5035,506],{},[37,5037,5038],{},[30,5039,512],{},[37,5041,5042],{},[30,5043,517],{},[37,5045,5046],{},[30,5047,522],{},[37,5049,5050,528],{},[30,5051,527],{},[37,5053,5054,534],{},[30,5055,533],{},[16,5057,5058,539],{},[30,5059,476],{},[20,5061,543],{"id":542},[16,5063,546],{},[11,5065,550],{"id":549},[16,5067,553],{},[120,5069,5070,5078,5082,5086],{},[37,5071,5072,561,5074,566,5076,570],{},[30,5073,560],{},[563,5075,565],{},[563,5077,569],{},[37,5079,5080,576],{},[30,5081,575],{},[37,5083,5084,582],{},[30,5085,581],{},[37,5087,5088,588],{},[30,5089,587],{},[16,5091,591],{},[20,5093,595],{"id":594},[16,5095,598],{},[120,5097,5098,5102,5106,5110,5114],{},[37,5099,5100,606],{},[30,5101,605],{},[37,5103,5104,612],{},[30,5105,611],{},[37,5107,5108,618],{},[30,5109,617],{},[37,5111,5112,624],{},[30,5113,623],{},[37,5115,5116,630],{},[30,5117,629],{},[11,5119,634],{"id":633},[16,5121,637],{},[120,5123,5124,5128,5132,5136,5140,5144,5148],{},[37,5125,5126,645],{},[30,5127,644],{},[37,5129,5130,651],{},[30,51
31,650],{},[37,5133,5134,657],{},[30,5135,656],{},[37,5137,5138,663],{},[30,5139,662],{},[37,5141,5142,669],{},[30,5143,668],{},[37,5145,5146,675],{},[30,5147,674],{},[37,5149,5150,681],{},[30,5151,680],{},[16,5153,684],{},[11,5155,688],{"id":687},[16,5157,691],{},[120,5159,5160,5164,5168,5172,5176,5180,5184],{},[37,5161,5162,699],{},[30,5163,698],{},[37,5165,5166,705],{},[30,5167,704],{},[37,5169,5170,711],{},[30,5171,710],{},[37,5173,5174,717],{},[30,5175,716],{},[37,5177,5178,723],{},[30,5179,722],{},[37,5181,5182,729],{},[30,5183,728],{},[37,5185,5186,735],{},[30,5187,734],{},[11,5189,739],{"id":738},[16,5191,742],{},[120,5193,5194,5198,5202,5206,5210],{},[37,5195,5196,750],{},[30,5197,749],{},[37,5199,5200,756],{},[30,5201,755],{},[37,5203,5204,762],{},[30,5205,761],{},[37,5207,5208,768],{},[30,5209,767],{},[37,5211,5212,774],{},[30,5213,773],{},[20,5215,778],{"id":777},[16,5217,781,5218,785],{},[30,5219,784],{},[16,5221,788],{},[11,5223,792],{"id":791},[16,5225,795],{},[16,5227,798],{},[11,5229,802],{"id":801},[120,5231,5232,5236,5240,5244,5248,5252,5256,5260],{},[37,5233,5234,810],{},[30,5235,809],{},[37,5237,5238,816],{},[30,5239,815],{},[37,5241,5242,822],{},[30,5243,821],{},[37,5245,5246,828],{},[30,5247,827],{},[37,5249,5250,834],{},[30,5251,833],{},[37,5253,5254,840],{},[30,5255,839],{},[37,5257,5258,846],{},[30,5259,845],{},[37,5261,5262,852],{},[30,5263,851],{},[11,5265,371],{"id":370},[16,5267,857,5268,861],{},[376,5269,381],{"href":378,"rel":5270},[380],{"title":384,"searchDepth":385,"depth":385,"links":5272},[5273,5274,5279,5282,5283,5284,5287,5288,5289],{"id":431,"depth":385,"text":432},{"id":441,"depth":385,"text":442,"children":5275},[5276,5277,5278],{"id":448,"depth":390,"text":449},{"id":480,"depth":390,"text":481},{"id":542,"depth":390,"text":543},{"id":549,"depth":385,"text":550,"children":5280},[5281],{"id":594,"depth":390,"text":595},{"id":633,"depth":385,"text":634},{"id":687,"depth":385,"text":688},{"id":738,"depth":385,"text":739,"childr
en":5285},[5286],{"id":777,"depth":390,"text":778},{"id":791,"depth":385,"text":792},{"id":801,"depth":385,"text":802},{"id":370,"depth":385,"text":371},{"items":5291},[5292,5293,5294,5295],{"label":885,"content":886},{"label":888,"content":889},{"label":891,"content":892},{"label":894,"content":895},{},[899,900,901,902],[416,418,417,904],{"title":906,"description":907},{"id":3209,"title":3210,"advantages":5301,"body":5308,"checklist":5557,"cta":5559,"description":384,"extension":405,"faq":5560,"hero":5567,"meta":5571,"name":3676,"navigation":410,"path":3677,"resources":5572,"seo":5577,"slug":407,"stats":5578,"stem":3704,"__hash__":3705},[5302,5304,5306],{"title":3213,"description":3214,"bullets":5303},[3216,3217,3218],{"title":3220,"description":3221,"bullets":5305},[3223,3224,3225],{"title":3227,"description":3228,"bullets":5307},[3230,3231,3232],{"type":8,"value":5309,"toc":5540},[5310,5312,5314,5316,5318,5322,5328,5334,5336,5340,5360,5362,5364,5370,5376,5378,5380,5392,5398,5400,5402,5404,5410,5414,5416,5424,5426,5428,5432,5450,5452,5466,5468,5472,5474,5478,5480,5484,5486,5488,5514,5516,5538],[11,5311,3238],{"id":3237},[16,5313,3241],{},[16,5315,3244],{},[20,5317,3248],{"id":3247},[16,5319,3251,5320,3255],{},[30,5321,3254],{},[16,5323,3258,5324,3262,5326,3266],{},[30,5325,3261],{},[30,5327,3265],{},[16,5329,3269,5330,3272,5332,3275],{},[30,5331,1263],{},[30,5333,1273],{},[20,5335,3279],{"id":3278},[16,5337,3282,5338,3286],{},[376,5339,3285],{"href":1951},[120,5341,5342,5348,5354],{},[37,5343,5344,3294,5346,3298],{},[30,5345,3293],{},[30,5347,3297],{},[37,5349,5350,3304,5352,3307],{},[30,5351,3303],{},[30,5353,1731],{},[37,5355,5356,3313,5358,3317],{},[30,5357,3312],{},[30,5359,3316],{},[16,5361,3320],{},[20,5363,3324],{"id":3323},[16,5365,3327,5366,3331,5368,3336],{},[30,5367,3330],{},[376,5369,3335],{"href":3334},[16,5371,3339,5372,3343,5374,3346],{},[376,5373,3342],{"href":2287},[376,5375,2149],{"href":2148},[20,5377,3349],{"id":418},[16,5379,3352],{},[120,5381
,5382,5384,5386,5388,5390],{},[37,5383,3357],{},[37,5385,3360],{},[37,5387,3363],{},[37,5389,3366],{},[37,5391,3369],{},[16,5393,3372,5394,3376,5396,3381],{},[376,5395,3375],{"href":3199},[376,5397,3380],{"href":3379},[16,5399,3384],{},[20,5401,3388],{"id":3387},[16,5403,3391],{},[16,5405,3394,5406,3397,5408,3401],{},[30,5407,222],{},[30,5409,3400],{},[16,5411,5412,3407],{},[376,5413,3406],{"href":411},[20,5415,3411],{"id":3410},[16,5417,3414,5418,3418,5420,3422,5422,3426],{},[30,5419,3417],{},[30,5421,3421],{},[30,5423,3425],{},[16,5425,3429],{},[20,5427,3433],{"id":3432},[16,5429,3436,5430,3440],{},[376,5431,3439],{"href":1593},[120,5433,5434,5438,5442,5446],{},[37,5435,5436,3448],{},[30,5437,3447],{},[37,5439,5440,3454],{},[30,5441,3453],{},[37,5443,5444,3460],{},[30,5445,3459],{},[37,5447,5448,3466],{},[30,5449,3465],{},[20,5451,3470],{"id":3469},[16,5453,3473,5454,3477,5456,3422,5458,3484,5460,3488,5462,3492,5464,490],{},[30,5455,3476],{},[30,5457,3480],{},[30,5459,3483],{},[30,5461,3487],{},[376,5463,3491],{"href":1228},[376,5465,3496],{"href":3495},[20,5467,3500],{"id":3499},[16,5469,3503,5470,3507],{},[376,5471,3506],{"href":2592},[20,5473,3511],{"id":3510},[16,5475,3514,5476,3518],{},[376,5477,3517],{"href":897},[20,5479,3521],{"id":1235},[16,5481,3524,5482,3528],{},[376,5483,3527],{"href":2915},[20,5485,3532],{"id":3531},[16,5487,3535],{},[34,5489,5490,5494,5498,5502,5506,5510],{},[37,5491,5492,3543],{},[30,5493,3542],{},[37,5495,5496,3549],{},[30,5497,3548],{},[37,5499,5500,3555],{},[30,5501,3554],{},[37,5503,5504,3561],{},[30,5505,3560],{},[37,5507,5508,3567],{},[30,5509,3566],{},[37,5511,5512,3573],{},[30,5513,3572],{},[20,5515,3577],{"id":3576},[120,5517,5518,5522,5526,5530,5534],{},[37,5519,5520,3585],{},[30,5521,3584],{},[37,5523,5524,3591],{},[30,5525,3590],{},[37,5527,5528,3597],{},[30,5529,3596],{},[37,5531,5532,3603],{},[30,5533,3602],{},[37,5535,5536,3609],{},[30,5537,3608],{},[16,5539,3612],{},{"title":384,"searchDepth":385,"depth":385,"links":
5541},[5542],{"id":3237,"depth":385,"text":3238,"children":5543},[5544,5545,5546,5547,5548,5549,5550,5551,5552,5553,5554,5555,5556],{"id":3247,"depth":390,"text":3248},{"id":3278,"depth":390,"text":3279},{"id":3323,"depth":390,"text":3324},{"id":418,"depth":390,"text":3349},{"id":3387,"depth":390,"text":3388},{"id":3410,"depth":390,"text":3411},{"id":3432,"depth":390,"text":3433},{"id":3469,"depth":390,"text":3470},{"id":3499,"depth":390,"text":3500},{"id":3510,"depth":390,"text":3511},{"id":1235,"depth":390,"text":3521},{"id":3531,"depth":390,"text":3532},{"id":3576,"depth":390,"text":3577},{"title":3631,"description":3632,"items":5558},[3634,3635,3636,3637,3638],{"title":3640,"description":3641},{"title":3643,"items":5561},[5562,5563,5564,5565,5566],{"label":3646,"content":3647},{"label":3649,"content":3650},{"label":3652,"content":3653},{"label":3655,"content":3656},{"label":3658,"content":3659},{"headline":3661,"title":3662,"description":3663,"links":5568},[5569,5570],{"label":3666,"icon":3667,"to":378},{"label":3669,"icon":3670,"color":3671,"variant":3672,"to":3673,"target":3674},{},{"headline":3679,"title":3679,"description":3680,"items":5573},[5574,5575,5576],{"title":3683,"description":3684},{"title":3686,"description":3687},{"title":3689,"description":3690},{"title":3692,"description":3693},[5579,5580,5581],{"value":3696,"description":3697},{"value":3699,"description":3700},{"value":3702,"description":3703},{"id":5583,"title":5584,"body":5585,"comparison":5676,"competitorA":5721,"competitorB":5722,"cta":5723,"description":384,"extension":405,"faq":406,"hero":5726,"meta":5734,"navigation":410,"path":5735,"seo":5736,"slug":5739,"slugA":5740,"slugB":5741,"stem":5742,"verdict":5743,"__hash__":5747},"compareVs\u002F7.compare\u002Fvs\u002Fdrata-vs-secureframe.md","Drata Vs 
Secureframe",{"type":8,"value":5586,"toc":5666},[5587,5591,5594,5598,5601,5607,5610,5614,5617,5620,5623,5627,5630,5633,5637,5640,5643,5647,5650,5653,5657,5660,5663],[11,5588,5590],{"id":5589},"drata-vs-secureframe-the-closest-comparison-in-compliance","Drata vs Secureframe: the closest comparison in compliance",[16,5592,5593],{},"If Vanta is the 800-pound gorilla, Drata and Secureframe are the two challengers most often compared against each other. They target similar buyers, cover similar frameworks, and offer similar automation. The differences are real but subtle — and they matter most in how your team experiences the platform day to day.",[20,5595,5597],{"id":5596},"feature-parity-with-different-emphasis","Feature parity with different emphasis",[16,5599,5600],{},"On paper, Drata and Secureframe look nearly identical. Both automate evidence collection, monitor your compliance posture continuously, support 15+ frameworks, and provide auditor-facing portals. The overlap is so significant that choosing between them often comes down to three factors: onboarding style, dashboard experience, and pricing.",[16,5602,5603,5606],{},[30,5604,5605],{},"Onboarding style"," is the clearest differentiator. Drata leans toward self-serve. The platform guides you through integration setup, control mapping, and evidence configuration with in-app workflows. For teams with compliance experience, this speed is an advantage — you can be operational in 1–2 weeks without waiting for a human to walk you through every step.",[16,5608,5609],{},"Secureframe takes the opposite approach. Every customer gets access to dedicated compliance managers who help interpret requirements, map controls to your environment, and prepare for audit. 
This white-glove model adds a week or two to implementation but dramatically reduces the learning curve for first-time audit teams.",[20,5611,5613],{"id":5612},"the-dashboard-question","The dashboard question",[16,5615,5616],{},"Drata's compliance dashboard is one of its signature features. The real-time posture view shows passing and failing controls across every framework, with compliance percentages and trend data. For compliance leads who report to a CISO or board, this visual layer simplifies status updates and makes it easy to demonstrate progress.",[16,5618,5619],{},"Secureframe also provides dashboards, but they feel more functional than visual. The platform surfaces actionable items — controls that need attention, evidence that's expiring, gaps to remediate — in a task-oriented format. It's effective, but it doesn't deliver the same at-a-glance executive view that Drata provides.",[16,5621,5622],{},"For teams that need board-ready compliance reporting, Drata has the edge. For teams that care more about daily workflow and task management, Secureframe's approach may feel more productive.",[20,5624,5626],{"id":5625},"integration-depth","Integration depth",[16,5628,5629],{},"Secureframe holds a slight advantage in integration count, with 150+ connections compared to Drata's 100+. The extra integrations primarily cover developer tools, identity providers, and security platforms. For teams running complex stacks with multiple CI\u002FCD pipelines, vulnerability scanners, and endpoint management tools, Secureframe's broader integration library means less manual evidence collection.",[16,5631,5632],{},"Drata's integrations, while fewer in number, tend to offer deeper configuration options for the platforms they do support. 
If your stack is standard — AWS or GCP, Okta or Google Workspace, GitHub, and a common HR tool — both platforms will serve you equally well.",[20,5634,5636],{"id":5635},"pricing-opacity","Pricing opacity",[16,5638,5639],{},"Neither Drata nor Secureframe publishes pricing. Both require a sales conversation to get a quote, and both scale based on team size, framework count, and contract terms. Based on market data, Drata typically starts around $10,000–$15,000\u002Fyr while Secureframe starts slightly lower at $8,000–$12,000\u002Fyr. At scale, both reach $30,000–$50,000\u002Fyr for larger organizations.",[16,5641,5642],{},"This pricing opacity creates a frustrating buying experience. You can't model costs internally before engaging sales. You can't easily compare options. And renewal conversations often involve price increases that are hard to predict at the time of initial purchase.",[20,5644,5646],{"id":5645},"where-both-platforms-struggle","Where both platforms struggle",[16,5648,5649],{},"The irony of comparing Drata and Secureframe is that their most significant limitations are shared. Both use pricing models that punish team growth. Both rely on templated control libraries that resist customization. Both treat policy documentation as a secondary concern — something generated through forms rather than crafted through a proper writing experience.",[16,5651,5652],{},"And both lock you into their workflow assumptions. If your compliance program doesn't map cleanly to their templates — if you run hybrid frameworks, need custom controls, or want to structure programs differently than the default — you'll spend time working around the platform instead of working within it.",[20,5654,5656],{"id":5655},"the-case-for-a-different-approach","The case for a different approach",[16,5658,5659],{},"When two products are this similar, the deciding factor often isn't which one is better — it's whether either one is the right category of tool for your needs. 
If you want maximum automation and are comfortable with enterprise pricing, Drata and Secureframe both deliver.",[16,5661,5662],{},"But if you want flat pricing at $500\u002Fmo, a Notion-like editor for compliance documentation, and the freedom to build programs that reflect how your team actually operates — episki offers something neither Drata nor Secureframe provides. No per-seat scaling. No opaque quotes. No templated policies that read like every other company's.",[16,5664,5665],{},"Just a workspace your compliance team will use daily, at a price that doesn't make your CFO wince.",{"title":384,"searchDepth":385,"depth":385,"links":5667},[5668],{"id":5589,"depth":385,"text":5590,"children":5669},[5670,5671,5672,5673,5674,5675],{"id":5596,"depth":390,"text":5597},{"id":5612,"depth":390,"text":5613},{"id":5625,"depth":390,"text":5626},{"id":5635,"depth":390,"text":5636},{"id":5645,"depth":390,"text":5646},{"id":5655,"depth":390,"text":5656},[5677,5682,5686,5691,5696,5701,5706,5711,5716],{"feature":5678,"competitorA":5679,"competitorB":5680,"episki":5681},"Pricing model","Custom pricing, typically starting around $10,000–$15,000\u002Fyr","Custom pricing, typically starting around $8,000–$12,000\u002Fyr","Flat $500\u002Fmo or $5,000\u002Fyr with unlimited seats",{"feature":5683,"competitorA":5684,"competitorB":5684,"episki":5685},"Framework coverage","SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and 15+ frameworks","SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, and custom frameworks",{"feature":5687,"competitorA":5688,"competitorB":5689,"episki":5690},"Automation depth","Automated evidence collection with real-time compliance dashboards","Automated monitoring with continuous evidence collection and alerts","AI-assisted drafting and structured workflows with manual evidence uploads",{"feature":5692,"competitorA":5693,"competitorB":5694,"episki":5695},"Integration count","100+ integrations covering major cloud and SaaS platforms","150+ integrations covering cloud, identity, 
HR, and developer tools","Growing integration library with focus on structured evidence reuse",{"feature":5697,"competitorA":5698,"competitorB":5699,"episki":5700},"Auditor collaboration","Auditor-facing portal with read-only access and evidence downloads","Auditor-ready evidence rooms with structured access controls","Built-in auditor portal with scoped access and Q&A threads",{"feature":5702,"competitorA":5703,"competitorB":5704,"episki":5705},"AI features","AI-assisted control mapping and compliance recommendations","AI-driven compliance recommendations and automated risk scoring","AI drafts policies, narratives, remediation steps, and questionnaire answers",{"feature":5707,"competitorA":5708,"competitorB":5709,"episki":5710},"Implementation time","1–3 weeks with self-serve setup and optional guided onboarding","2–3 weeks with guided onboarding and compliance expertise","Same-day setup with self-serve onboarding and optional demo",{"feature":5712,"competitorA":5713,"competitorB":5714,"episki":5715},"Support model","In-app chat, email support, and dedicated CSM for larger accounts","Dedicated compliance managers, email, and in-app support","Direct founder access, in-app chat, and shared Slack channels",{"feature":5717,"competitorA":5718,"competitorB":5719,"episki":5720},"Free trial","Demo-based sales process, limited free trial availability","Demo-based sales process, no public free trial","14-day free trial with full access, no credit card required","Drata","Secureframe",{"title":5724,"description":5725},"Skip the comparison. Try episki free.","14-day trial with full access. No credit card required.",{"headline":5727,"title":5728,"description":5729,"links":5730},"Drata vs Secureframe","Similar features, different approaches to compliance automation","Compare Drata and Secureframe across pricing, onboarding, and compliance workflows. 
Two closely matched platforms with subtle but important differences for your team.",[5731,5733],{"label":5732,"icon":3667,"to":378},"Try episki free",{"label":3669,"icon":3670,"color":3671,"variant":3672,"to":3673,"target":3674},{},"\u002Fcompare\u002Fvs\u002Fdrata-vs-secureframe",{"title":5737,"description":5738},"Drata vs Secureframe (2026): Pricing, Features & Honest Comparison","Drata vs Secureframe compared on pricing, onboarding, framework coverage, and compliance automation. See which platform fits your team — or why neither might be the best choice.","drata-vs-secureframe","drata","secureframe","7.compare\u002Fvs\u002Fdrata-vs-secureframe",{"chooseA":5744,"chooseB":5745,"chooseEpiski":5746},"Choose Drata if you value self-serve speed and visual compliance dashboards. Drata gets you operational faster and provides the clearest real-time view of your compliance posture — ideal for teams with in-house compliance knowledge.","Choose Secureframe if you want more hands-on guidance from dedicated compliance managers. Secureframe's human-led onboarding is better for teams running their first audit without experienced GRC staff.","Choose episki if you want transparent pricing, a writing-first editor, and the flexibility to structure programs your way. episki is for teams that want to own their compliance narrative without paying enterprise prices.","HuA5a0qhJVkEPHNLT6GY_VEempd7yA1ONnXItxDt-ZQ",{"id":5749,"title":5721,"advantages":5750,"body":5772,"comparison":5823,"competitor":5721,"cta":5849,"description":384,"extension":405,"hero":5852,"meta":5861,"navigation":410,"path":5862,"seo":5863,"slug":5740,"stem":5866,"__hash__":5867},"compare\u002F7.compare\u002Fdrata.md",[5751,5758,5765],{"title":5752,"description":5753,"bullets":5754},"One flat price for everything","episki includes unlimited frameworks, teammates, and portals for a single monthly or annual fee. 
No tiers, no negotiations.",[5755,5756,5757],"Add frameworks without upgrading to a higher tier","Invite auditors, customers, and stakeholders at no extra cost","Predictable billing that does not scale with headcount",{"title":5759,"description":5760,"bullets":5761},"Connected programs and assessments","episki treats compliance as connected work. Programs, assessments, controls, tasks, and issues link together so nothing falls through the cracks.",[5762,5763,5764],"Run recurring programs and one-time assessments side by side","Tasks inherit context from parent controls and programs","Evidence attaches once and stays available across every framework",{"title":5766,"description":5767,"bullets":5768},"Fast, keyboard-driven workspace","episki is built for people who spend hours in the tool. Keyboard shortcuts, global search, and a rich editor make daily compliance work feel fast.",[5769,5770,5771],"Navigate between programs, controls, and evidence without lifting your hands","Inline editing for policies, narratives, and response drafts","Dark mode and responsive layout for any screen",{"type":8,"value":5773,"toc":5818},[5774,5778,5781,5784,5804,5808,5811,5815],[11,5775,5777],{"id":5776},"why-teams-evaluate-drata-alternatives","Why teams evaluate Drata alternatives",[16,5779,5780],{},"Drata has built a comprehensive compliance automation platform with strong automated evidence collection and a wide library of supported frameworks. 
It works well for organizations that want continuous monitoring with minimal manual intervention.",[16,5782,5783],{},"Some teams look for alternatives when they need:",[120,5785,5786,5792,5798],{},[37,5787,5788,5791],{},[30,5789,5790],{},"Simpler pricing"," — Drata's tiered pricing based on framework count and company size can make budgeting unpredictable, especially for organizations running multiple frameworks or growing quickly.",[37,5793,5794,5797],{},[30,5795,5796],{},"Unified program management"," — teams managing overlapping compliance programs want controls, evidence, and tasks connected across frameworks in a single workspace rather than managed as separate compliance tracks.",[37,5799,5800,5803],{},[30,5801,5802],{},"A daily-use workspace"," — compliance teams that spend significant time writing, reviewing, and collaborating want an editor and navigation experience that feels productive rather than transactional.",[11,5805,5807],{"id":5806},"when-drata-might-be-the-better-fit","When Drata might be the better fit",[16,5809,5810],{},"Drata is a strong choice for teams that prioritize automated continuous monitoring and need a platform with deep integration coverage across cloud, identity, HR, and development tools. If your primary concern is automating evidence collection and you operate in a well-defined framework like SOC 2 or ISO 27001, Drata's automation depth is compelling.",[11,5812,5814],{"id":5813},"when-episki-shines","When episki shines",[16,5816,5817],{},"episki is designed for teams that view compliance as ongoing, cross-functional work rather than a monitoring dashboard. 
If you run multiple programs, collaborate with auditors directly in the tool, and want a workspace that feels as fast as your engineering tools, episki delivers a different kind of compliance experience.",{"title":384,"searchDepth":385,"depth":385,"links":5819},[5820,5821,5822],{"id":5776,"depth":385,"text":5777},{"id":5806,"depth":385,"text":5807},{"id":5813,"depth":385,"text":5814},[5824,5826,5827,5831,5835,5838,5841,5845],{"feature":5678,"episki":5681,"competitor":5825},"Tiered pricing based on framework count and company size",{"feature":5683,"episki":5685,"competitor":5684},{"feature":5828,"episki":5829,"competitor":5830},"Control management","Linked control graph with cross-framework reuse and ownership","Control library with automated testing and monitoring",{"feature":5832,"episki":5833,"competitor":5834},"Evidence collection","Manual uploads with structured ownership and reuse across frameworks","Automated evidence collection with 100+ integrations",{"feature":5836,"episki":5705,"competitor":5837},"AI assistance","AI-powered compliance automation",{"feature":3747,"episki":5839,"competitor":5840},"Risk registers with remediation tracking tied to controls","Built-in risk management with scoring and treatment plans",{"feature":5842,"episki":5843,"competitor":5844},"Editor experience","Notion-like rich text editor with inline editing","Structured forms and workflow-based interface",{"feature":5846,"episki":5847,"competitor":5848},"Collaboration","Built-in auditor portal, customer portals, and team workspaces","Auditor-facing dashboards and team collaboration features",{"title":5850,"description":5851},"Try episki side by side with Drata","Start a free trial with all features enabled. Import your controls and see the difference.",{"headline":5853,"title":5854,"description":5855,"links":5856},"episki vs Drata","How episki compares to Drata for compliance teams","A head-to-head on pricing, workflow design, and framework flexibility. 
See why teams that want a faster, more collaborative compliance workspace switch from Drata to episki.",[5857,5859],{"label":5858,"icon":3667,"to":378},"Start free trial",{"label":5860,"icon":3670,"color":3671,"variant":3672,"to":3673,"target":3674},"See a live demo",{},"\u002Fcompare\u002Fdrata",{"title":5864,"description":5865},"episki vs Drata (2026): Pricing, Flexibility & Why Teams Switch","Compare episki and Drata on pricing, workflow design, and framework flexibility. See why compliance teams switch from Drata to episki.","7.compare\u002Fdrata","rehdI9NC6n1m3mFaD-M9xGliPjg5awlPauCt-LCW_es",{"id":5869,"title":5870,"api":406,"authors":5871,"body":5877,"category":6055,"date":6056,"description":6057,"extension":405,"features":406,"fixes":406,"highlight":406,"image":6058,"improvements":406,"meta":6060,"navigation":410,"path":6062,"seo":6063,"stem":6064,"__hash__":6065},"posts\u002F3.now\u002Fdefined-roles-pci-compliance-mistakes.md","Defined Roles in PCI: The Compliance Mistakes That Fly Under the Radar",[5872],{"name":5873,"to":5874,"avatar":5875},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":5876},"\u002Fimages\u002Fjustinleapline.png",{"type":8,"value":5878,"toc":6047},[5879,5885,5888,5891,5894,5897,5900,5902,5906,5916,5919,5922,5925,5927,5931,5934,5937,5940,5943,5945,5949,5957,5960,5963,5966,5968,5972,5975,5978,5981,5983,5987,5990,5993,5996,5999,6001,6005,6008,6011,6014,6016,6021,6033,6039,6041],[5880,5881,5882],"blockquote",{},[16,5883,5884],{},"When it comes to PCI DSS, most organizations focus on the technical controls — encryption, access management, logging. But one of the most persistent failure points isn't technical at all. It's the question of who owns what. Undefined or poorly assigned roles quietly undermine even the most well-resourced compliance programs. 
This post breaks down the most common role-related mistakes security leaders make in PCI — and what to do differently.",[5886,5887],"hr",{},[16,5889,5890],{},"Most PCI compliance failures don't happen because teams don't know the standard.",[16,5892,5893],{},"They happen because nobody agreed on who was responsible for following it.",[16,5895,5896],{},"It sounds simple. In practice, it's one of the hardest problems in compliance programs — and one of the least discussed. When a QSA walks in for an assessment and finds gaps, the root cause is often not a missing control. It's a missing owner.",[16,5898,5899],{},"For CISOs leading PCI programs, role clarity isn't a nice-to-have. It's the foundation everything else sits on.",[5886,5901],{},[11,5903,5905],{"id":5904},"mistake-1-treating-pci-ownership-as-an-it-problem","Mistake #1: Treating PCI Ownership as an IT Problem",[16,5907,5908,5910,5911,5915],{},[376,5909,3787],{"href":3786}," governs the entire ",[376,5912,5914],{"href":5913},"\u002Fglossary\u002Fcardholder-data-environment","cardholder data environment"," — and the cardholder data environment touches far more than IT.",[16,5917,5918],{},"It includes how sales teams handle card data over the phone. How finance processes refunds. How third-party vendors connect to your systems. How HR onboards employees who access payment infrastructure. And yet, in most organizations, PCI ownership sits almost exclusively with the security or IT team — while the business units that handle cardholder data daily operate with little awareness of their own obligations.",[16,5920,5921],{},"This creates a structural gap. Controls get implemented technically but not operationally. Policies exist on paper but aren't followed in practice because the people they govern don't know they apply to them.",[16,5923,5924],{},"The fix isn't adding more controls. It's expanding the ownership model. 
Every team that touches cardholder data needs a defined role in the compliance program — with accountability, not just awareness.",[5886,5926],{},[11,5928,5930],{"id":5929},"mistake-2-confusing-responsible-with-accountable","Mistake #2: Confusing \"Responsible\" with \"Accountable\"",[16,5932,5933],{},"One of the most reliable ways to spot a broken compliance program is to ask two people on the same team who owns a specific PCI requirement. If you get two different answers — or two blank stares — you have an accountability problem.",[16,5935,5936],{},"The distinction between responsibility and accountability matters here. Responsibility is operational: this person performs the task. Accountability is governance: this person owns the outcome. In PCI, these roles are often blurred or duplicated, which means that when something goes wrong, nobody is clearly on the hook — and when audits come around, multiple people claim ownership of the same control without any of them actually running it.",[16,5938,5939],{},"The RACI model (Responsible, Accountable, Consulted, Informed) is a well-worn solution to this problem — but only when applied with rigor. A RACI matrix that was built two years ago and hasn't been updated since an acquisition, a reorg, or a new product launch is often worse than no RACI at all. It creates false confidence.",[16,5941,5942],{},"PCI role assignments need to be reviewed every time the business changes — not just every time the standard does.",[5886,5944],{},[11,5946,5948],{"id":5947},"mistake-3-letting-vendor-relationships-create-ownership-gaps","Mistake #3: Letting Vendor Relationships Create Ownership Gaps",[16,5950,5951,5952,5956],{},"PCI DSS Requirement 12.8 is clear: organizations are responsible for managing the compliance of all ",[376,5953,5955],{"href":5954},"\u002Fglossary\u002Fthird-party-risk","third-party service providers"," who have access to cardholder data. 
In practice, many organizations interpret this requirement as \"get a copy of their AOC and file it.\"",[16,5958,5959],{},"That's not management. That's documentation.",[16,5961,5962],{},"The gap shows up when a vendor has a breach, when a third-party integration introduces a vulnerability, or when an assessor asks how the organization monitors the compliance posture of its vendors — and the answer is \"we check their certificate once a year.\"",[16,5964,5965],{},"Vendor ownership in PCI requires a named internal owner for each critical third-party relationship. Someone who understands what that vendor does, what data they access, what their contractual security obligations are, and what the escalation path looks like if something goes wrong. Without that, vendor risk exists on paper but is managed by nobody.",[5886,5967],{},[11,5969,5971],{"id":5970},"mistake-4-role-assignments-that-dont-survive-personnel-changes","Mistake #4: Role Assignments That Don't Survive Personnel Changes",[16,5973,5974],{},"PCI roles are often documented at the person level — \"Sarah owns firewall management,\" \"Marco is responsible for log review\" — rather than at the function level. When Sarah leaves or Marco moves to a different team, the role doesn't transfer cleanly. Institutional knowledge walks out the door, and the new person inherits a responsibility they weren't briefed on.",[16,5976,5977],{},"This is especially dangerous in small security teams, where one person often carries multiple PCI functions. When that person leaves without a proper transition, entire sections of the compliance program can become effectively unowned — sometimes for months before anyone notices.",[16,5979,5980],{},"Sustainable role assignment means documenting at the position level, not the individual level. It means keeping role documentation alive and connected to onboarding processes, so that new team members understand their compliance obligations from day one. 
And it means building succession into the program architecture, not treating it as an afterthought.",[5886,5982],{},[11,5984,5986],{"id":5985},"mistake-5-assuming-the-ciso-owns-everything-that-isnt-assigned-elsewhere","Mistake #5: Assuming the CISO Owns Everything That Isn't Assigned Elsewhere",[16,5988,5989],{},"In many organizations, the CISO is the implicit owner of last resort. If a PCI requirement doesn't have a clear owner, it defaults upward — and eventually lands on the security leader's desk.",[16,5991,5992],{},"This is a governance problem masquerading as an efficiency problem. When the CISO is the catch-all for unassigned compliance obligations, two things happen: the CISO spends time on operational tasks that should be delegated, and the organization's compliance program lacks the distributed ownership structure it needs to function at scale.",[16,5994,5995],{},"The CISO's role in PCI should be strategic: defining the program, setting the accountability structure, owning the relationship with assessors, and reporting to the board on risk posture. The moment the CISO is personally responsible for reviewing firewall rule changes or validating log configurations, something in the ownership model has broken down.",[16,5997,5998],{},"A well-structured PCI program distributes operational ownership to the teams closest to the work — and gives the CISO visibility into all of it without requiring their direct involvement in any of it.",[5886,6000],{},[11,6002,6004],{"id":6003},"what-getting-it-right-actually-looks-like","What Getting It Right Actually Looks Like",[16,6006,6007],{},"The organizations that manage PCI compliance most effectively share a few traits. Their role assignments are documented at the function level and reviewed on a regular cadence. Their business unit owners understand their obligations — not just their technical ones. Their vendor relationships have named internal owners with active oversight responsibilities. 
And their CISO has clear visibility into the program without being buried in its day-to-day operations.",[16,6009,6010],{},"None of this requires a larger team. It requires a more deliberate structure.",[16,6012,6013],{},"PCI compliance isn't won or lost in the technical controls. It's won or lost in the clarity of who owns them, who monitors them, and who is accountable when they fail.",[5886,6015],{},[16,6017,6018],{},[30,6019,6020],{},"Is your PCI ownership model as clear as you think it is?",[16,6022,6023,6024,6028,6029,6032],{},"At ",[376,6025,6027],{"href":6026},"\u002F","episki",", we help security leaders build compliance programs where accountability is real — not just documented. From role mapping to third-party oversight to board-level reporting, we work alongside your team to make sure your ",[376,6030,6031],{"href":3786},"PCI"," program holds up when it matters most.",[16,6034,6035],{},[376,6036,6038],{"href":3673,"rel":6037},[380],"Let's talk →",[5886,6040],{},[16,6042,6043],{},[6044,6045,6046],"em",{},"Compliance on paper isn't compliance. It's paperwork.",{"title":384,"searchDepth":385,"depth":385,"links":6048},[6049,6050,6051,6052,6053,6054],{"id":5904,"depth":385,"text":5905},{"id":5929,"depth":385,"text":5930},{"id":5947,"depth":385,"text":5948},{"id":5970,"depth":385,"text":5971},{"id":5985,"depth":385,"text":5986},{"id":6003,"depth":385,"text":6004},"craft","2026-04-15","Unclear ownership is one of the most common — and costly — failures in PCI compliance. 
Here's what security leaders get wrong about defining roles, and how to fix it.",{"src":6059},"\u002Fimages\u002Fblog\u002FPCI.jpg",{"slug":6061},"defined-roles-pci-compliance-mistakes","\u002Fnow\u002Fdefined-roles-pci-compliance-mistakes",{"title":5870,"description":6057},"3.now\u002Fdefined-roles-pci-compliance-mistakes","0u0CncSJsrHMYJZWMH_BzWgau-vuQTBQ7NdBBVQMz7Q",{"id":6067,"title":6068,"advantages":6069,"body":6091,"checklist":6098,"cta":6107,"description":6095,"extension":405,"faq":406,"hero":6110,"meta":6118,"name":6119,"navigation":410,"path":6120,"resources":6121,"seo":6134,"slug":6137,"stats":6138,"stem":6148,"__hash__":6149},"industries\u002F6. industry\u002F1.healthcare.md","Healthcare",[6070,6077,6084],{"title":6071,"description":6072,"bullets":6073},"PHI-aware control mapping","Map administrative, technical, and physical safeguards to your stack without rebuilding every audit.",[6074,6075,6076],"Track EHR, identity, and cloud evidence with structured ownership","Track segmentation, backups, and log retention against HIPAA safeguards","Map once for HIPAA and reuse for HITRUST or regional requirements",{"title":6078,"description":6079,"bullets":6080},"Clinician-friendly workflows","Keep nurses, clinicians, and ops aligned without burying them in tickets.",[6081,6082,6083],"Role-aware tasks routed to the right owner with due dates","Playbooks show “what good looks like” for PHI handling","Attestations and approvals captured inline for auditors",{"title":6085,"description":6086,"bullets":6087},"Auditor and partner collaboration","Give regulators, payers, and partners scoped access instead of email threads.",[6088,6089,6090],"Auditor portal with threaded Q&A per safeguard","Secure uploads with expirations and access controls","Exports for SOC 2, PCI, or privacy questionnaires",{"type":8,"value":6092,"toc":6096},[6093],[16,6094,6095],{},"Healthcare buyers move fast when they trust your safeguards. 
episki keeps PHI protections documented, monitored, and shareable without slowing product or patient care.",{"title":384,"searchDepth":385,"depth":385,"links":6097},[],{"title":6099,"description":6100,"items":6101},"Healthtech compliance checklist","Use this inside your trial to assign owners, attach evidence, and track renewals.",[6102,6103,6104,6105,6106],"HIPAA safeguard library mapped to your systems","BAA tracker with renewal reminders and risk scoring","Incident response runbooks with timelines and owners","Access, logging, and backup verification tasks","Third-party risk reviews tied to PHI data flows",{"title":6108,"description":6109},"Launch a healthtech-ready workspace","Connect your stack, invite stakeholders, and show PHI protections the same day.",{"headline":6111,"title":6112,"description":6113,"links":6114},"HIPAA-grade governance without slowing clinicians","Keep PHI protections provable across cloud apps, clinics, and vendors","episki maps safeguards, automates evidence, and gives auditors scoped access so healthtech teams can keep shipping.",[6115,6117],{"label":6116,"icon":3667,"to":378},"Start healthtech trial",{"label":3669,"icon":3670,"color":3671,"variant":3672,"to":3673,"target":3674},{},"healthcare and healthtech","\u002Findustry\u002Fhealthcare",{"headline":6122,"title":6122,"description":6123,"items":6124},"Healthcare enablement kit","Keep leadership, clinicians, and auditors aligned on the same story.",[6125,6128,6131],{"title":6126,"description":6127},"PHI data flow deck","Share sanitized diagrams plus segmentation notes for customers and partners.",{"title":6129,"description":6130},"Board + payer brief","Summarize control health, incidents, and remediation in plain language.",{"title":6132,"description":6133},"Auditor-ready workspace","Prebuilt template for requests, evidence, and walkthrough scheduling.",{"title":6135,"description":6136},"Healthcare Compliance Software","HIPAA-ready GRC for healthtech teams. 
Map safeguards, track PHI evidence, and collaborate with auditors in one secure workspace. Start your free trial.","healthcare",[6139,6142,6145],{"value":6140,"description":6141},"30-day rollout","Move from baseline controls to monitored safeguards in under a month.",{"value":6143,"description":6144},"PHI-safe sharing","Role-based portals keep BAAs, policies, and diagrams organized and protected.",{"value":6146,"description":6147},"Continuous watch","Drift detection across access, logging, vendors, and incidents.","6. industry\u002F1.healthcare","831E5Bdk5x1SUBhE8YrTZtQjqMJj9Q3vjQivX_AG0IQ",1776395340768]