
Answering the Top 10 Questions from Our CMMC Readiness Webinar

Kevin Hancock

Insights for the Defense Industrial Base (DIB) from the Perspective of Primes, Suppliers, and Compliance Experts 

CMMC 2.0 is here, and if you work with contracts in the Defense Industrial Base (DIB), you need to be compliant. However, for many organizations, understanding what is required can feel too complicated or daunting, so we have done our best to answer the key questions being asked. With the right guidance and understanding, and by staying on top of CMMC requirements, compliance is achievable.

With CMMC 2.0 now officially live, compliance is no longer optional; it’s a contractual obligation. Yet with new requirements, changing rules, and inconsistent guidance, it’s understandable that many are wondering where to start. 

We hosted a CMMC Readiness Webinar with Aviation Week to provide clarity on what CMMC requires and share strategies from primes, suppliers, and compliance experts to move forward with confidence. 

 

Aviation Week 2025 Webinar

 

The strong level of engagement made it clear that CMMC readiness is top of mind, and people have questions. Participants shared a record number of queries on everything from secure file sharing and SPRS scores to how CMMC applies to small businesses and subcontractors. 

In this blog, we’ve compiled and answered the top 10 most frequently asked questions from the webinar, with guidance to help your organization build a plan for CMMC compliance with confidence. 

1. Are legacy markings like ITAR or FOUO considered CUI? 

Not necessarily, but in many cases they are.

Legacy markings such as ITAR (International Traffic in Arms Regulations), FOUO (For Official Use Only), and SBU (Sensitive But Unclassified) don’t automatically qualify as Controlled Unclassified Information (CUI) under the Department of Defense’s current framework. However, if data with these markings relates to defense contracts, sensitive government operations, or export controls, it most likely does fall under the CUI category. 

How should contractors handle legacy markings? 

Always verify with your prime contractor or contracting officer which data elements in your environment qualify as CUI under your contract. They can clarify which specific elements fall within scope. 

Quick tip: If you’re unsure, treat it like CUI until you receive clarification, and make sure to document those conversations in your System Security Plan (SSP). 

2. Are trade secrets considered CUI? 

Only if they’re tied to a federal contract. 

In most cases, Intellectual Property (IP) law protects trade secrets related to your internal operations or commercial products, but they are not classified as CUI. However, if you submit your trade secrets as deliverables or develop them under a DoD-funded program, they may be designated as CUI. 

When trade secrets become CUI 

Trade secrets could be considered CUI in situations such as: 

  • A technical drawing or design included in a DoD contract deliverable 
  • Manufacturing processes or software code developed specifically for a government-funded project 
  • Export-controlled data covered under ITAR or EAR that’s also classified as CUI 

In these cases, context is everything. The same piece of information might not be CUI internally but would be considered CUI once it becomes part of a DoD contract or is governed by DFARS 252.204-7012. 

Bottom line: If trade secrets are shared with the government under contract, they could be CUI. 

3. Which assessment guide should I use: NIST 800-171A or the CMMC 2.0 Assessment Guide?

Use both, but for different reasons. 

The CMMC 2.0 Assessment Guide (Level 1 or Level 2) is your go-to resource for structuring your self-assessment or third-party audit prep. It provides structure, defines scope, and outlines documentation requirements.

Meanwhile, NIST SP 800-171A Rev. 2 serves as a technical companion, offering detailed evaluation methods for each control. 

How to use each guide effectively: 

  • Use the CMMC 2.0 Assessment Guide (Level 1 or Level 2) for structure, scoping, and documentation requirements. 
  • Use NIST SP 800-171A Rev. 2 for deeper technical evaluation methods and to validate how your controls are being implemented and assessed. 

Quick tip: Make sure your assessment approach aligns with the version specified in your contract or by your prime contractor. 

4. When was CMMC introduced, and what’s the current rollout timeline? 

CMMC was first introduced in 2019, but its foundations go back further. 

The Cybersecurity Maturity Model Certification (CMMC) was first announced in early 2019 in response to the increased threat of cyber-attacks and to how easily CUI held by DIB contractors and subcontractors could be accessed. The initial CMMC evolved from the requirements in NIST SP 800-171, which has governed the protection of Controlled Unclassified Information (CUI) in non-federal systems since 2017.

The original version of CMMC was more complicated and included five levels of compliance. However, after feedback from the industry, the Department of Defense introduced CMMC 2.0 in November 2021, which streamlined the process into three levels and is more aligned with existing NIST guidance. 

Where are we now in the rollout? 

The CMMC 2.0 program has now officially become active. On September 10, 2025, the U.S. Department of Defense published the final rule in the Federal Register; the rule became effective November 10, 2025, at which point contracting officers may begin including the new contract clauses for CMMC compliance. New solicitations and contract awards may require CMMC Level 1 or Level 2 self‑assessment, or third-party certification as specified by the contract. 

What should you be doing now? 

  • Review your current cybersecurity posture against NIST 800-171 controls 
  • Identify and close any policy or documentation gaps 
  • Centralize evidence that will support future assessments 
  • Stay informed on the rulemaking progress 

Bottom line: You don’t need to wait. If you’re in the DIB, assume CMMC applies now, or soon will. 

5. If we’re a small sub-prime with limited federal work, is CMMC worth it? 

The short answer is yes, if defense contracts are even a small part of your strategic growth. 

For many small businesses, it might seem easy to just push CMMC compliance aside and focus on other priorities. But if defense contracts make up any part of your business, the CMMC standard is essential to maintaining and expanding those opportunities. 

Even if DoD contracts only make up a fraction of your revenue today, non-compliance could block you from future bids, or get your business removed from a prime contractor’s approved supplier list.

Why it matters: 

CMMC requirements flow down to subcontractors, especially if your organization handles: 

  • Federal Contract Information (FCI) 
  • Controlled Unclassified Information (CUI) 

Start by understanding your scope 

The best first step is to identify the type of information you handle: 

  • FCI: CMMC Level 1 self-assessment may be sufficient 
  • CUI: you’ll likely need to meet CMMC Level 2, which may require third-party certification 

Understanding what type of information you manage and your contract obligations can help you right-size your effort and avoid surprises when a contract requires compliance on short notice. 

Bottom line: CMMC is a competitive differentiator. If defense contracts are part of your strategy, even marginally, it’s worth the investment. 

6. How do we determine which level we need, especially if we’re referred to as COTS? 

Look at your business model: first determine whether you qualify as a COTS provider, then decide whether you ever have to handle sensitive contract information.

If your business sells Commercial Off-the-Shelf (COTS) products in the commercial marketplace, and those products are used by or provided to the DoD without modification, then you might not need CMMC compliance. This is an exemption built into the CMMC 2.0 framework to avoid placing a compliance burden on vendors who don’t actually process or store federal data.

The problem is that COTS is often incorrectly applied, or outright misunderstood. It’s important to validate your status carefully.  

What qualifies as COTS? 

To meet the official COTS exemption under federal acquisition rules, your product must: 

  • Be sold in substantial quantities in the commercial marketplace 
  • Be provided to the government without modification 

If your product or service meets both criteria, plus, your business doesn’t handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of your work, then CMMC likely doesn’t apply to your contract. 

When CMMC 2.0 still applies 

Even if you consider yourself a COTS provider, you may still fall under CMMC if you: 

  • Process purchase orders or respond to RFQs containing contract details 
  • Store or transmit FCI, which would trigger a CMMC Level 1 requirement 
  • Handle or process CUI, which requires CMMC Level 2 certification 

Bottom line: “COTS” isn’t a free pass. Confirm your data handling responsibilities with your prime or contracting officer. 

7. How do we work with primes or customers to identify CUI when data is legacy-marked or unclear? 

Start with your contract, and then ask your prime. 

Primes and contracting officers are responsible for designating what qualifies as CUI under the DoD CUI Registry. Don’t rely on old FOUO or ITAR labels; ask for clarity, provide examples, and document the outcome. 

Once determined, record those decisions in your System Security Plan (SSP) as part of your assessment evidence. 

Quick Tip: Legacy markings do not equal CUI. Only the DoD registry plus contract language determine what needs protection. 

8. Is there a list of CMMC third-party assessors (C3PAOs)? 

Yes, there’s an official directory you can access anytime. 

The Cyber-AB (formerly the CMMC Accreditation Body) maintains the list of authorized Certified Third-Party Assessment Organizations (C3PAOs). This directory is regularly updated to reflect organizations that are fully authorized to conduct CMMC Level 2 certification assessments. 

View the official C3PAO Marketplace here 

9. What’s the best way to transmit CUI securely, if not by email? 

Let’s face it: there are risks to sharing CUI over email. Use a secure, access-controlled file sharing solution designed for compliance, such as Exostar’s Managed Microsoft 365.

Even if your email program uses encryption, it often lacks the access controls, audit logging, and policy enforcement needed to meet CMMC 2.0 and NIST SP 800-171 requirements. If your organization needs to transmit CUI, it’s essential to use a secure file exchange solution that is designed with compliance in mind.

Recommended alternatives for transmitting CUI: 

  • Use an access-controlled, encrypted file-sharing platform that complies with NIST 800-171 and includes features like data expiration, download controls, and recipient authentication. 
  • Require multi-factor authentication (MFA) for all users accessing CUI to reduce the risk of unauthorized access, even if credentials are compromised. 
  • Leverage federated identity solutions that allow you to authenticate and authorize external partners without creating and managing standalone accounts. 
  • Enable audit logging and file access tracking to create a detailed record of who accessed the data, when, and what actions were taken. 

These secure methods not only reduce the risk of a data breach but also simplify your audit process by automatically generating evidence of compliant handling and transmission practices.

Quick Tip: Avoid sending CUI as email attachments, even encrypted ones, unless absolutely necessary and approved in your policies. Instead, use a compliant file transfer tool with encryption, user verification, and logging built in.
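To make the controls in the list above concrete, here is a small model of an access-controlled share as an added example. It is not Exostar's code and not part of any product the post mentions; the service class, the issuer names (idp.prime.example, idp.unknown.example) and the user names are constructed for illustration. Each download attempt is checked for a trusted (federated) identity provider, a completed MFA step, recipient authorization, expiration and a download limit, and every attempt, allowed or denied, is written to an audit trail that an assessor could review.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Session:
    user: str           # identity asserted by the identity provider (constructed sample values)
    issuer: str         # which identity provider vouched for the user (federated login)
    mfa_verified: bool  # whether the identity provider reported a completed MFA step


@dataclass
class Share:
    share_id: str
    file_name: str
    recipients: frozenset   # only these users may download
    expires_at: datetime    # data expiration
    max_downloads: int      # download control
    downloads: int = 0


@dataclass
class AuditEvent:
    timestamp: datetime
    share_id: str
    user: str
    issuer: str
    action: str
    outcome: str   # "allowed" or "denied"
    reason: str


class SecureShareService:
    """Hypothetical file-share service: every access decision is logged."""

    def __init__(self, trusted_issuers):
        self.trusted_issuers = frozenset(trusted_issuers)
        self.shares = {}
        self.audit_log = []

    def create_share(self, share_id, file_name, recipients, ttl, max_downloads, now):
        share = Share(share_id, file_name, frozenset(recipients), now + ttl, max_downloads)
        self.shares[share_id] = share
        return share

    def _record(self, now, share_id, session, outcome, reason):
        self.audit_log.append(AuditEvent(now, share_id, session.user, session.issuer,
                                         "download", outcome, reason))

    def download(self, share_id, session, now):
        """Return (allowed, reason). Checks run in order; the first failure denies."""
        share = self.shares.get(share_id)
        if share is None:
            reason = "unknown share"
        elif session.issuer not in self.trusted_issuers:
            reason = "untrusted identity provider"
        elif not session.mfa_verified:
            reason = "MFA not completed"
        elif session.user not in share.recipients:
            reason = "user is not an authorized recipient"
        elif now >= share.expires_at:
            reason = "share expired"
        elif share.downloads >= share.max_downloads:
            reason = "download limit reached"
        else:
            share.downloads += 1
            self._record(now, share_id, session, "allowed", "all checks passed")
            return True, "ok"
        self._record(now, share_id, session, "denied", reason)
        return False, reason

    def audit_trail(self, share_id):
        """Evidence of who touched a share, when, and with what outcome."""
        return [e for e in self.audit_log if e.share_id == share_id]


def demo():
    """Scripted sequence of access attempts against one constructed share."""
    t0 = datetime(2025, 11, 10, 9, 0, tzinfo=timezone.utc)
    svc = SecureShareService(trusted_issuers={"idp.prime.example"})
    svc.create_share("shr-1", "drawing-cui.pdf", {"alice@sub.example"},
                     ttl=timedelta(days=1), max_downloads=2, now=t0)
    ok = Session("alice@sub.example", "idp.prime.example", mfa_verified=True)
    attempts = [
        (ok, t0 + timedelta(hours=1)),                                              # allowed
        (Session("bob@sub.example", "idp.prime.example", True), t0 + timedelta(hours=1)),  # not a recipient
        (Session("alice@sub.example", "idp.prime.example", False), t0 + timedelta(hours=1)),  # no MFA
        (Session("alice@sub.example", "idp.unknown.example", True), t0 + timedelta(hours=1)),  # bad issuer
        (ok, t0 + timedelta(hours=2)),                                              # allowed (2nd download)
        (ok, t0 + timedelta(hours=3)),                                              # over download limit
        (ok, t0 + timedelta(days=2)),                                               # expired
    ]
    results = [svc.download("shr-1", s, when) for s, when in attempts]
    return results, svc


if __name__ == "__main__":
    results, svc = demo()
    for event in svc.audit_trail("shr-1"):
        print(event.timestamp.isoformat(), event.user, event.outcome, event.reason)
```

The order of the checks matters: identity and MFA are verified before the share itself is consulted, so a request from an untrusted provider never learns whether a share exists or has expired, and the denied attempts land in the same log as the allowed ones, which is what turns the log into assessment evidence rather than a download counter.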

10. How can I use my SPRS score, and why can’t I update it in Exostar?

Exostar does not provide a way to update your SPRS score, because that has to be done directly through the DoD’s Supplier Performance Risk System portal.  

The SPRS score (Supplier Performance Risk System) reflects how well your organization complies with NIST SP 800-171 requirements. It’s a critical indicator used by the Department of Defense to evaluate supplier cybersecurity risk, and in many cases, a current SPRS score is required to be eligible for contract awards. 

While Exostar provides tools like Certification Assistant to help you calculate and track your score internally, you must make the actual submission yourself through the DoD’s official SPRS site.

The official SPRS site is located here: https://www.sprs.csd.disa.mil/  

Next Steps: Turn CMMC Readiness into Confidence 

CMMC 2.0 compliance can feel complicated and overwhelming, but this doesn’t have to be the case. While we have tried to answer as many of your questions as we can, if you still have more you may want to view our recent Q&A webinar about NIST and CMMC Self-Assessment.

Right now, the businesses that are achieving the most success are the ones that: 

  • Start with a clear and well-documented readiness assessment 
  • Collaborate early with primes and contracting officers to define scope 
  • Use secure platforms to manage, transmit, and protect CUI 

At Exostar, we’ve built tools and programs to make that process faster, simpler, and more sustainable, whether you’re completing a self-assessment or preparing for a third-party audit.

Let’s simplify your CMMC journey 

Our CMMC Ready Suite gives you a centralized platform to manage your entire compliance program, from policy development and SPRS scoring to evidence collection and secure collaboration. Whether you’re a prime contractor or a small supplier, we help you move from uncertainty to audit-ready with confidence.

Ready to accelerate your CMMC readiness? Talk to an Exostar expert today
