Question 1

What is CMMC 2.0?

Accepted Answer

CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for verifying that defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The final rule became effective December 16, 2024, with phased enforcement beginning in 2025. It streamlines the original five levels into three: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).

Question 2

What are the three CMMC levels?

Accepted Answer

Level 1 (Foundational) requires 17 practices for FCI protection via annual self-assessment. Level 2 (Advanced) requires 110 practices aligned to NIST SP 800-171 Rev 2 for CUI protection, assessed triennially by a C3PAO. Level 3 (Expert) requires 134 practices incorporating NIST SP 800-172 controls, assessed by DIBCAC for the highest-sensitivity CUI programs.

Question 3

When does CMMC go into effect?

Accepted Answer

The CMMC 2.0 final rule became effective December 16, 2024. Enforcement follows a phased rollout: Phase 1 begins with Level 1 and Level 2 self-assessments appearing in new contracts. Phase 2 introduces Level 2 C3PAO certification requirements. Phase 3 adds Level 3 DIBCAC assessments. Full implementation is expected by 2028.

Question 4

How long does CMMC certification take?

Accepted Answer

Timeline varies by level and current maturity. Level 1 self-assessments can be completed in weeks. Level 2 certification typically takes 6-12 months including gap remediation, evidence preparation, and C3PAO assessment scheduling. Thalorin accelerates this by automating gap analysis, generating remediation plans, and continuously collecting evidence so you're assessment-ready faster.

Question 5

Does Thalorin support CMMC Level 3?

Accepted Answer

Yes. Thalorin supports all three CMMC levels. For Level 3, the platform maps the additional NIST SP 800-172 enhanced security requirements, tracks implementation across all 134 practices, and prepares evidence packages for DIBCAC assessment. Our air-gapped deployment option ensures the platform itself meets the security requirements of high-sensitivity CUI environments.

Question 6

Can Thalorin deploy on-premises for CUI environments?

Accepted Answer

Yes. Unlike cloud-only compliance platforms, Thalorin offers cloud, on-premises, air-gapped, and hybrid deployment options. For organizations handling CUI, on-premises or air-gapped deployment ensures the compliance platform itself operates within your controlled environment with FIPS 140-2 validated cryptography.

Question 7

How does CMMC relate to NIST 800-171?

Accepted Answer

CMMC Level 2 is directly aligned with NIST SP 800-171 Rev 2 — the 110 CMMC Level 2 practices map one-to-one to the 110 security requirements in NIST 800-171. If you've already implemented NIST 800-171, you've done the technical work for CMMC Level 2. Thalorin's Feynman Engine maps these relationships automatically, so evidence collected for NIST 800-171 carries over to CMMC.

Question 8

What is a C3PAO?

Accepted Answer

A C3PAO (CMMC Third-Party Assessment Organization) is an accredited organization authorized by the CMMC Accreditation Body (the Cyber AB) to conduct Level 2 certification assessments. C3PAOs employ certified assessors who evaluate whether an organization meets all 110 Level 2 practices. Thalorin prepares your environment for C3PAO assessment with pre-assessment gap analysis and organized evidence packages.

Self-Assessment

C3PAO Certification

Level 3 DIBCAC

Full Implementation

Three levels. One path to certification.

How Thalorin supports CMMC

Gap Analysis

Practice Implementation

Evidence Automation

POA&M Management

Supply Chain Flow-Down

Continuous Monitoring

CMMC work carries over

Deploy where CUI lives

Cloud

On-Premises

Air-Gapped

Hybrid