The cybersecurity landscape for defense contractors is changing quickly and permanently. CMMC is rapidly becoming a mandated reality, and only those who prepare now will be able to maintain their Department of Defense contracts in the future.

Whether you are a prime or a subcontractor, you have likely seen an increase in RFIs asking about your CMMC status. You probably have noticed flow-down clauses referencing NIST SP 800-171. You and your team have perhaps been busy with internal discussions about how to interpret the new requirements. The CMMC clock is ticking—and waiting may mean missed opportunities.

Common Contractor Questions About CMMC

Many contractors are asking the same questions:

  • “Are we on the right path?”
  • “What exactly do we need to prove to whom and by when?”
  • “Can we keep our current contracts without a CMMC certification?”
    At Smithers, we understand these are not just questions but strategic benchmarks.

    As an authorized C3PAO, we help you interpret the present and prepare for the future. With a measured and well-structured approach, we help you navigate the CMMC certification process so you can meet the moment with confidence.

    Smithers C3PAO Services

    CMMC Level 2 Certification Assessments

    For contractors handling Controlled Unclassified Information (CUI), a successful Level 2 assessment is required. We evaluate your compliance with the 110 NIST SP 800-171 requirements, as outlined by the CMMC model.

    Readiness (Gap) Assessments

    Before undergoing a formal assessment, many organizations choose to identify potential gaps. Our readiness reviews are structured to simulate a real audit—without impacting your official certification timeline.

    The Continuous Assessment Process

    To learn more about our continuous assessment offering, read our page on why to choose Smithers as your C3PAO.

    Level 1 and Level 2 Assessment of the client's self-assessment.

    The assessment will be conducted using the same processes and standards as a certification assessment. A third-party assessment offers credibility to the results and supports the organization executive or officer who signs the annual affirmation.

    Common Questions for C3PAOs

    What is a SPRS Score?

    SPRS stands for Supplier Performance Risk System. It is the platform into which contractors need to add their compliance scores. Learn more about SPRS scores.

    What is ITAR?

    ITAR stands for International Traffic in Arms Regulations. Companies that are ITAR-registered are handling controlled unclassified information. Learn more about ITAR and its relationship to CMMC.

    Check out the Department of Defense CMMC FAQs

    The office of DOD CIO has posted some helpful questions and answers about CMMC.

    About Smithers

    Founded in 1925 and headquartered in Akron, Ohio, Smithers is a multinational provider of testing, consulting, information, and compliance services. With laboratories and operations in North America, Europe, and Asia, Smithers supports customers in the transportation, life science, packaging, materials, components, consumer, cannabis, dry commodities, and energy industries. Smithers delivers accurate data, on time, with high touch, by integrating science, technology, and business expertise, so customers can innovate with confidence. Smithers is an authorized C3PAO and can be found on the CyberAB Marketplace.

    Image of airplane in the sky by Joshua Hoehne on Unsplash.
