Myths vs rules.
What people say about CMMC, checked against what the rule actually says.
Some of what circulates about CMMC is close enough to be useful shorthand. Some of it is wrong in a way that costs a contract, a POA&M window, or a false sense of coverage. Each entry below states the myth plainly, then quotes or cites the rule it is actually measured against. The myth is never this desk’s claim — it is the thing being checked.
01Eight myths, checked
None of these are edge cases — they are the misunderstandings this desk hears most often, in roughly the order they tend to cause a problem.
Myth 1 of 8
Myth
“CMMC applies to everyone, starting now.”
What the rule says
CMMC phases in over four years by rule, not all at once, and it always arrives through a specific contract clause — not a blanket industry mandate. Phase 1 began 2025-11-10 with self-assessments and affirmations in new solicitations; Phase 2 (2026-11-10) adds C3PAO certification where a solicitation requires it; Phase 3 (2027-11-10) phases in Level 3; Phase 4 (2028-11-10) reaches full implementation, including option periods on existing contracts. The System covers all four phases.
32 CFR 170.3(e)Myth 2 of 8
Myth
“Level 2 always means hiring a C3PAO.”
What the rule says
“DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award… DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status.” Self-assessment is the rule’s default; a C3PAO certification applies where a specific solicitation calls for it.
32 CFR 170.3(e)(1)Myth 3 of 8
Myth
“A POA&M lets you defer almost anything.”
What the rule says
Conditional status requires a score of at least 88 of 110, every open POA&M item worth just 1 point (with one named exception at 3 points), six specific requirements that can never be POA&M’d regardless of score, and a 180-day closeout clock that does not extend. Evidence, SSP & POA&M has the full mechanics.
32 CFR 170.21(a)(2), (b)Myth 4 of 8
Myth
“Our MSP handles CMMC, so it’s not really our assessment.”
What the rule says
“A non-CSP ESP does not make the client’s responsibility disappear. Its services, responsibility matrix, and the client infrastructure that connects to it become part of the assessment story.” An ESP’s services used to meet an OSA’s requirements are assessed inside the OSA’s own assessment scope — not instead of it. Scope & Boundary covers ESP and CSP roles in full.
32 CFR 170.16(c)(3); 170.17(c)(6)Myth 5 of 8
Myth
“Even a company that only sells commercial off-the-shelf products needs CMMC.”
What the rule says
Contracts exclusively for COTS items are the one clear exemption named directly in the CMMC applicability rule. The exemption is narrow — it covers the COTS contract itself, not a company’s other work — but where it applies, it applies cleanly. Glossary has the full COTS entry.
32 CFR 170.3(c); FAR 2.101Myth 6 of 8
Myth
“Once you’re certified, you’re done.”
What the rule says
A CMMC Status is a point-in-time score with two ongoing obligations layered on top — an annual affirmation at every level, and a reassessment (self or C3PAO, matching the original path) at least once every three years. Either one lapsing ends the status, whether or not the underlying security posture has changed. The Assessment covers both clocks.
32 CFR 170.16(a)(1); 170.17(a)(1); 170.22Myth 7 of 8
Myth
“CMMC requires buying new security tools.”
What the rule says
The 110 requirements describe security outcomes — access is controlled, CUI is encrypted, incidents get handled — not which product delivers them. An assessor checks whether the outcome is in place by examining documents, interviewing staff, and testing mechanisms. Which tool, if any, gets an organization there is an implementation choice the rule doesn’t make — not a line item on the vendor’s box.
NIST SP 800-171A (assessment methods); see Evidence, SSP & POA&MMyth 8 of 8
Myth
“You can self-attest at any level.”
What the rule says
Level 1 is always self-assessed. Level 2 is self-assessed or C3PAO-certified, decided by the contract. Level 3 is never self-assessed — DCMA DIBCAC, a government assessor, performs it, and only after a Final Level 2 (C3PAO) status on the same scope. The Levels has the full table.
FAR 52.204-21; 32 CFR 170.3(e)(1); 170.19(e)02Sources
| Document | What it’s for |
|---|---|
| 32 CFR 170.3 | Phase-in schedule, the Level 2 self-or-C3PAO choice, and the COTS exemption. |
| 32 CFR 170.16 / 170.17 | ESP treatment within assessment scope; self vs. certification procedure. |
| 32 CFR 170.19 | Level 3’s government-assessor-only path and its Level 2 prerequisite. |
| 32 CFR 170.21 | POA&M eligibility, limits, and the 180-day closeout clock. |
| 32 CFR 170.22 | Annual affirmation requirements. |
| FAR 52.204-21 | Level 1’s 15 requirements, always self-assessed. |
| FAR 2.101 | The commercial item / COTS definition underlying the exemption. |
| NIST SP 800-171A | The examine/interview/test assessment methods. |