CMMC

Frequently Asked Questions

Navigating the Department of Defense Cybersecurity Maturity Model Certifications process isn’t easy. You have questions and we’re committed to giving you straight-forward answers.

Your Questions Answered

What is Cybersecurity Maturity Model Certification (CMMC)?

CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). CMMC is a critical element of DoD’s overall Information Protection strategy. The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.

Why was CMMC created?

CMMC was created to bprovide a baseline cybersecurty framework and maturity model based on data governance and driven by organizationally defined documentation, protections, and process institutionalization. DoD is migrating to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector. The CMMC is intended to serve as a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

When is the Interim Defense Federal Acquisition Regulation Supplement (DFARS) rule implementing CMMC (DFARS case 2019-D041) effective?

The interim rule became effective on November 30, 2020. The public review and comment period for DFARS Case 2019-D041 ended on November 30, 2020. Due to its designation as a major rule change, the interim rule must also complete a Congressional Review.

Will other Federal (non-DoD) contracts use CMMC?

The initial implementation of the CMMC will only be within the DoD and will be implemented through DFARS clause 252.204-7021. Additional Federal agencies and international organizations are considering CMMC.

What is the relationship between National Institute of Standards Technology (NIST) Special Publication (SP) 800-171 and CMMC?

CMMC Level 3 includes the 110 security requirements specified in NIST SP 800-171. The CMMC Model also incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM).

How will CMMC be different from NIST SP 800-171?

Unlike NIST SP 800-171, the CMMC model possesses five levels. The model is cumulative whereby each level consists of practices and processes as well as those specified in the lower levels. The CMMC Model includes additional cybersecurity practices in addition to the security requirements specified in NIST SP 800-171. In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s maturity processes.

What is the CMMC-AB?

The CMMC Accreditation Body is an independent organization tasked to accredit Third-Party Assessment Organizations (3PAOs) and individual assessors. The CMMC-AB has already trained Provisional Assessors and Registered Practitioners who can help companies that are interested in becoming an authorized and accredited C3PAO. The CMMC-AB will be required to achieve compliance with the ISO/IEC 17011, Conformity Assessment – Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies.The CMMC-AB will be required to achieve compliance with the ISO/IEC 17011, Conformity Assessment – Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies.For companies interested in becoming a C3PAO, refer to the CMMC-AB website. They provide the DoD requirements and manage the registration process.

What does CMMC mean for U.S. Defense Industrial Base contractors?

Companies must have at least a Level 1 CMMC certification to qualify as a government contractor. Even subcontractors must have a CMMC certification.The DoD estimates that about 300,000 government contractors will need to be certified to be eligible for contract opportunities. If qualifying contractors prepare as early as today, it could lead to positive end results. For starters, organizations can begin documenting practices and procedures that comply with the CMMC requirements. Also, you can plan ahead and implement security controls to obtain the highest security certification – Level 5.

Will other Federal contracts require a CMMC certification?

No. Initially, the implementation of the CMMC framework will begin within the DoD. That means non-DoD contracts won’t require a CMMC certification.

When does CMMC take effect?

As of 2020, prime contractors and subcontractors need a CMMC certification to be eligible for some new DoD contracts. By 2026, all DoD contracts suppliers will require a CMMC certification prior to contract award. According to the DoD, there will be contract opportunities for every tier of the maturity model.

What CMMC level does a company need?

The CMMC maturity level that a qualifying government contractor needs to meet depends on the sensitivity of the information that they’re going to handle.

Who performs CMMC assessments?

Only an Authorized and Accredited Third-Party Assessment Organization (C3PAO) can perform CMMC assessments and issue certificates based on the results. These C3PAOs must comply with DoD requirements and ISO/IEC 17020 to be authorized to perform CMMC assessment. They need to be accredited by the CMMC Accreditation Body within 27 months from their registration. However, the CMMC-AB can authorize C3PAOs to perform assessments prior to their accreditation.

What is a CMMC Third Party Assessment organization?

Authorized and Accredited C3PAOs are responsible for conducting the CMMC assessments of DIB companies’ unclassified networks and then issuing appropriate CMMC certificates based on the results of the assessments.Authorized C3PAOs must meet DoD requirements and a subset of the ISO/IEC 17020, Conformity Assessment – Requirements for the Operation of Various Types of Bodies Performing Inspection requirements prior to being authorized to conduct CMMC assessments and issue certifications. The CMMC-AB can authorize C3PAOs to conduct CMMC assessments prior to the C3PAO achieving accreditation.Accredited C3PAOs must meet all DoD requirements and achieve full compliance with ISO/IEC 17020. C3PAOs must be accredited by the CMMC-AB within 27 months of their registration.

Who will perform the CMMC Assessments?

Only CMMC Accredidation Board (AB) authorized and accredited C3PAOs who are listed on the CMMC-AB Marketplace website will be able to conduct CMMC assessments. C3PAOs shall use only Authorized or Certified CMMC assessors for the conduct of CMMC assessments.

How will my organization become certified?

DIB companies will select one of the Authorized or Accredited C3PAOs from the CMMC-AB Marketplace website. The DIB company and the selected C3PAO will coordinate and plan the CMMC assessment as well as complete appropriate contractual agreements. After the completion of the CMMC assessment, the C3PAO will provide an assessment report and if there are no deficiencies, issue the appropriate CMMC certificate to the DIB company for the specified certification boundary. The C3PAO will also submit a copy of the assessment report and CMMC certificate to the DoD.

Are self-certification allowed?

CMMC doesn’t allow self-certification. However, qualifying contractors are encouraged to conduct self-assessments using the DoD’s Assessment Guides, which can be found on their website.

How can an organization be certified?

A DIB company can select an Authorized and Accredited C3PAO from the CMMC-AB website marketplace. Together, they will coordinate and plan for a CMMC assessment. You’ll have to indicate the level of cybersecurity maturity that you want to be assessed for. Then, you’ll set a date for the evaluation. After the assessment, the C3PAO will deliver a detailed report to the DIB company. If it finds no deficiencies in the company’s infrastructure, then it will issue an appropriate certificate. The C3PAO will also forward a copy of the report and certificate to the DoD.

Are the results of my assessment public? Does the DoD see my results?

No, the detailed results of a CMMC assessment and the specific CMMC certification levels will not be made public. The only information that will be publically available is that your company has a CMMC certification.The DoD will have access to all DIB companies’ CMMC certificates, which will be posted on the CMMC Enterprise Mission Assurance Support Services (eMASS) database and on the Supplier Performance Risk System (SPRS).

How much does a CMMC certification cost?

The cost of an assessment depends on multiple factors—CMMC level and the complexity of the DIB company’s unclassified network to name a few. The CMMC assessment costs will depend upon several factors to include the CMMC level, the complexity of the DIB company’s unclassified network for the certification boundary, and other market forces. The Department of Defense provided rough order of magnitude cost estimates for CMMC assessments as part of the Federal Register Notice for Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041.

What if my organization can not afford to be certified?

The costs associated with implementing CMMC requirements, supporting the CMMC assessment, and contracting with the C3PAO will be considered an allowed cost. For contracts that include the CMMC requirement, you will not be awarded the contract if you are not certified at the appropriate CMMC level at the time of contract award.

Does an organization that doesn’t handle CUI still need to be certified?

If an organization doesn’t handle CUI but possesses FCI, then it must comply with FAR clause 52.203-21. It must also have a Level 1 certification. Companies that only produce Commercial-Off-The-Shelf (COTS) products are exempt from getting a CMMC certification.

How often does an organization have to be reassessed?

A CMMC certificate is only valid for three years. To be eligible for new contract opportunities, your company needs to be reassessed every three years.

If a DIB company’s unclassified network gets compromised, will their CMMC certification be revoked?

A DIB company won’t lose its CMMC certification after a single incident. However, it’ll depend mostly on the circumstances of the cybersecurity incident. A reassessment might be required depending on the incident.

I am a subcontractor on a DoD contract. Does my organization need to be certified?

If the DoD contract has a CMMC requirement and so long as your company does not solely produce COTS products, you will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowed down from your prime contractor.

How will I know what level of certification is required for a contract?

The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).

Will CMMC certifications and the associated third-party assessments apply to classified systems and/or classified environments within the Defense Industrial Base?

CMMC applies to only DIB contractor’s unclassified networks that process, store or transmit FCI or CUI.

What is the CMMC phased rollout plan?

The Department is implementing CMMC through a phased rollout approach. Until September 30, 2025, the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in any solicitation.The DoD is currently working with military Services and Defense Agencies to identify candidate programs that will implement CMMC requirements during the FY2021-FY2025 phased rollout. During the first year of the rollout, the Department will require no more than 15 new Prime acquisitions to meet CMMC requirements as part of a CMMC pilot program. These contracts will focus on mid-sized programs that require the contractor to process or store CUI (CMMC Level 3). Primes will be required to flow down the appropriate CMMC requirement to their subcontractors.For subsequent fiscal years of the rollout, the Department intends to incorporate CMMC Levels 4 and 5 on a small number of contracts while increasing the quantity of Prime acquisitions that include a CMMC requirement to the following targets:

What is CAICO?

The CMMC Assessors and Instructors Certification Organization, which is called CAICO, will be responsible for managing the training, testing, and certification of candidate assessors and instructors. To be authorized and accredited, they must be in full compliance with DoD requirements, ISO/IEC 17024, and more.

What is Controlled Unclassified Information (CUI?)

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and https://www.dodcui.mil/Home/DoD-CUI-Registry/ and includes the following organizational index groupings: Critical Infrastructure, Defense, Export Control, Financial, Immigration, Intelligence, International Agreements, Law Enforcement, Legal, Natural and Cultural Resources, NATO, Nuclear, Privacy, Procurement and Acqusition, Proprietary Business Information, Provisional, Statistical, Tax. Resources, including online training to better understand CUI can be found on National Archives’ website at https://www.archives.gov/cui/training.html as well as the Department of Defense’s website https://www.dodcui.mil/.

Questions adapted courtesy of official CMMC government siteThe Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))

Still have some questions? We’re here to help you. Send us the questions you want answered and we’ll add them to our growing list.

Let’s Talk

Why wait? Empower yourself and your business. We can do this, together.