How Does CMMC Differ from NIST SP 800-171?
CMMC is based on a tiered model comprised of three levels. Each level contains a set of practices designed to ensure that effective IT security measures are implemented to safeguard CUI. The CMMC framework encompasses the guidelines specified in NIST SP 800-171 as well as cyber security standards from various other compliance programs.
Which Level of Certification is Required for a DOD Contract?
In general, the DOD will determine the appropriate level of CMMC certification based on the contract an organization bids for. The specific level requirements will be furnished when a contractor submits a request for information (RFI) or request for proposal (RFP) for a given contract acquisition.
How is CMMC Certification Obtained?
In order to receive CMMC certification, organizations must undergo an assessment with an authorized C3PAO. Should the organization pass the audit, the C3PAO will issue a certificate in accordance with the targeted CMMC level. The certificate and the results of the audit will be forwarded to the DOD, essentially granting the company contract eligibility.
What is the Cost of CMMC Certification?
The amount a contractor pays for CMMC certification is dependent on a number of factors. The desired level of certification as well as the size and complexity of the company’s IT network is among the variables that will be considered.
What About Recertification?
CMMC certifications are generally based on a triennial lifecycle. As it stands, contractors will need to undergo reassessment every three years in order to obtain subsequent certification.
How Long Do I Have?
The DOD has targeted October 1, 2025 as the final deadline for CMMC compliance. From there, certification will be required to obtain any contracted work with the DOD. The amount of preparation required may vary greatly depending on the contract, so time is of the essence.
Are There Any Exceptions?
CMMC compliance does not apply to contractors that specialize in commercial off-the-shelf (COTS) offerings. Exclusively applicable to hardware and software programs, COTS is defined by three characteristics:
- Distribution in large quantities on the commercial marketplace
- Typically used by the general public or commercial entities for non-government applications
- Made available to government entities without alterations