10.05.21

Cybersecurity Maturity Model Certification FAQs

CMMC Frequently Asked Questions

What Is CMMC?

The Cybersecurity Maturity Model Certification is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). It is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Does My Business Need To Be CMMC Compliant?

Only if you hold government contracts and access, handle, or create Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). If you are uncertain, contact the Office of the Under Secretary of Defense for Acquisition & Sustainment.

What Is CUI?

CUI is information created or possessed by or on behalf of the Government that is not intended for public release. The CUI Registry lists the specific categories and subcategories of protected information. The CUI Registry can be found at https://www.archives.gov/cui and https://www.dodcui.mil/Home/DoD-CUI-Registry/

Will Other Federal Contracts Use CMMC?

CMMC is intended only for the Department of Defense and is based on DFARS clause 252.204-7021 and NIST SP 800-171.

How Is CMMC Different From NIST SP 800-171?

The requirements of NIST SP 800-171 make up the majority of the CMMC requirements. There are two major differences between them:

  1. CMMC requires third-party verification, while NIST SP 800-171 relied on self-assessment, and
  2. CMMC adds additional and enhanced security requirements.

What Is the CMMC-AB? 

The CMMC-AB is an independent organization that authorizes and accredits CMMC Third Party Assessment Organizations (C3PAOs), CMMC Assessors, and Instructor Certification Organizations (CAICO). (https://www.cmmcab.org/)

What Is a C3PAO?

A C3PAO is an authorized and accredited third-party assessment organization responsible for conducting CMMC assessments and issuing the appropriate CMMC certificates based on the assessment results.

Who Will Perform The Assessments?

Authorized and accredited C3PAOs listed on the CMMC-AB Marketplace website can perform CMMC assessments. C3PAOs shall use only authorized or certified CMMC assessors while conducting CMMC assessments.

How Will My Organization Become Certified?

Companies needing certification select an authorized and accredited C3PAO from the CMMC-AB Marketplace website. Once selected, the C3PAO plans the CMMC assessment and completes the contractual agreements. After the assessment, the C3PAO provides an assessment report to both the client and the DoD. If no deficiencies are found, the C3PAO then issues the appropriate CMMC certificate.

How Much Will It Cost?

The cost depends on several factors, including the CMMC level, the certification boundary, and other market forces. The Department of Defense provided rough order of magnitude cost estimates for CMMC assessments as part of the Federal Register Notice for Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041. You can check the CMMC-AB Marketplace for assessors and consultants.

How Long Is A Certificate Good For?

The certification is valid for three years. At that point, reassessment is required.

My Business Doesn’t Handle CUI. Should I Still Certify?

If your company is part of the DIB and does not possess, store, or transmit CUI but does possess Federal Contract Information (FCI), it is required to meet FAR clause 52.204-21 and must be certified at a minimum of CMMC Level 1. The best way to know for certain is to contact an auditor or consultant directly.

How Will I Know What CMMC Level I Need?

The required CMMC level will be stated in the contract documents, specifically in Requests for Information (RFIs) and Requests for Proposals (RFPs).

Sources

https://www.defense.gov

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-172.pdf

https://cmmcab.org/marketplace/

https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf

https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf

https://www.acquisition.gov/dfars/252.204-7008-compliance-safeguarding-covered-defense-information-controls.?&searchTerms=252.204-7012+

https://www.acquisition.gov/dfars

https://www.acq.osd.mil/cmmc/contact-us.html

https://www.cisa.gov/defense-industrial-base-sector