CMMC Frequently Asked Questions from DoD Contractors

The Cybersecurity Maturity Model Certification (CMMC) is a framework being rolled out by the Department of Defense (DoD) in an effort to combat cyber attacks and breaches. Here, we answer common questions about it.

The Who, What, and Why of CMMC Compliance

1. Who does CMMC apply to?

The CMMC requirement applies to any organization that is working with the DoD in a prime contractor or subcontractor capacity that handles Controlled Unclassified Information (CUI) and bids on work that requires a certain level of CMMC as part of the RFI or RFP.

2. What types of information fall under CMMC and how can it be protected?

In order to achieve compliance, companies need to identify the CUI within their organization and take action. For example, if a database houses CUI, measures will need to be put in place to decouple the CUI by putting it in an enclave where they must authenticate to access it.

3. Why CMMC?

To mitigate risks as they relate to both the DoD and contractors, the NIST 800-171 was developed in 2003 to provide guidelines on cybersecurity standards. But, even with these standards in place, there was no vehicle to enforce them. The CMMC certification framework has been created to enforce these standards.

Learn more: What You Should Know About CMMC

The CMMC Certification Process

1. What should I understand about the CMMC compliance process?

CMMC compliance is complex and requires IT teams to understand: 

• What security level applies to their organization and network
• The current CUI environment policies
• The documentation of standards, controls, and procedures
• Whether they are applying the controls to standards

2. How do I become CMMC compliant?

Organizations can take on CMMC compliance in-house or outsource it. It involves a deep level of understanding and navigating of the CMMC compliance levels needed for the type of work being taken on. Many organizations find outsourcing CMMC compliance to a managed security service provider to be a safe and easy approach. Third party auditors will assess compliance.

Related Article: How CMMC Compliance Gives Defense Contractors a Competitive Edge

3. What happens if I fail an audit?

If an audit is failed the organization will not be awarded a contract that includes CMMC certification as a requirement.

DoD Contract Requirements

1. How does the DoD see the certification results?

Based on the Interim rule, contractors must post their 800-171 control compliance to the Supplier Performance Risk System (SPRS) where the DoD has access to results. Audit results must be presented before a company can be awarded a contract based on CMMC level.

2. How will I know what level of CMMC is required for a contract?

The CMMC level required will be included in the RFI or RFP.

Related Article: Achieving Level 4 CMMC with ARMED™ and Microsoft GCC High

3. Can I bid on contracts without the CMMC certification?

You may bid on contracts but you will NOT be awarded the contract if you are not certified at the appropriate CMMC level required in the RFI or RFP.

Timeframe for CMMC Certification

1. When do I need to get certified?

As of November 30, 2020, the DoD is requiring contractors to possess at least a basic NIST SP-800-171 Assessment. In 2021 the DoD will begin rolling out CMMC requirements on contracts and will continue to do so through 2025. Cyber threats are constantly increasing so it is important to act fast to protect CUI as soon as possible.

Sources

Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification, CMMC FAQs