CMMC FAQs
Where are details about CMMC certification spelled out?
Many sources lay out the details and requirements of CMMC. Federal Register 0750-AJ81 outlines the new requirements of the CMMC in the Defense Federal Acquisition Regulation Supplement (DFARS). The interim rule became effective on November 30, 2020.
The supplement describes the DoD Assessment Methodology and Cybersecurity Maturity Model Certification CMMC framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.
The domains, practices, and processes required for the various CMMC levels 1 and 2 are codified in NIST SP800-171. Level 3 adds a subset of practices from NIST SP800-172. These standards are aimed at non-Federal computer systems and what owners of such must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems.
What is a C3PAO and what role do they play?
C3PAO’s are CMMC Third Party Assessment Organizations. A C3PAO is certified to conduct CMMC assessments by the CMMC Accreditation Body (AB) at the appropriate CMMC level. C3PAOs provide an assessment team led by a Certified Assessor.
What is a RP/RPO and what role do they play?
A Registered Practitioner (RP) is a non-certified individual having completed basic training on the CMMC standard. RPs are associated with a Registered Provider Organization (RPO). RPs/RPOs play an important role as consultants and implementers, but it is important to understand that they are not certified to perform actual assessments.
What is NIST 800-171 and how will it be used in CMMC certification?
NIST Special Publication 800-171 (latest revision), is a standard for protecting controlled unclassified information (CUI) in nonfederal systems and organizations. The contents of this standard are at the core of the requirements for CMMC certification. NIST 800-171 contains various practices and processes detailed across various security domains. Level 1 pulls a subset of SP 800-171 practices, Level 2 requires *all* SP 800-171 practices, and Level 3 adds a subset of SP 800-172 on top of all SP 800-171 practices.
What is DFARS clause 252.204-7012 and why does it matter?
DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is an acquisition regulation invoked in 2017 in an effort to mandate cybersecurity compliance in federal contracts. According to the OUSD(A&S), this clause “requires contractors to provide ‘adequate security’ for covered defense information that is processed, stored, or transmitted on the contractor’s internal information system or network. The Department must mark, or otherwise identify in the contract, any covered defense information that is provided to the contractor, and must ensure that the contract includes the requirement for the contractor to mark covered defense information developed in performance of the contract.”
For contract RFPs and solicitations, this clause is called out when applicable. With the arrival of CMMC, a specific CMMC certification will be specified for the level of CUI exchanged, processed, and transacted.
What is meant by controls and capability domains?
The CMMC framework provides an architecture of requirements. This architecture incorporates a host of practices or controls found across 17 domains, or families, of topics. The practices may then be further specified into capabilities that a contractor must demonstrate.
While it may sound complex, domains, processes, controls, practices, capabilities – are all terms used to describe the specific requirements of different CMMC level requirements within the CMMC framework.
Where can I view some of the controls necessary to pass the assessment?
There are numerous websites that have extracted the requirements for various controls. The Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity Maturity Model Certification is an excellent starting point. From there you may refer to NIST 800-171 – latest revision, as well as other documents as reference. A best practice, however, is to work with a managed service provider or RPO to extract the precise requirements for the desired level of certification. These steps are prologue to the development of a plan and pathway to certification.
How do you know what assessment level to prepare for?
The level of certification required to compete for a solicitation will be specified in the RFP. If you are a sub-contractor, the prime will share the specific CMMC level requirements with you.
Who can help you prepare for an assessment?
A managed service provider, RPO, or other consultant may assist in the preparation for the certification. RPOs have received basic training specific to CMMC . Managed service providers and consultants might not have gone through the process to become an RPO but may still be of considerable help in preparing. Make sure the individual or organization you choose has experience in NIST 800-171 compliance at a minimum.
What happens if I fail to attain certification?
In preparing for a formal CMMC assessment, organizations will likely have ample opportunity to find any deficiencies through mock audits and other informal preparatory assessments. In the actual audit, the assessor will document all findings in a report and submit a recommendation for certification to the CMMC-AB. If there are some small areas of inadequate security practice, the organization seeking certification (OSC) may be granted up to 90 days to resolve. This is dependent on how many practices have not been met, meaning that the OSC must be close to being compliant in order to be granted the “resolution” window by the CMMC-AB. If an OSC fails enough an assessment, a recommendation will be submitted to not certify. The OSC would need to correct the deficiencies and schedule another assessment for a later date with the same or another C3PAO.
According to the Federal Register’s explanation of the audit process, a contractor may dispute the outcome of a C3PAO assessment and submit a dispute adjudication request to the CMMC-AB “along with supporting information related to claimed errors, malfeasance, or ethical lapses by the C3PAO. The CMMC-AB will follow a formal process to review the adjudication request and provide a preliminary evaluation to the contractor and C3PAO. If the contractor does not accept the CMMC-AB preliminary finding, the contractor may request an additional assessment by the CMMC-AB staff.”
What is the timeline for CMMC certification?
CMMC became effective November 30, 2020; DoD is implementing a phased rollout of CMMC. Until September 30, 2025, the clause at 252.204-7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, excluding acquisitions exclusively for Consumer off the Shelf (COTS) items.