FAQs for CMMC
Here is a list of frequently asked questions that we have received. Please contact us for any additional questions you may have.
The Cybersecurity Maturity Model Certification 2.0 (CMMC) is a new Department of Defense standard for implementing cybersecurity across the Defense Industrial Base. The CMMC focuses on two data types: Federal Contract Information and Controlled Unclassified Information. In short, a CMMC certification will be required in order to be awarded and/or maintain DoD contracts.
Federal Contract Information (FCI) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (for instance: on public websites) or simple transactional information, such as necessary to process payments.
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
We recommend checking your contractual instruments for the following clauses:
- Federal Acquisition Regulation (FAR) 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
The DFARS interim rule was published on September 29, 2020 and became effective November 30, 2020. It established three new rules:
- DFARS 252.204-7019: In order to be considered for award, if the Offeror is required to implement NIST SP 800-171, the Offeror shall have a current assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) (see 252.204-7020) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.
- DFARS 252.204-7020: The Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
The Department views Level 1 as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Self-assessments will suffice to meet CMMC Level 1 requirements. Contractors will be required to conduct a self-assessment annually, accompanied by an annual affirmation from a senior company official that the company is meeting requirements. The Department intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS).
Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC Level 2 assessment for a subset of acquisitions that involve information critical to national security. The DIB company will be fully responsible for obtaining the needed assessment and certification, to include coordinating and planning the CMMC assessment.
A C3PAO is an organization that has successfully passed a rigorous series of requirements to become acknowledged by the Cyber AB, on behalf of the DoD, as being objective and competent to perform assessments of organizations seeking certification (OSC).
The CMMC assessment costs depend on various factors such as CMMC level, scope, and complexity of your organization.