Frequently Asked Questions

FAQs for CMMC

Here is a list of frequently asked questions that we have received. Please contact us for any additional questions you may have.

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a Department of Defense (DoD) framework for verifying that contractors across the Defense Industrial Base (DIB) implement required cybersecurity practices. CMMC focuses on two data types: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Meeting the CMMC level specified in a solicitation will be required in order to be awarded and to maintain DoD contracts.

Federal Contract Information (FCI) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (for instance: on public websites) or simple transactional information, such as necessary to process payments.

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

We recommend checking your contractual instruments for the following clauses:

  • Federal Acquisition Regulation (FAR) 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
  • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting

The DFARS interim rule was published on September 29, 2020 and became effective November 30, 2020. It established three new contract clauses:

  • DFARS 252.204-7019: Advises offerors required to implement the NIST SP 800-171 standards of the requirement to have a current (not older than three years) NIST SP 800-171 DoD Assessment on record in order to be considered for award.
  • DFARS 252.204-7020: Requires a contractor to provide the Government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level Assessment.
  • DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements, is prescribed for use in all solicitations and contracts or task orders or delivery orders, excluding those exclusively for the acquisition of Commercial-Off-The-Shelf (COTS) items.

Under the CMMC 2.0 requirements, if you are at Level 1 and handle only FCI, or you are among the subset of CUI-handling contractors whose contracts allow a Level 2 self-assessment, you must perform a self-assessment and submit the results, together with an annual affirmation by a senior company official, into the Supplier Performance Risk System (SPRS).

For contracts requiring a certification assessment, an authorized CMMC Third-Party Assessment Organization (C3PAO) will schedule and coordinate with your organization to perform the assessment. Once the assessment is completed, and if no deficiencies remain, the C3PAO will issue the appropriate CMMC 2.0 certificate to your organization, which is valid for three years.

C3PAOs are authorized and accredited by the CMMC Accreditation Body (now known as the Cyber AB) to conduct certification assessments of Defense Industrial Base organizations.

CMMC assessment costs depend on factors such as the CMMC level required, whether a self-assessment or a C3PAO certification assessment is needed, the scope of the systems that store, process or transmit FCI/CUI, and the size and complexity of your organization.
