Frequently Asked Questions about the Cybersecurity Maturity Model Certification
“The theft of intellectual property and sensitive information undermines our nation’s defense posture and economy. Global costs last year are estimated at $600 billion, with an average cost per American of $4,000. It is time for action.” CMMC-AB
Do you have questions about CMMC?
We have answers!
Below are some of the most frequently asked questions regarding the Cybersecurity Maturity Model Certification. We’ve compiled and curated responses from industry sources such as the Department of Defense (DoD), the CMMC Accreditation Body (CMMC-AB), and CMMC-related institutional websites.
Have a question we didn’t answer below? Give our CMMC compliance experts a call at 469-522-2022 any time.
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for implementing cybersecurity across the Defense Industrial Base (DIB).
The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for subcontractors’ information flow in a multi-tier supply chain.
My company is a subcontractor on a DoD contract. Do I still need CMMC certification?
If the DoD contract has a CMMC requirement, and so long as your company does not solely produce COTS (Commercial Off-the-Shelf) products, you will need to obtain a CMMC certificate. The level of the CMMC certificate depends on the type and nature of the information that is flowed down to you from your prime contractor.
What is the CMMC Framework?
The CMMC establishes five certification levels that reflect the maturity and reliability of an organization’s cybersecurity infrastructure in safeguarding sensitive government information on contractors’ information systems.
The CMMC framework is built on three elements – Security Domains, Capabilities, and Controls (Practices). When combined, they prescribe best practices for the protection of an organization and its associated FCI and CUI. These elements apply at five cybersecurity maturity levels (Levels 1, 2, 3, 4, and 5) in the overall CMMC framework, Level 1 being the least mature and Level 5 the most mature.
The five levels are tiered and build upon the processes and practices of the preceding level. Each level requires compliance with all lower levels’ elements, plus institutionalization of additional cybersecurity processes and practices.
What are the CMMC Domains?
There are 17 domains within the CMMC framework, with the majority originating from the Federal Information Processing Standards (FIPS) and NIST 800-171. The DoD added three additional domains to CMMC that were not previously part of the FIPS or NIST standards.
The CMMC Domains include:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
What is CUI (Controlled Unclassified Information)?
According to the DoD, CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
CUI examples could include intellectual property, technical drawings, blueprints, financial data, cyber vulnerability information, and other forms of data that cannot be released to the public.
Additional resources on CUI are available at https://www.archives.gov/cui
What is Federal Contract Information (FCI) in CMMC?
FCI stands for Federal Contract Information and refers to information provided or generated by the government under a contract that is not intended for public release. FCI does not include information provided by the Government to the public.
FCI examples could include proprietary datasets developed between a contractor and third-party entities, or information from emails transmitted between the DoD and contractor, instant messaging, video conferencing, etc.
What is Cyber Hygiene?
Cyber hygiene refers to the fundamental cybersecurity practices that an organization undertakes to ensure the health and security of its network and assets. Cyber hygiene practices are often part of a routine to protect data from theft or corruption. Cyber hygiene is conducted regularly to defend against natural deterioration and threats.
What is a DIB company?
DIB stands for Defense Industrial Base and refers to organizations that produce assets used by the armed forces. A DIB company is any organization involved in providing R&D, design, production, delivery, or maintenance of these goods and services.
When will CMMC certification be required?
The DoD is implementing CMMC through a phased approach, with requirements in RFIs having started in 2020. Currently, the Under Secretary of Defense for Acquisition and Sustainment Office must approve CMMC inclusion requirements.
In FY2021, DoD will require up to 15 new Prime acquisitions to meet CMMC requirements. This initial phase will focus on mid-sized programs that require the contractor to process or store CUI (CMMC Level 3). In subsequent fiscal years, DoD will incorporate CMMC Levels 4 and 5 into an increasing number of contracts. All Primes will be required to flow the appropriate CMMC requirements down to their subcontractors.
It is expected that by 2026, all new DoD contracts will require CMMC certification at all Prime contractor and subcontractor levels.
How much will CMMC certification cost?
While the CMMC-AB has not defined the cost of a CMMC assessment, they did specify “the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.”
The CMMC-AB also stated that assessment costs would depend upon several factors, including the maturity level required under the contract and the complexity of the DIB organization’s network.
The DoD provided rough cost estimates for CMMC assessments as part of the Federal Register Notice for Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041.
What CMMC level do I need? How will I know what CMMC level is required for a contract?
The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs). According to the DoD, compliance at the required maturity level will be a “go/no-go decision.”
Examples of levels of CMMC certification required by organization type include:
| Level 1: Basic Cyber Hygiene | Level 2: Intermediate Cyber Hygiene | Levels 3-5: Good to Progressive Cyber Hygiene |
|---|---|---|
| “Safeguard FCI” | Transition to protecting CUI | Increased protection of CUI, up to reduced risk from APTs |
| Low potential to access CUI | Some potential to access CUI, but not expected to handle CUI in fulfilling the contract | Companies that are required to handle CUI, including current contracts based on NIST 800-171 criteria |
| Includes companies such as marketing agencies, plumbing, sporting goods | Printer or copier repair services, janitorial | Level requirements are based on the organization’s size and complexity, types of CUI handled, and type of access |
What if my company can’t afford to be certified? Does that mean my organization can no longer work on DoD contracts?
The costs of implementing CMMC requirements, supporting the CMMC assessment, and contracting with the C3PAO will be considered an allowed, reimbursable cost.
For contracts that include the CMMC requirement, you will not be awarded the contract if you are not certified at the appropriate CMMC level at the time of contract award.
How long does it take to achieve CMMC certification?
The CMMC-AB hasn’t released the official CMMC assessment methodology at this point, so it isn’t easy to know how long the certification process will take. The general opinion is that the CMMC certification process will take at least nine weeks, possibly more. Certification will also depend on your organization’s current cyber hygiene readiness level.
Because cyber hygiene is an evolving practice, it is highly recommended that DIB subcontractors start preparing early by completing a CMMC Readiness assessment, to ensure the organization is prepared for the CMMC audit and does not lose military contract opportunities.
How do I get CMMC certification?
DIB companies will select one of the Authorized or Accredited C3PAOs from the CMMC-AB Marketplace website. The DIB company and the selected C3PAO will coordinate and plan the CMMC assessment and complete appropriate contractual agreements.
After completion of the CMMC assessment, the C3PAO will provide an assessment report. If there are no deficiencies, the C3PAO will issue the appropriate CMMC certificate to the DIB company for the specified certification boundary.
The C3PAO will also submit a copy of the assessment report and CMMC certificate to the DoD.
Why is CMMC important?
According to the Under Secretary of Defense for Acquisition & Sustainment, the aggregate loss of Controlled Unclassified Information (CUI) from the DIB sector increases the risk to national economic security and, in turn, national security. To reduce this risk, the Department has continued to work with the DIB sector to enhance its protection of CUI on its unclassified networks.
The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 [Ref: “The Cost of Malicious Cyber Activity to the U.S. Economy, CEA” in February 2018].
The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 billion, nearly 1% of global GDP, may be lost to cybercrime each year. The estimate is up from a 2014 study that put global losses at about $445 billion [Ref: “Economic Impact of Cybercrime – No Slowing Down” in February 2018].
Will other Federal (non DoD) contracts use CMMC?
The initial implementation of the CMMC will only be within the DoD and will be implemented through DFARS clause 252.204-7021.
Are the results of my CMMC assessment public? Does the DoD see my results?
Neither the results of CMMC assessments nor the certification level attained will be made public. The only information that will be publicly available is that your company holds a CMMC certification.
The DoD will have access to all DIB companies’ CMMC certificates, which will be posted on the CMMC Enterprise Mission Assurance Support Services (eMASS) database and the Supplier Performance Risk System (SPRS).
What if my company does not handle CUI? Do I still need to be CMMC certified?
If you are a DIB company that does not possess, store, or transmit CUI but possesses Federal Contract Information (FCI), you are required to meet FAR clause 52.204-21 and must be certified at a minimum of CMMC Level 1.
If my organization only produces COTS products, do I still need CMMC certification?
Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
Will there be a self-certification for CMMC?
No, there are no self-certifications for CMMC. However, DIB companies are encouraged to complete a self-assessment based on CMMC Assessment Guides before scheduling a CMMC assessment. The Department of Defense posts versions of the CMMC Assessment Guides on its website (https://www.acq.osd.mil/cmmc/index.html).
Additionally, you can take advantage of a free CMMC Readiness Planning Session with an independent auditor to start your CMMC journey.
How does CMMC compare to NIST 800-171?
CMMC Level 3 includes the 110 security requirements specified in NIST SP 800-171. The CMMC Model also incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense,” and Computer Emergency Response Team (CERT) Resilience Management Model (RMM).
How is CMMC different from NIST 800-171?
Unlike NIST SP 800-171, the CMMC model has five levels. The model is cumulative: each level consists of its own practices and processes plus those specified in the lower levels. The CMMC Model includes the security requirements specified in NIST SP 800-171 as well as additional cybersecurity practices.
In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess its maturity processes.
No more check-box compliance — CMMC is here.
Are you ready?
If you have questions about how CMMC will impact your organization, or are not sure where to begin, we can help!
Schedule your free, no-obligation pre-audit CMMC Planning Session today.
Independent, certified auditor
Find out how CMMC will impact your organization
Gain insight, lose the confusion
Ready to get compliant and stay compliant?
Don't wait for the CMMC audit to find your vulnerabilities.
Be ready for the CMMC assessment and keep your ability to bid on government contracts.