Knowledge Hub

Stay informed with our latest insights and guides on cybersecurity and compliance.

FAQs

The Cybersecurity Maturity Model Certification (CMMC) is a critical framework for companies in the Defense Industrial Base (DIB), and many organizations ask the same questions about it. Here is a breakdown of frequently asked questions regarding CMMC:

1. What is CMMC and why is it important?

  • What it is: CMMC is a unified cybersecurity standard implemented by the U.S. Department of Defense (DoD) to enhance the protection of sensitive unclassified information (Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)) within the DIB supply chain.

  • Why it's important: It provides increased assurance to the DoD that contractors and subcontractors are protecting government information at a level commensurate with the risk of cyber threats. It's becoming a mandatory requirement for doing business with the DoD.

2. Who needs CMMC compliance?

  • Anyone in the DoD supply chain: Any organization within the U.S. Department of Defense (DoD) supply chain that handles FCI or CUI needs to demonstrate CMMC compliance. This includes prime contractors and subcontractors.

  • Exceptions: Generally, contracts solely for Commercial Off-the-Shelf (COTS) products might be exempt from CMMC requirements.

3. What are the CMMC levels and their requirements?

  • CMMC 2.0 has three levels:

    • Level 1 (Foundational): Focuses on basic cyber hygiene and safeguarding FCI. Requires an annual self-assessment.

    • Level 2 (Advanced): Aligned with NIST SP 800-171 and focuses on protecting CUI. Requires either an annual self-assessment (for non-prioritized programs) or a triennial third-party assessment by a C3PAO (for prioritized programs/critical CUI).

    • Level 3 (Expert): Aligned with NIST SP 800-171 and a subset of NIST SP 800-172. Requires triennial assessments led by government officials (DIBCAC).

  • The specific CMMC level required for a contract will be specified by the DoD in the contract.

4. When will CMMC be enforced, and what's the rollout schedule?

  • CMMC 2.0 is currently in the rulemaking process. It will be implemented in contracts once the DFARS 7021 clause is finalized and after a 60-day waiting period.

  • The DoD is taking a phased approach, with requirements gradually appearing in solicitations and contracts. By FY2026, it's anticipated that most DoD contracts will require CMMC certification.

5. Who conducts CMMC assessments and how long does certification last?

  • Self-assessments: For CMMC Level 1 and a subset of Level 2, organizations can perform annual self-assessments.

  • Third-party assessments: For most CMMC Level 2 and all Level 3, assessments are conducted by authorized and accredited Certified Third-Party Assessor Organizations (C3PAOs) or government officials (for Level 3).

  • Certification validity: A CMMC certificate is generally valid for three years. Level 1 self-assessments need to be conducted annually.

6. What is the relationship between CMMC and NIST SP 800-171?

  • CMMC is heavily based on NIST SP 800-171.

  • CMMC Level 2 is directly aligned with the 110 controls in NIST SP 800-171.

  • CMMC Level 3 builds upon NIST SP 800-171 with additional practices from NIST SP 800-172.

7. How much does CMMC compliance cost?

  • The cost varies depending on the CMMC level, the complexity of your network, and market forces.

  • The DoD aims for CMMC to be cost-effective, especially for small businesses at lower levels.

  • Certification costs are considered an allowable, reimbursable cost in DoD contracts.

8. Can I get certified with Plan of Action & Milestones (POA&Ms)?

  • For CMMC Level 2, you need a total compliance score of at least 88 out of 110 in SPRS.

  • POA&Ms can only apply to controls worth 1 point. You cannot achieve certification if any POA&Ms relate to "high importance" controls (3 or 5 points in SPRS).
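The scoring rules above can be checked mechanically before an assessment. The following is an added example (not code from this page, the DoD, or SPRS) that applies them: the score starts at 110 and loses the weight of each unmet control, the result must be at least 88, and no control on the POA&M may carry a 3- or 5-point weight. The control identifiers and weights in the catalog are constructed placeholders; real identifiers and weights come from NIST SP 800-171 and the DoD Assessment Methodology. It also assumes that every unmet control must have a POA&M entry for conditional certification, which the page implies but does not state outright.

```python
"""CMMC Level 2 conditional-certification readiness check (added example).

Constants below restate what the page says; the CATALOG is constructed
for illustration and does not reproduce real control weights.
"""
from dataclasses import dataclass

TOTAL_CONTROLS = 110        # NIST SP 800-171 requirements counted in SPRS
MIN_SCORE = 88              # minimum SPRS score the page states for Level 2
HIGH_IMPORTANCE = {3, 5}    # weights the page calls "high importance"

# Constructed sample catalog: placeholder control IDs -> weight (1, 3 or 5).
CATALOG = {
    "ctrl-01": 5, "ctrl-02": 5, "ctrl-03": 3, "ctrl-04": 1,
    "ctrl-05": 1, "ctrl-06": 5, "ctrl-07": 3, "ctrl-08": 1,
}


@dataclass(frozen=True)
class Verdict:
    score: int
    eligible: bool
    reasons: tuple  # human-readable blockers; empty when eligible


def sprs_score(unmet, catalog=CATALOG):
    """SPRS scoring starts at 110 and subtracts the weight of each unmet control."""
    return TOTAL_CONTROLS - sum(catalog[c] for c in unmet)


def evaluate(unmet, poam, catalog=CATALOG):
    """Decide whether the stated POA&M set can support conditional certification.

    unmet: control IDs assessed as not implemented.
    poam:  control IDs the organization intends to cover with a POA&M.
    """
    unmet, poam = set(unmet), set(poam)
    reasons = []

    score = sprs_score(unmet, catalog)
    if score < MIN_SCORE:
        reasons.append(f"score {score} is below the minimum of {MIN_SCORE}")

    # Page rule: POA&Ms may only cover 1-point controls.
    for c in sorted(poam):
        if catalog[c] in HIGH_IMPORTANCE:
            reasons.append(f"{c} is a {catalog[c]}-point control and cannot be on a POA&M")

    # Assumption: every unmet control needs a POA&M entry, and a POA&M entry
    # for a control already assessed as met is an input inconsistency.
    for c in sorted(unmet - poam):
        reasons.append(f"{c} is unmet but has no POA&M entry")
    for c in sorted(poam - unmet):
        reasons.append(f"{c} is on the POA&M but was not recorded as unmet")

    return Verdict(score=score, eligible=not reasons, reasons=tuple(reasons))


if __name__ == "__main__":
    # Two 1-point gaps, both on the POA&M: conditional certification is possible.
    print(evaluate(unmet={"ctrl-04", "ctrl-05"}, poam={"ctrl-04", "ctrl-05"}))
    # A 5-point gap on the POA&M blocks certification even though the score is fine.
    print(evaluate(unmet={"ctrl-01", "ctrl-04"}, poam={"ctrl-01", "ctrl-04"}))
```

Run it against your own assessment results by replacing CATALOG with the full 110-control weight table; the checks themselves do not change.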

9. What are the consequences of non-compliance?

  • Non-compliance can lead to disqualification from bidding on DoD contracts, security breaches, financial penalties, and reputational damage. Eventually, organizations without the required certification will not be awarded new DoD contracts.

10. How can my organization prepare for CMMC?

  • Identify your desired CMMC level based on your projected DoD business and contracts.

  • Scope your CUI environment to define system boundaries and data flow.

  • Communicate flowdown requirements to your critical vendors.

  • Conduct a gap assessment to identify vulnerabilities.

  • Prioritize and remediate issues found in the gap assessment.

  • Document your cybersecurity policies and procedures (e.g., System Security Plan, Incident Response Plan).

  • Consider seeking expert guidance from CMMC consultants.

Guides & Whitepapers

NIST 800 series: link to the most up-to-date version of SP 800-171

https://csrc.nist.gov/publications/sp800

Final Rule Publication Date: The CMMC Program Final Rule (32 CFR Part 170) was published in the Federal Register on October 15, 2024.

  • Effective Date: This rule became effective on December 16, 2024.

  • Implementation Timeline:

    • Early 2025: CMMC requirements began appearing in select DoD contracts.

    • Mid-2025: The DoD expects to finalize the companion 48 CFR Acquisition Rule.

    • October 2025: Full CMMC implementation is expected to begin, meaning most new DoD contracts will require CMMC compliance.

    • October 31, 2026: CMMC compliance will be required for all DoD contractors to remain eligible.

    • 2028: Full enforcement across all relevant DoD contracts is expected.

MORE TO COME IN THE NEAR FUTURE

Upcoming Webinars & Events

Come See Us at the Charleston CDCA SBIOI

https://www.eventbrite.com/e/cdcas-71st-sbioi-15-16-july-2025-registration-1325956935889?aff=erelexpmlt

MORE TO COME IN THE NEAR FUTURE

Contact us

Have a question or topic you'd like us to cover? Let us know!