
Cybersecurity Maturity Model Certification (CMMC) Q&A

Authored by Mike Cullen and Matt Gilbert

Attendees of our recent webinar, “Understanding CMMC and the implications for DoD contractors,” posed some great questions during the event. Find the responses below from our CMMC specialists.

The current understanding is that any organization that obtains DoD contracts will be subject to the CMMC requirements. This includes prime contract recipients and the subcontractors. If you currently hold a DoD contract but do not intend to obtain future contracts, then CMMC will not apply, as the CMMC requirements are prospective only.

If your organization is a grant recipient, it is our current understanding that CMMC will likely apply to new grants. The key determinant is if the CMMC requirement is included by the government. The DoD is currently working on Defense Federal Acquisition Regulation Supplement (DFARS) modifications to institute CMMC. When this language is available for review, we will have further clarity. If you are not a DoD contractor, then you are not likely to have CMMC requirements initially. However, we caution that if CMMC is successful, we believe that other agencies across the federal government will look to it as a model and similarly look to adopt CMMC in the future.

According to the DoD:

“CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI Registry provides information on the specific categories and subcategories of information that the executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui.”

The DoD also issued a memo on CUI.

The CMMC model v1 defines FCI as “information provided by or generated for the government under contract not intended for public release.” This is similar to CUI but without the same degree of structure and definition coming from the National Archives and Records Administration. If you do not possess CUI, it is more likely that you do possess FCI. In discussions and examples from the DoD, it appears that if you possess CUI then you will likely be required to obtain CMMC level three. If you are not in possession of CUI, but as a contractor do have FCI, then you will likely be required to have level one.

This has not been clearly defined. The DoD wants to ensure that the first wave of contracts with the CMMC requirement are a manageable number that can be handled by the provisional class of assessors. Depending on the progress of the CMMC Accreditation Body (CMMC-AB) to have the assessors ready and the timeline of DoD acquisitions, the specific contracts that are part of the pathfinder program could change. It is our view that this list is not likely to be communicated until assessors have been identified and trained. Our recommendation is to stay close to your customer, and where allowed, seek their guidance. If your DoD request for information (RFI) or request for proposal (RFP) is expected this fall, be aware that it could be selected and you might need to have your CMMC completed.

The indications are that the DoD will specify in the RFI/RFP and/or in the contract the level of certification that is required. This will also help define that prime contractors (primes) and subcontractors (subs) might have different levels. Examples from DoD officials have indicated a situation where the prime is required to be level three and the subs level one. Our belief is that primes should target level three. If you are a sub, then level one might be all you require, but level three is not a bad investment to enable you to obtain prime or more significant sub roles on future DoD procurements.

No assessors have been officially named. The CMMC-AB is in the process of defining the requirements and establishing an application process for assessors and Certified Third-Party Assessment Organizations (C3PAOs). When this is completed they will authorize assessors and C3PAOs. Initially there will be a class of provisional assessors, but eventually assessors will need to hold a requisite certification and work with a C3PAO to conduct valid certification assessments. Organizations seeking certification will need to coordinate with the C3PAOs, and it is likely the CMMC-AB will maintain such a listing.

Since the CMMC-AB has not completed the assessment methodology, the final cost is unclear. The DoD also states in their FAQ on the CMMC website: “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.” The cost will ultimately depend on the level that the organization is seeking, as well as the complexity, size and scale of the environment being assessed. Other factors, such as requiring expedited assessment completed by a certain time, might also impact the costs.

The concept in question here is called enclaves. A company may decide that certain basic controls such as level one or level three will be adopted for the entire organization. Then, as a contract requires greater certification, a separate lab, network, location, etc. will be defined as an enclave and be certified at a higher level. The key is to ensure that the scope of your certification matches your plan and objectives for operation going forward.

The CMMC-AB is supposed to be the central repository of CMMC certification information. We believe this will include the ability to review which organizations have obtained what level of certification. Therefore, in the future it is not likely going to be a difficult task to determine what level a sub possesses. The contract will not be awarded if the prime and key subs do not have the required certifications. In the adoption period, when a sub does not yet have a certification or the proper level, it will be imperative for the prime to understand the plans and efforts underway to obtain required certification in time for award. We advise primes to work with their subs to make sure they are on track, and potentially even review readiness efforts with them. If a sub is not on track, the prime might want to make alternative arrangements.

This is unclear. As no certifications are being issued yet, it is hard to know. We also expect that, once certifications begin, the process could take a minimum of nine weeks from selection of and contracting with a C3PAO, through fieldwork, to final issuance and approval of the certification by the CMMC-AB. It is also possible that there could be a backlog of organizations seeking certification and a waiting period to schedule the assessments. How long it takes an organization to prepare depends heavily on the maturity of that organization’s cyber controls and the results of the self-assessments and readiness reviews that it conducts. We highly encourage organizations to conduct readiness efforts to ensure they are ready for the assessment.

If you are handling classified information or have contracts with FISMA and/or NIST SP 800-53 requirements, you are likely not impacted by CMMC for that contract. However, additional contracts or portions of your existing contract that are not subject to those higher requirements could require CMMC levels in the future.

It is not clear at this time. The assessment methodology has not been officially released by the CMMC-AB, and therefore the extent to which prior assessments can be relied upon is unknown. However, there is a mapping of CMMC to the other common frameworks, so the effort to implement controls or to conduct self-assessments of those controls could be greatly reduced where the controls are already in place and were previously evaluated during your other assessments.

The DCMA established the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). They have conducted assessments, but to date, the assessments are based on NIST SP 800-171 and not CMMC. It is not officially determined if those assessments will have reciprocity with CMMC at this time.

Attend Baker Tilly’s webinar series! Our goal is to conduct monthly events. We will continue to update content on our website regularly. Information is also available on the CMMC-AB website.
