CMMC 2.0 FAQ
What is the availability of getting an assessment?
In CMMC 2.0 at Level 2, if you are required to complete an independent assessment you will need to do so leveraging a C3PAO. This is a free market option and assuming availability, should be easy to engage with a C3PAO. If you require Level 3, this is a government-led assessment. The process to request and the advance lead time required is not yet known.
Who is eligible for a Level 2 self- assessment?
The DoD indicated that “a subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments.” How many programs do not involve information critical to national security? If that is a low percentage then it would be fewer companies that can use a self-assessment for Level 2. Who will make that determination? If the contracting officer is the one to make that call, do they error on the side of caution? Does making that call require more or less work for the contracting officer? Can the contracting officer decide that the prime is handling information critical to nation security but the subcontractor is not? How this will work is critical and not yet explained.
What are the requirements in the contract tied to the Program or data?
Under CMMC 1.0, it was not clear if the contract would say that CMMC Level X is required if you are on this program or if you are on the program and possess CUI. In the later case, it would allow a subcontractor who doesn’t obtain CUI to still perform on the contract with a lower level requirement. The DoD stated, “a subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments.” So it seems they intend to allow this, but exactly how this will occur is not yet clear. Will contractors be able to decide? Will the DoD be explicit in rulemaking or the contracts?
If I have a third-party assessment, will I still need to self-assess?
This is not clear at this time, however current guidance seems to indicate you will still need to self-assess and make an affirmation each year, even if you have completed a CMMC 2.0 Level 2 or 3 with a C3PAO or government-led assessment.
When will waivers be allowed?
The DoD indicates that waivers will be “allowed on a very limited basis in select mission critical instances, upon senior leadership approval.” This statement reveals that this is not a frequent occurrence. Who receives the waivers – and how – is still to be determined.
What are the restrictions for POA&Ms?
The DoD indicated that “highest weighted requirements cannot be on POA&M list” and “DoD will establish a minimum score requirement to support certification with POA&Ms.” This means that the practices from NIST 800-171 that carry three- and five-point values in the DoD assessment methodology are likely not eligible for POA&M. Additionally, organizations would need to achieve a minimum score before becoming eligible for POA&Ms. Where that score is set is not known.