
Cybersecurity Maturity Model Certification (CMMC) Q&A

The CMMC is an evolving topic. Find the answers to your frequently asked questions below. This information is current as of Dec. 15, 2020.

A&S – Acquisition and sustainment

C3PAO – Certified Third-Party Assessment Organizations

CAGE code – The Commercial and Government Entity code

CMMC-AB – CMMC Accreditation Body

COTS – Commercial off-the-shelf

CUI – Controlled unclassified information

DCMA – Defense Contract Management Agency

DFARS – Defense Federal Acquisition Regulation Supplement

DIBCAC – Defense Industrial Base Cybersecurity Assessment Center

DoD – The U.S. Department of Defense

DoS – The United States Department of State

FCI – Federal contract information

FedRAMP – The Federal Risk and Authorization Management Program

FISMA – Federal Information Security Management Act

GSA – General Services Administration

HHS – The U.S. Department of Health and Human Services

HR – Human resources

MSP – Managed service provider

NIST SP – National Institute of Standards and Technology Special Publication

OSC – Organization Seeking Certification

PII – Personally identifiable information

POA&M – Plan of action and milestones

Prime – Prime contractor

RFI – Request for information

RFP – Request for proposal

RMF ATOs – Risk Management Framework Authorizations to Operate

SAM – The System for Award Management

SPRS – Supplier Performance Risk System

Sub – Subcontractor

How long will it take to get a CMMC?

This is unclear. As no certifications are being issued yet, it is hard to know. We do expect that once certifications begin, the process could take at minimum nine weeks, from selection of and contracting with a C3PAO, through fieldwork, to final issuance and approval of the certification by the CMMC-AB. It is also possible that there will be a backlog of organizations seeking certification and a waiting period to schedule assessments. How long an organization needs to prepare depends heavily on the maturity of its cybersecurity controls and on the results of the self-assessments and readiness reviews it conducts. We highly encourage an organization to conduct readiness efforts to ensure it is ready for the assessment.

How much will an assessment cost? Is the cost reimbursable?

The DoD states in its FAQ on the CMMC website: “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.” The cost will ultimately depend on the level the organization is seeking, as well as the complexity, size and scale of the environment being assessed. Other factors, such as requiring an expedited assessment completed by a certain date, might also affect the cost.

My understanding is that assessors need to complete a determined number of Level 1 assessments before they can perform a Level 3 assessment. Does this mean a contractor will need to pay for two separate assessments to eventually be certified at a Level 3?

There is no requirement for assessors to complete a set number of Level 1 assessments before they can conduct Level 3 assessments. There are requirements about when they can use the CMMC logos, but not about conducting the assessments. There is also no need to be certified at each level if a contractor is aiming for CMMC Level 3. The organization can simply have one assessment completed against Level 3 and will be issued a certification at the level earned as a result of that single assessment. If a contractor does not earn Level 3 and instead earns Level 2, it would need to undergo a later assessment to demonstrate it has earned Level 3.

When is a Managed Service Provider (MSP) required to be in scope? Will they need to become CMMC certified, FedRAMP or something else?

An MSP is required to be in scope when it possesses FCI or CUI on your behalf. The CMMC-AB addresses this in response to the following FAQ: “Will Third-Party Providers (TPP), like Managed Service Providers (MSP), who support Organizations Seeking Certification (OSC) by contract that receive, store, and transmit* FCI/CUI data be required to be CMMC certified?”

How and when will we know which contracts are in the pathfinder program?

This has not been clearly defined. The DoD wants to ensure that the first wave of contracts carrying the CMMC requirement is a manageable number that can be handled by the provisional class of assessors. Depending on the CMMC-AB’s progress in getting assessors ready and on the timeline of DoD acquisitions, the specific contracts in the pathfinder program could change. Our recommendation is to stay close to your customer and, where allowed, seek their guidance. If your DoD RFI or RFP is expected this fall or winter, be aware that it could be selected and you might need to have your CMMC completed.

How do you comply if you're just getting started with DoD contracts? We would only set up an environment housing CUI once a project is set up. How do we achieve a basic assessment before we have an environment to assess?

You can and should develop your network and technology environment in accordance with NIST 800-171 and/or CMMC requirements. Even if you do not yet handle CUI, you can implement the controls, policies and procedures so that you are ready to handle it. Having done so, you can post a score to SPRS, which is required before being awarded a contract under which your organization will handle CUI. Waiting to create an environment until after a contract is awarded no longer seems a viable option. The good news: these security requirements are also valuable for protecting your organization’s own information, so even purely commercial entities can benefit from them.

What time/cost savings, if any, are likely in obtaining CMMC if we already have a certification like ISO 27001?

It is not clear at this time. Guidance on reciprocity is not available at the time of writing, so the ability to rely on another certification is unknown. However, there is a mapping of CMMC to the other common frameworks, and the effort to implement controls or conduct self-assessments of those controls could be greatly reduced where the controls are already in place and were previously evaluated during your other assessments.

How many auditors have been certified to audit Level 1, 2 and/or 3?

As of Nov. 5, 2020, there were only 50 certified provisional assessors with an expectation of reaching 75 by Dec. 1, 2020.

Who are the assessors? Where can we find a list of assessors?

Baker Tilly Principal Matt Gilbert is provisional assessor number 19. The CMMC-AB is in the process of confirming C3PAOs. When this is completed, it will post an official list of assessors and C3PAOs in its marketplace. Initially there is a class of provisional assessors, but eventually assessors will need to hold the requisite certification and work with a C3PAO to conduct valid certification assessments. OSCs will need to coordinate with the C3PAOs.

How do we know what level of security we need?

If you handle CUI you are likely to require Level 3 or above. If you only handle FCI you are likely to only need Level 1. The DoD will specify in their solicitations the associated CMMC requirements.

What is the profile of the typical contractor that will need to achieve CMMC Level 3?

There might not be a set profile, but those who need to obtain CMMC Level 3 will all be entrusted with, and handling, CUI.

What CMMC level will I need to be? How will I know?

The indications are that the DoD will specify in the RFI/RFP and/or in the contract the level of certification that is required. The DoD has indicated that contractors that handle CUI will require Level 3 at a minimum. If a contractor does not handle CUI and only handles FCI, it will be required to hold only Level 1. This also means that primes and subs might require different levels. Examples from DoD officials have described a situation where the prime is required to be Level 3 and the subs Level 1. Our belief is that primes should target Level 3. If you are a sub, then Level 1 might be all you require, but Level 3 is not a bad investment to enable you to obtain prime or more significant sub roles on future DoD procurements where you will be required to handle CUI.

Do we need to have one certification or can various portions of the organization be at different levels?

The concept in question here is enclaves. A company may decide that a certain baseline, such as Level 1 or Level 3, will be adopted for the entire organization. Then, as a contract requires a higher certification, a separate lab, network, location, etc. is defined as an enclave and certified at the higher level. The key is to ensure that the scope of your certification matches your plan and objectives for operations going forward.

Can you provide some guidance on how to determine or anticipate whether a supplier will require a Level 4 or Level 5?

This is the determination of the DoD. However, to date the assessment methodology has not been completed beyond Level 3 and assessors are not specifically trained beyond Level 3. It is unlikely to see CMMC Levels 4 or 5 in the near term. Additionally, it is a requirement to complete 15 Level 3 assessments before an assessor could attempt to become certified for Levels 4 and 5.

NIST SP 800-171 has 110 practices that we have to self-assess for the basic assessment. CMMC Level 1 has only 17 practices. Do we still have to self-assess all 110?

It is unclear from the question whether the contractor handles CUI. If your organization handles CUI and therefore has the DFARS 252.204-7012 clause, you need to self-assess against the 110 requirements of NIST 800-171, per the DoD assessment methodology. If you do not handle CUI and only have FCI, you are likely to require only CMMC Level 1. The 17 practices of Level 1 also align directly with FAR 52.204-21 and should not be a new requirement.

What happens if a prime or a subcontractor doesn't submit their assessment by Nov. 30?

The interim rule released Sept. 29, 2020, states that the new DFARS 252.204-7019 requires contractors to post a score to SPRS. SPRS, a DoD website, will capture the result of the contractor’s basic assessment. This is effectively a self-assessment against the 110 requirements of NIST 800-171 that were imposed as a result of DFARS 252.204-7012. If a contractor does not have the 7012 clause and does not envision future awards that include such a clause, it may elect not to post a score. However, if a score is not posted by Nov. 30, 2020, the DoD or the prime could withhold future awards beginning the next day. The exact details and impact are not yet fully known, i.e., whether that is a delay in award or a disqualifying event in which another contractor would be awarded. Certainly, a contractor should make every effort to establish its score and post it in order to avoid such concerns.

What if a company is not 100% compliant with 800-171 by Nov. 30 2020?

The requirement is not to be 100% compliant. You are required to score yourself via the DoD assessment methodology found here: The score you obtain should then be posted to the SPRS site. If you are not at a perfect score of 110, you will need to specify a date by which you intend to reach that score.

Do you need to have a recent dated assessment? Our most recent assessment is dated July 2017 and we have been meeting all the controls since that time.

It is unclear whether the 2017 assessment you refer to was completed internally. If so, it could be used but is likely to raise questions. If you maintain the NIST 800-171 controls and have a strong grasp of their status, you are likely better off updating and completing a recent assessment. The assessment is not intended to be a lengthy process; it is simply a review of the 110 requirements to determine whether each is implemented.

Can the assessment be changed in SPRS as new securities are added? After we upload the basic self assessment into SPRS, can we update it as we progress in closing any of the gaps?

Yes, the contractor will have access to SPRS and can post updated scores. We strongly encourage contractors to post accurate scores and to update them as they make progress toward improving their security posture. A regular routine of updating the score based on confirmed completion of items from your POA&M is a best practice.

Is the self assessment due on Dec. 1, 2020, an entity assessment or a project assessment? NIST 800-171 is project specific currently.

The basic assessment scope is determined by the contractor. It is likely an entity-level assessment but can be done at lower levels, such as per CAGE code. Those determinations are facts-and-circumstances based and need to be carefully considered by the contractor.

When we self-certify on November 30, 2020 at a certain level, does that hold us to what type of third-party inspection we receive? Can we change our level? And, when should we start to schedule our final third-party assessment?

The self-certification is only a basic score. It is the DoD’s prerogative to determine whether it would like the DIBCAC to perform a medium or high assessment. If that is requested, the DIBCAC will coordinate with your organization to schedule it.

If we have already had a DCMA DIBCAC "medium" level assessment and we passed and received a letter stating we are compliant with NIST 800-171, is that automatically updated in SPRS? In other words, no basic assessment is required to be submitted because we have already done a higher-level DCMA assessment.

If your organization was already subject to a DIBCAC assessment, you should have obtained a score. If that score is not a perfect 110, then you still likely need to post a score and a target date to achieve 110. Additionally, if you are aware of any changes since the DIBCAC assessment that would adversely affect your score, you should consider reflecting that as well. In those cases, and for good measure, you should consider posting a score even if it matches the DIBCAC’s. Lastly, you should confirm that a score was posted by the DIBCAC in SPRS.

How is the government deciding who will be audited in 2021?

The DoD will select, at their discretion, those contracts that are subject to medium and high DIBCAC assessments. The selection is likely based on risk and tied to critical programs.

DCMA has been conducting cyber assessments. How does this relate to CMMC?

The DCMA established the DIBCAC. It has conducted assessments, but to date those assessments are based on NIST SP 800-171 and not CMMC. It has not been officially announced whether those assessments will have reciprocity with CMMC, but this is highly likely.

Do modified COTS products count as COTS? Or products?

This is a very facts-and-circumstances-based answer. We recommend clarifying with your contracting officer, legal counsel and/or an expert as required. COTS is exempt from these requirements. The detail and specification of the modification are likely to determine whether the COTS exemption still applies. For illustration, purchasing a COTS product and asking for it to be painted a certain color might not be a concern. However, if the instruction is to paint it with a special type of paint, or if detailed drawings are provided, this additional information could constitute CUI, and therefore the COTS exemption would not apply.

If we only sell COTS, do we have to be CMMC Level 3 if we receive a customer’s credit card information?

In the context of a commercial sale, that credit card information is not likely to be considered CUI by the DoD. Therefore, you are likely exempt.

Does CMMC only apply to technology and materials or would it also apply to in-person and/or online services, such as language training programs?

CMMC is a requirement to protect CUI and FCI. In the example cited, the existence and details of the contract that are not publicly available are likely FCI. The list of attendees and/or the content of the course, if of a very technical nature, could possibly be CUI. That determination would need to be made in concert with the DoD, but if the information is determined to be CUI, then this contract would be subject to CMMC Level 3.

Does CMMC apply to higher education institutions, colleges and universities? Federally funded research and development centers (FFRDCs)? DoD contractors? Non-DoD contractors?

The current understanding is that any organization that obtains DoD contracts will be subject to the CMMC requirements. This includes prime contract recipients and their subcontractors. If you currently hold a DoD contract but do not intend to obtain future contracts, then CMMC will not apply, as the CMMC requirements are prospective only.

If your organization is a grant recipient, it is our current understanding that CMMC will likely apply to new grants. The key determinant is whether the CMMC requirement is included by the government. The DoD is currently working on DFARS modifications to institute CMMC. When this language is available for review, we will have further clarity. If you are not a DoD contractor, then you are not likely to have CMMC requirements initially. However, we caution that if CMMC is successful, we believe other agencies across the federal government will look to it as a model and similarly look to adopt CMMC in the future.

If a bid/protest happens and submissions include CUI, will the law firms representing the bid/protest need to comply?

It is our understanding that, regardless of the circumstances, those who hold CUI should give careful consideration before sharing it. Such considerations in the future might include verifying that the recipient has the appropriate CMMC level to handle the CUI. However, if you make the data available for viewing without granting possession to that third party, you might be able to avoid the recipient needing to comply with or demonstrate CMMC.

Where do the non-DoD Federal agencies (DoS, HHS, etc) stand on CMMC?

There are no formal announcements as of Nov. 5, 2020. Other agencies are talking with the DoD and paying close attention to CMMC to address their own CUI and supply chain risk management objectives. The GSA is also regularly including references to CMMC, but as of Nov. 5, 2020, CMMC applies only to the DoD.

How does this interface with RMF ATOs?

CMMC is designed to protect CUI and FCI. The scope is determined by the OSC. The scope may or may not include systems that are also subject to RMF ATO processes; this determination should be made by the OSC. The organization needs to ensure that any CUI it possesses that is not covered by an ATO is covered by the certification it holds. If leveraging the ATO, the contractor should specify this and seek needed clarification from the DoD. This is a perfect example of where, during the solicitation and contract negotiation process, the contractor should resolve questions of applicability, such as where an ATO vs. CMMC is required.

How does CMMC impact classified networks or prior FISMA and/or NIST SP 800-53 requirements?

If you are handling classified information or have contracts with FISMA and/or NIST SP 800-53 requirements, you are likely not impacted by CMMC for that contract. However, additional contracts or portions of your existing contract that are not subject to those higher requirements could require CMMC levels in the future.

Is HR and PII information considered CUI?

Definitions and categories for CUI can be found at https://www.archives.gov/cui. As facts and circumstances apply to the CUI determination, we encourage contractors to discuss such judgments with their customer. It is our understanding that PII or HR information about DoD persons would likely be considered CUI, while the same information about the contractor’s own team might not be CUI. However, your organization likely wants to protect the two data sets in a similar fashion where feasible. The DoD also issued an instruction on CUI that can be found here: https://www.dodcui.mil/Portals/109/Documents/Policy%20Docs/DoDI%205200.48%20CUI.pdf

Where do we input our assessment? Will you need to complete the SPRS info for each CAGE code in SAM?

Assessments are to be loaded into SPRS. It is Baker Tilly’s understanding that organizations will have access in SPRS to input a score associated with each of their CAGE codes. Whether you choose to do so is your prerogative. If a CAGE code handles CUI and is subject to DFARS 252.204-7012, then you are required to post a score in order to obtain future awards. However, if a CAGE code does not share a common set of systems and is not handling CUI or subject to that clause, you might elect not to post a score after your own careful consideration.

If contracts are public and accessible from the internet, why are they considered CUI?

A contract alone is likely FCI and not CUI. Further, the full contents of a contract are not typically posted online; rather, the RFP or other solicitation information is. FAR 52.204-21 defines FCI as “...information not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.” CUI is defined as information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, Dec. 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. Source: E.O. 13556 (adapted)

What is controlled unclassified information (CUI)?

According to the DoD:

“CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI Registry provides information on the specific categories and subcategories of information that the executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui.”

The DoD also issued a memo on CUI.

What is federal contract information (FCI)?

The CMMC model v1 defines FCI as “information provided by or generated for the government under contract not intended for public release.” This is similar to CUI but without the same degree of structure and definition coming from the National Archives and Records Administration. If you do not possess CUI, it is still likely that you possess FCI. In discussions and examples from the DoD, it appears that if you possess CUI you will likely be required to obtain CMMC Level 3. If you are not in possession of CUI but, as a contractor, do have FCI, then you will likely be required to hold Level 1.

How will the readiness assessment (and CMMC appraisal) work for joint ventures (JVs)?

In theory, this should have no impact on the CMMC assessment process. The JV is the OSC and would contract with a C3PAO. The OSC would need to define a scope for the assessment. If that scope comprises entirely JV systems, the assessment proceeds like any other. If the scope includes technology from the parent or other third parties, then the assessment would need to cover not only the practices and processes in place at the JV, but also those at the parent or other third parties. If those parents or third parties are already certified to the right CMMC level, or hold other designations like FedRAMP or prior DIBCAC assessments that will likely be granted reciprocity, then less effort will be required outside of the JV.

For the 15 prime contracts requiring CMMC in 2021, if I am a subcontractor, do I need to get CMMC in 2021 as well?

Yes. If you are a sub to a prime that has the DFARS 252.204-7021 clause and the prime flows that clause down to you because you are providing other-than-COTS solutions, you will be required to obtain a CMMC level as determined by the data you handle.

If a contractor determines a sub will not have access to CUI, is the contractor still required to flow down 7012 and then 7020?

This DoD document might be helpful to consider. It indicates that “the contractor shall include the clause in subcontracts for which performance will involve covered defense information or operationally critical support.”

Additionally, the interim rulemaking states, “Furthermore, CMMC certification requirements are required to be flowed down to subcontractors at all tiers, based on the sensitivity of the unclassified information flowed down to each subcontractor.”

When will the list of 15 new contracts with CMMC included be published?

The DoD has not yet published this information. In a recent webinar hosted by Washington Technology, CISO A&S Katie Arrington noted that they have a list resulting from nominations by areas of the DoD. She also said the DoD wants to release the details carefully in solicitations to ensure there is adequate capacity to conduct assessments and comply with the requirements. It is Baker Tilly’s view that while publishing a list is certainly desired by many contractors, it could create unintended consequences and is unlikely to occur in the first year. Organizations may also see language in solicitations stating that you have X days from the date of award to obtain certification. Over time, these measures will diminish, but only as the number of C3PAOs and the assessors’ capacity allow. In FY22 and beyond, organizations may see more advance warning, until we approach FY26, when all solicitations will require CMMC via DFARS 252.204-7021.

What level of responsibility does my company have in ensuring that subcontractors are actually certified? Do we have to actually request their certification level? Where does the burden of proof lie?

Per the interim rule that goes into effect on Nov. 30, 2020, CMMC results will be posted to the DoD’s SPRS system. You will be able to see your own score but not that of other contractors, including subcontractors. Therefore, in the future it is going to be an important task to determine what level a sub holds. The contract will not be awarded to the prime, and future awards should not be made to the subs, if they do not have the required certifications. In the adoption period, when a sub does not yet have a certification or the proper level, it will be imperative for the prime to understand the plans and efforts underway to obtain the required certification in time for award. We advise primes to work with their subs to make sure they are on track, and potentially even to review readiness efforts with them. If a sub is not on track, the prime might want to make alternative arrangements.

How much responsibility should a prime contractor assume for a subcontractor's compliance with this interim rule or later, with CMMC? What is the prime's responsibility to verify their subcontractors' basic assessment and CMMC certification level?

The prime contractor (prime) has several important requirements under the “interim rule” (DFARS 252.204-7019 through -7021) with respect to its subcontractors (subs). The first is to flow down the clause appropriately. The second is to ensure the sub has a score posted to SPRS or holds a CMMC certification at the correct level. Because this information is not visible to the prime in SPRS and is available only to the DoD, it is imperative for the prime to develop a mechanism to comply. For many, this will include asking for evidence from the sub prior to award and/or completion of representations and certifications. Such “reps and certs” should be carefully constructed to ensure that the environment, or scope, in which the sub performs the contract is the same one the score or certification covers.

Do subcontractors have to register a score in SPRS or is this just the prime contractor?

Yes, subcontractors will be required to self-assess if they handle CUI and are subject to DFARS 252.204-7012.

There are many points of clarification that need to be made by A&S on the interim rule, its applicability, etc. Will A&S commit to formally responding to these significant comments through official channels such as the DoD A&S Q&A page?

We can’t speak for the DoD; however, there is a public comment period on the interim rule open until Nov. 30, 2020. You can find and post comments at the Federal Register: https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of

Will the government help prime subs to get CMMC?

The DoD is providing information and resources to assist with the rollout of CMMC. In the Nov. 5, 2020 webinar, Katie Arrington noted one resource for completing the basic assessment at https://projectspectrum.io. There are also Manufacturing Extension Program grants that small entities might be able to take advantage of. Lastly, the DoD has stated that the costs are allowable.

How can I continue to stay informed related to CMMC?

Attend Baker Tilly’s webinar series! Our goal is to conduct monthly events. We will continue to update content on our website regularly. Information is also available on the CMMC-AB website.

Matt Gilbert
Principal, CISA, CRISC, CMMC Leader