How long will it take to get a CMMC?
This is unclear. As no certifications are being issued yet, it is hard to know. We also expect that once certifications begin, the process could take a minimum of nine weeks, from selecting and contracting with a C3PAO, through fieldwork, to final issuance and approval of the certification by the CMMC-AB. It is also possible that there will be a backlog of organizations seeking certification and a waiting period to schedule assessments. How long an organization needs to prepare depends heavily on the maturity of its cybersecurity controls and on the results of the self-assessments and readiness reviews it conducts. We highly encourage organizations to undertake readiness efforts so that they are prepared for the assessment.
How much will an assessment cost? Is the cost reimbursable?
The DoD states in its FAQ on the CMMC website: “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.” The cost will ultimately depend on the level the organization is seeking, as well as the complexity, size and scale of the environment being assessed. Other factors, such as requiring an expedited assessment completed by a certain date, might also affect the cost.
My understanding is that assessors need to complete a determined number of Level 1 assessments before they can perform a Level 3 assessment. Does this mean a contractor will need to pay for two separate assessments to eventually be certified at a Level 3?
There is no requirement for assessors to complete a set number of Level 1 assessments before they can conduct Level 3 assessments. There are requirements governing when they may use the CMMC logos, but none governing which assessments they may conduct. A contractor seeking CMMC Level 3 does not need to be certified at each lower level first. The organization can have a single assessment conducted against Level 3 and will be issued a certification at the level earned as a result of that assessment. If a contractor does not earn Level 3 and instead earns Level 2, it would need to undergo a later assessment to demonstrate that it has reached Level 3.
When is a Managed Service Provider (MSP) required to be in scope? Will they need to become CMMC certified, FedRAMP or something else?
An MSP is required to be in scope when it possesses FCI or CUI on your behalf. When you share such data with a third party, you need to ensure it is able to handle and protect that information. If the MSP is a subcontractor, the requirements would likely be placed in its contract when you flow down the associated clauses. In that case, the subcontractor would need to achieve its own certification.
However, for vendors, you will need to consider carefully how you obtain agreements from them. If a vendor is not a contractor that will achieve its own certification, you may need to include it in the scope of your own assessment and certification. If the DoD grants reciprocity to FedRAMP, then FedRAMP could be one part of how you ensure the third party can properly protect the data. Note that if a third party only views the data but does not take possession of it, whether it is in scope depends on the facts and circumstances.
How and when will we know which contracts are in the pathfinder program?
This has not been clearly defined. The DoD wants to ensure that the first wave of contracts carrying the CMMC requirement is a manageable number that can be handled by the provisional class of assessors. Depending on the CMMC-AB's progress in getting assessors ready and on the timeline of DoD acquisitions, the specific contracts in the pathfinder program could change. Our recommendation is to stay close to your customer and, where allowed, seek their guidance. If your DoD RFI or RFP is expected this fall or winter, be aware that it could be selected and you might need to have your CMMC certification completed.
How do you comply if you're just getting started with DoD contracts? We would only set up an environment housing CUI once a project is set up. How do we achieve a basic assessment before we have an environment to assess?
You can and should develop your network and technology environment in accordance with NIST 800-171 and/or CMMC requirements. Even if you do not yet handle CUI, you can implement the controls, policies and procedures so that you are ready to handle it. Having done so, you can post a score to SPRS, which is required before you can be awarded a contract under which your organization will handle CUI. Waiting to create an environment until after a contract is awarded no longer seems a viable option. The good news is that these security requirements also protect your organization's own information, so even solely commercial entities can benefit from them.
What time or cost savings, if any, are we likely to gain in obtaining CMMC if we already hold a certification like ISO 27001?
It is not clear at this time. Guidance on reciprocity is not available at the time of writing, so the extent to which you can rely on an existing certification is unknown. However, CMMC has been mapped to the other common frameworks, and the effort to implement controls or to self-assess them could be greatly reduced where the controls are already in place and were evaluated during your other assessments.
How many auditors have been certified to audit Level 1, 2 and/or 3?
Please refer to the Marketplace established by the CMMC-AB.
Who are the assessors? Where can we find a list of assessors?
Baker Tilly Principal Matt Gilbert is provisional assessor number 19. The CMMC-AB is in the process of confirming C3PAOs. When this is complete, it will post an official list of assessors and C3PAOs in its Marketplace. Initially there is a class of provisional assessors, but eventually assessors will need to hold the requisite certification and work with a C3PAO to conduct valid certification assessments. Organizations Seeking Certification (OSCs) will need to coordinate with the C3PAOs.