What is the availability of getting an assessment?
In CMMC 2.0 at Level 2, to complete an independent assessment, you will need to leverage a C3PAO. This is a free-market option and, assuming availability, it should be easy to engage a C3PAO. If you require Level 3, a government-led assessment, the request process and the amount of lead time required are not yet known.
How long will it take to get a CMMC?
This is unclear. As no certifications are being issued yet, it is hard to know. We also expect that, once certifications begin, it could take a minimum of five weeks from selecting and contracting with a C3PAO through fieldwork to final issuance and approval of the certification by the CMMC-AB. It is also possible that there could be a backlog of organizations seeking certification and a waiting period to schedule assessments. How long it takes an organization to prepare depends on the maturity of that organization’s cybersecurity controls and on the results of the self-assessments and readiness reviews it conducts. We highly encourage an organization to conduct readiness efforts to ensure it is ready for the assessment. Many organizations that think they are ready have missed critical elements related to scoping that could cause issues in achieving certification. This is why an early self-assessment is important.
How much will an assessment cost? Is the cost reimbursable?
From the beginning, the DOD said the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. The cost will ultimately depend on the level that the organization is seeking as well as the complexity, size and scale of the environment being assessed. Other factors, such as requiring an expedited assessment completed by a certain time, might also impact the costs.
If I have a third-party assessment, will I still need to self-assess?
It is not clear at this time. However, the DOD said it is considering asking contractors to confirm annually even when they hold a certification. Because a CMMC certification is good for three years, it makes sense that the DOD would want confirmation from the contractor that its environment is still in compliance with the requirements.
My understanding is that assessors need to complete a determined number of Level 1 assessments before they can perform a Level 3 assessment. Does this mean a contractor will need to pay for two separate assessments to eventually be certified at a Level 3?
The organization can simply have one assessment completed against Level 2, and it will be issued a certification if that is earned as a result of the single assessment. That first assessment would be completed by a C3PAO. Then, if the contractor needs to obtain Level 3, it would need to coordinate with the government for that assessment. Likely this will be the DIBCAC, but the details and process for how to request such assessments have not been determined. At this time, it doesn’t appear the Level 3 assessment would cost the contractor anything; only the Level 2 assessment would.
When is a Managed Service Provider (MSP) required to be in scope? Will they need to become CMMC certified, FedRAMP or something else?
An MSP is required to be in scope when it possesses FCI or CUI on your behalf. When you share such data with a third party, you will need to ensure it is able to handle and protect that information. If it is a subcontractor, it would likely have the requirements in the contract when you flow down the associated clauses. In that case, a subcontractor would need to achieve its own certification.
However, for vendors, you will need to carefully consider how you get agreements from them. If it is not a contractor that will achieve its own certification, then you may need to include it in the scope of your assessment and certification. If the DOD grants reciprocity to FedRAMP, then it would be part of how you can ensure the third party can properly protect the data. It is important to note that if a third party only views but does not take possession of the data, then it most likely would not be included in the assessment.
The scope guides specifically address external service providers. Those entities are expected to provide a shared responsibility matrix. This document would outline the shared nature of the 110 requirements of CMMC.
How and when will we know which contracts are in the pathfinder program?
The pathfinder program was a concept of CMMC 1.0. While it was not clearly defined, the DOD’s intention was to ensure the first wave of contracts with the CMMC requirement is a manageable number that can be handled by the assessors. Depending on the progress of the CMMC-AB in having assessors ready and on the timeline of DOD acquisitions, the specific contracts that will first contain the CMMC requirement are still to be determined. The most important variable in this timing is the rulemaking. The DOD is on track to complete rulemaking in 2023, but how waivers will be used is still to be determined. After rulemaking is completed, our recommendation is to stay close to your customer and, where allowed, seek its guidance on whether CMMC will apply.
How do you comply if you're just getting started with DoD contracts? We would only set up an environment housing CUI once a project is set up. How do we achieve a basic assessment before we have an environment to assess?
You can and should develop your network and technology environment in accordance with NIST 800-171 and/or CMMC requirements. If you do not yet handle CUI, you can still implement the controls, policies and procedures so that you are ready to handle CUI. Having done so, you can post a score to SPRS. Doing so is required prior to being awarded a contract under which your organization is going to handle CUI. Waiting to create an environment until after you are awarded a contract no longer seems a viable option. The good news: the security requirements are also valuable for protecting your organization's own information and, therefore, are certainly something even solely commercial entities could benefit from.
What time/cost savings, if any, are likely in obtaining CMMC if we already have a certification like ISO 27001?
It is not clear at this time. The guidance on reciprocity is not available at the time of writing and, therefore, the ability of a C3PAO to rely on the testing performed for other assessments, such as ISO, is unknown. However, there is a mapping of CMMC to the other common frameworks, and the effort to implement controls or to self-assess them could be greatly reduced where the controls are already in place and were previously evaluated during your other assessments.
How many auditors have been certified to audit Level 1, 2 and/or 3?
Please refer to the Marketplace established by the CMMC-AB.
Who are the assessors? Where can we find a list of assessors?
Baker Tilly Principal Matt Gilbert is provisional assessor No. 19. The CMMC-AB is in the process of confirming C3PAOs. When this is completed, it will post an official list of assessors and C3PAOs within its Marketplace. Initially, there is a class of provisional assessors, but eventually assessors will need to hold a requisite certification and work with a C3PAO to conduct valid certification assessments. OSCs will need to coordinate with the C3PAOs.