The CMMC is an evolving topic. Find the answers to your frequently asked questions below. This information is current as of Sept. 1, 2021.
A&S – Acquisition and sustainment
C3PAO – Certified Third-Party Assessment Organizations
CAGE code – The Commercial and Government Entity code
CMMC-AB – CMMC Accreditation Body
COTS – Commercial off-the-shelf
CUI – Controlled unclassified information
DCMA – Defense Contract Management Agency
DFARS – Defense Federal Acquisition Regulation Supplement
DIBCAC – Defense Industrial Base Cybersecurity Assessment Center
DoD – The U.S. Department of Defense
DoS – The United States Department of State
FCI – Federal contract information
FedRAMP – The Federal Risk and Authorization Management Program
FISMA – Federal Information Security Management Act
GSA – General Services Administration
HHS – The U.S. Department of Health and Human Services
HR – Human resources
MSP – Managed service provider
NIST SP – National Institute of Standards and Technology Special Publication
OSC – Organization Seeking Certification
PII – Personally identifiable information
POA&M – plan of action and milestones
Prime – Prime contractor
RFI – Request for information
RFP – Request for proposal
RMF ATOs – Risk Management Framework Authorization to Operate
SAM – The System for Award Management
SPRS – Supplier Performance Risk System
Sub – Subcontractor
This is unclear. As no certifications are being issued yet, it is hard to know. We also expect that when certifications occur it could take at minimum nine weeks, from selection of and contracting with a C3PAO, through fieldwork, to final issuance and approval of the certification by the CMMC-AB. It is also possible to imagine there could be a backlog of organizations seeking certifications and a waiting period to schedule the assessments. How long it takes for the organization to prepare is very dependent on the maturity of that organization’s cybersecurity controls and the results of the self-assessments and readiness reviews that they conduct. We highly encourage an organization to conduct readiness efforts to ensure they are ready for the assessment.
The DoD also states in their FAQ on the CMMC website: “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.” The cost will ultimately depend on the level that the organization is seeking, as well as the complexity, size and scale of the environment being assessed. Other factors, such as requiring expedited assessment completed by a certain time, might also impact the costs.
There is no requirement for assessors to complete a determined number of Level 1 assessments before they can conduct Level 3 assessments. There are requirements about when they can use the CMMC logos, but not to conduct the assessments. There is no need to be certified at each level if a contractor attempts to be CMMC Level 3. The organization can simply have one assessment completed against Level 3 and they will be issued a level certification if that is earned as a result of the single assessment. If a contractor does not earn a Level 3 and instead earns a Level 2, then they would need to undergo a later assessment to demonstrate they have earned Level 3.
An MSP is required to be in scope when they possess FCI or CUI on your behalf. When you share such data with a third party, you will need to ensure they are able to handle and protect that information. If it is a subcontractor, they would likely have the requirements in the contract when you flow down the associated clauses. In that case, a subcontractor would need to achieve their own certification.
However, for vendors, you will need to carefully consider how you get agreements from them. If they are not a contractor that will achieve their own certification, then you may need to include them in the scope of your assessment and certification. If the DoD grants reciprocity to FedRAMP, then it would be part of how you can ensure the third party can properly protect the data. It is important to note that if a third party only views but does not take possession of the data, then it depends on the facts and circumstances.
This has not been clearly defined. The DoD wants to ensure that the first wave of contracts with the CMMC requirement are a manageable number that can be handled by the provisional class of assessors. Depending on the progress of the CMMC-AB to have the assessors ready and the timeline of DoD acquisitions, the specific contracts that are part of the pathfinder program could change. Our recommendation is to stay close to your customer, and where allowed, seek their guidance. If your DoD RFI or RFP is expected this fall or winter, be aware that it could be selected and you might need to have your CMMC completed.
You can and should develop your network and technology environment in accordance with NIST 800-171 and/or CMMC requirements. If you do not handle CUI, you can still implement the controls, policies and procedures so that you are ready to handle CUI. Having done so, you can post a score to SPRS. Doing so is required prior to being awarded a contract where your organization is going to handle CUI. Waiting to create an environment until after being awarded a contract is no longer an option that seems viable. The good news: security requirements are also valuable for protecting your organization's information and are therefore certainly something even solely commercial entities could benefit from.
It is not clear at this time. The guidance on reciprocity is not available at the time of writing, and therefore the ability to rely on other frameworks is unknown. However, there is a mapping of CMMC to the other common frameworks, and the effort to implement controls or conduct self-assessments of such controls could be greatly decreased where the controls are already in place and were previously evaluated during your other assessments.
Please refer to the Marketplace established by the CMMC-AB.
Baker Tilly Principal Matt Gilbert is provisional assessor number 19. The CMMC-AB is in the process of confirming C3PAOs. When this is completed they will post an official list of assessors and C3PAOs within their Marketplace. Initially there is a class of provisional assessors, but eventually assessors will need to hold a requisite certification and work with a C3PAO to conduct valid certification assessments. OSCs will need to coordinate with the C3PAOs.
If you handle CUI you are likely to require Level 3 or above. If you only handle FCI you are likely to only need Level 1. The DoD will specify in their solicitations the associated CMMC requirements.
There might not be a set profile, but those who need to obtain CMMC Level 3 will all be entrusted with and handling CUI.
The indications are that the DoD will specify in the RFI/RFP and/or in the contract the level of certification that is required. The DoD has indicated that contractors that handle CUI will at a minimum require Level 3. If a contractor does not handle CUI and only handles FCI, they will be required to only be Level 1. This also helps explain why primes and subs might have different levels. Examples from DoD officials have indicated a situation where the prime is required to be Level 3 and the subs Level 1. Our belief is that primes should target Level 3. If you are a sub, then Level 1 might be all you require, but Level 3 is not a bad investment to enable you to obtain prime or more significant sub roles on future DoD procurements where you will be required to handle CUI.
The concept in question here is called enclaves. A company may decide that certain basic controls such as Level 1 or Level 3 will be adopted for the entire organization. Then, as a contract requires greater certification, a separate lab, network, location, etc. will be defined as an enclave and be certified at a higher level. The key is to ensure that the scope of your certification matches your plan and objectives for operation going forward.
This is the determination of the DoD. However, to date the assessment methodology has not been completed beyond Level 3 and assessors are not specifically trained beyond Level 3. It is unlikely to see CMMC Levels 4 or 5 in the near term. Additionally, it is a requirement to complete 15 Level 3 assessments before an assessor could attempt to become certified for Levels 4 and 5.
It is unclear from the question if the contractor handles CUI. If your organization handles CUI and therefore has DFARS 252.204-7012 clauses, you need to self-assess against the 110 requirements of NIST 800-171, per the DoD assessment methodology. If you do not handle CUI and only have FCI, you are likely to only require CMMC Level 1. The 17 practices from Level 1 also directly align to FAR 52.204-21 and should not be a new requirement.
The interim rule released Sept. 29, 2020, states the new DFARS 252.204-7019 requires contractors to post a score to SPRS. The SPRS, a DoD website, will capture the result of the contractor’s basic assessment. This is effectively a self-assessment against the 110 requirements of NIST 800-171 that were imposed as a result of DFARS 252.204-7012. If a contractor does not have the 7012 clause and does not envision future awards that include such a clause, they may elect not to post a score. However, if a score is not posted by Nov. 30, 2020, beginning the next day the DoD or prime could withhold future awards. The exact details and impact are not yet fully known, i.e., whether that is a delay in award or a disqualifying event after which another contractor would be awarded. Certainly, a contractor should make every effort to establish their score and post it in order to avoid such concerns.
Assessments are to be loaded to SPRS. It is Baker Tilly's understanding that organizations will have access in SPRS to input a score associated with each of your CAGE codes. Whether you choose to do so is your prerogative. If the CAGE code handles CUI and is subject to DFARS 252.204-7012 then you are required to do so in order to obtain future awards. However, if a CAGE code does not share a common set of systems and is not handling CUI or subject to that clause you might elect not to post a score after your own careful consideration.
The requirement is not to be 100% compliant. You are required to score yourself via the DoD assessment methodology found here. The score you obtain should then be posted to the SPRS site. If you are not at a perfect score of 110, you will need to specify a date by which you intend to obtain such a score.
It is unclear if the 2017 assessment you refer to was completed internally. If so, it could be used but is likely to raise questions. If you maintain the NIST 800-171 controls and have a strong grasp of their status, you are likely better off updating and completing a recent assessment. The assessment is not intended to be a lengthy process and instead is simply reviewing the 110 requirements and determining if they are implemented.
Yes, the contractor will have access to SPRS and can post updated scores. We strongly encourage contractors to post accurate scores and update as you make progress toward improving your security posture. A regular routine to update based on confirmed completion of items from your POA&M is a best practice.
The basic assessment scope is determined by the contractor. It is likely an entity assessment but can be done at lower levels such as CAGE code. Those determinations are fact and circumstances based and need to be carefully considered by the contractor.
The self-certification is only to a basic score. It is the DoD’s prerogative to determine if they would like to have the DIBCAC perform a medium or high assessment. If that is requested, the DIBCAC will coordinate with your organization to schedule it.
If your organization was already subject to a DIBCAC assessment, you should have obtained a score. If that score is not a perfect score of 110, then you still likely need to post a score and target date to achieve 110. Additionally, if you are aware of any changes since the DIBCAC assessment that would adversely impact your score, you should consider reflecting that as well. In those cases and/or for good measure you should consider posting a score even if it matches that of the DIBCAC. Lastly, you should confirm a score was posted by the DIBCAC in SPRS.
The DoD will select, at their discretion, those contracts that are subject to medium and high DIBCAC assessments. The selection is likely based on risk and tied to critical programs.
The DCMA established the DIBCAC. They have conducted assessments, but to date, the assessments are based on NIST SP 800-171 and not CMMC. It is not officially announced if those assessments will have reciprocity with CMMC at this time but this is highly likely.
This is a very facts-and-circumstances-based answer. We recommend clarifying with your contracting officer, legal counsel and/or an expert as required. COTS is exempt from these requirements. It is likely that the detail and specification of the modification is going to determine if the COTS exemption would still apply. For illustration, purchasing a COTS product and asking for it to be painted a certain color might not be a concern. However, if the instruction is to paint it with a special type of paint or you provide detailed drawings, this additional information could constitute CUI and therefore the COTS exemption would not apply.
In the context of a commercial sale, that credit card information is not likely to be considered CUI by the DoD. Therefore, you are likely exempt.
CMMC is a requirement to protect CUI and FCI. In the example cited, the existence and details of the contract that are not publicly available are likely FCI. The list of attendees and/or the content of the course, if of a very technical nature, could possibly be CUI. That determination would need to be made in concert with the DoD, but if determined to be CUI then this contract would be subject to CMMC Level 3.
The current understanding is that any organization that obtains DoD contracts will be subject to the CMMC requirements. This includes prime contract recipients and the subcontractors. If you currently hold a DoD contract but do not intend to obtain future contracts, then CMMC will not apply, as the CMMC requirements are prospective only.
If your organization is a grant recipient, it is our current understanding that CMMC will likely apply to new grants. The key determinant is if the CMMC requirement is included by the government. The DoD is currently working on DFARS modifications to institute CMMC. When this language is available for review, we will have further clarity. If you are not a DoD contractor, then you are not likely to have CMMC requirements initially. However, we caution that if CMMC is successful, we believe that other agencies across the federal government will look to it as a model and similarly look to adopt CMMC in the future.
It is our understanding that, regardless of the circumstance, those who hold CUI should give careful consideration before sharing. Such considerations in the future might include verifying that the recipient has the appropriate CMMC level to handle the CUI. However, if you make the data available for viewing without granting possession to that third party, you might be able to avoid the recipient needing to comply with or demonstrate CMMC.
There are no formal announcements as of Nov. 5, 2020. Other agencies are talking with the DoD and paying close attention to CMMC to address their own CUI and supply chain risk management objectives. The GSA is also including references to CMMC regularly but as of Nov. 5, 2020 CMMC only applies to DoD.
CMMC is designed to protect CUI and FCI. The scope is determined by the OSC. The scope could include systems that are also subject to RMF ATO processes, or it may not. This determination should be made by the OSC. The organization needs to ensure that the CUI they possess is covered by the certification they possess if it is not covered by an ATO. If leveraging the ATO, then the contractor should specify this and seek needed clarification from the DoD on the situation. This is a perfect example of where, during the solicitation and contract negotiation process, the contractor should resolve questions of applicability such as where an ATO vs. CMMC is required.
If you are handling classified information or have contracts with FISMA and/or NIST SP 800-53 requirements, you are likely not impacted by CMMC for that contract. However, additional contracts or portions of your existing contract that are not subject to those higher requirements could require CMMC levels in the future.
Definitions and categories for CUI can be found at https://www.archives.gov/cui. As facts and circumstances apply to the CUI determination, we encourage contractors to discuss with their customer to make such judgments. It is our understanding that if PII or HR information is about DoD persons, that would likely be considered CUI, and if about the contractor’s own team, that might not be CUI. However, your organization likely wants to adequately protect the two data sets in a similar fashion where feasible. The DoD also issued instruction on CUI that can be found here: https://www.dodcui.mil/Portals/109/Documents/Policy%20Docs/DoDI%205200.48%20CUI.pdf
A contract alone is likely FCI and not CUI. Further, the full contents of a contract are not typically posted online; what is posted is the RFP or other solicitation information. FAR 52.204-21 defines FCI as “...information not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.” CUI is defined as information that requires safeguarding or dissemination controls pursuant to and consistent with the law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, Dec. 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. Source: E.O. 13556 (adapted)
According to the DoD, CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A CUI Registry provides information on the specific categories and subcategories of information that the executive branch protects. The DoD also issued a memo on CUI.
The CMMC model v1 defines FCI as “information provided by or generated for the government under contract not intended for public release.” This is similar to CUI but without the same degree of structure and definition coming from the National Archives and Records Administration. If you do not possess CUI, it is still likely that you possess FCI. In discussions and examples from the DoD, it appears that if you possess CUI then you will likely be required to obtain CMMC Level 3. If you are not in possession of CUI, but as a contractor do have FCI, then you will likely be required to have Level 1.
In theory, this should have no impact on the CMMC assessment process. The JV is the OSC and they would contract with a C3PAO. The OSC would need to define a scope for the assessment. If that scope is comprised entirely of JV systems, the assessment proceeds like any other. If the scope includes technology from the parent or other third parties, then the assessment would need to cover not only the practices and processes in place at the JV, but also those at the parent or other third parties. If those parents or third parties are already certified to the right CMMC level, or have other designations like FedRAMP or prior DIBCAC assessments that will likely grant reciprocity, then less effort will be required outside of the JV.
Yes, if you are a sub to a prime that has the DFARS 252.204-7021 clause and they flow down that clause to you because you are providing other-than-COTS solutions, you will be required to obtain a CMMC level as determined by the data you handle.
This DoD document might be helpful to consider. It indicates that “the contractor shall include the clause in subcontracts for which performance will involve covered defense information or operationally critical support.”
Additionally, the interim rulemaking states, “Furthermore, CMMC certification requirements are required to be flowed down to subcontractors at all tiers, based on the sensitivity of the unclassified information flowed down to each subcontractor.”
The DoD has not yet published this information. In a recent webinar hosted by Washington Technology, CISO A&S Katie Arrington noted that they have a list resulting from nomination by areas of the DoD. She also said the DoD wants to carefully release the details in solicitations to ensure there is adequate capacity to conduct assessments and comply with the requirements. It is Baker Tilly's view that while publishing a list is certainly desired by many contractors, it could create unintended consequences and will be unlikely to occur in the first year. Organizations may also see language in solicitations that state you have X days from date of award to obtain certification. Over time, these measures will diminish, however only as the number of C3PAOs and assessors’ capacity affords. In FY22 and beyond, organizations may see more advance warning until we approach FY26 when all solicitations will require CMMC via DFARS 252.204-7021.
Per the interim rule that goes into effect on Nov. 30, 2020, the CMMC results will be posted to the DoD’s SPRS system. You will be able to see your own score but not that of other contractors including subcontractors. Therefore, in the future it is going to be an important task to determine what level a sub possesses. The contract will not be awarded to the prime and future awards should not be made to the subs if they do not have the required certifications. In the adoption period, when a sub does not yet have a certification or the proper level, it will be imperative for the prime to understand the plans and efforts underway to obtain required certification in time for award. We advise primes to work with their subs to make sure they are on track, and potentially even review readiness efforts with them. If a sub is not on track, the prime might want to make alternative arrangements.
The prime contractor (prime) has several important requirements as they pertain to the “interim rule” (DFARS 252.204-7019-21) and their subcontractors (subs). The first is to flow down the clause appropriately. The second is to ensure the sub has a score posted to SPRS or holds a CMMC certification at the correct level. Because this information is not available for the prime to see in SPRS and is only available to the DoD, it is imperative for the prime to develop a mechanism to comply. For many, this will include asking for evidence from the sub prior to award and/or completion of representations and certifications. Such “reps and certs” should be carefully constructed to ensure that the environment, or scope, in which the sub completes the contract is the same as that covered by the score or certification.
Yes, subcontractors will be required to self-assess if they handle CUI and are subject to DFARS 252.204-7012.
We can’t speak for the DoD; however, there is a public comment period on the interim rule available until Nov. 30, 2020. You can find and post comments at the Federal Register: https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
The DoD is providing information and resources to assist with the rollout of CMMC. In the Nov. 5, 2020 webinar, Katie Arrington noted one resource for completing the basic assessment at https://projectspectrum.io. There are also Manufacturing Extension Program grants that small entities might be able to take advantage of. Lastly, the DoD has stated that the costs are allowable.
Attend Baker Tilly’s webinar series! Our goal is to conduct monthly events. We will continue to update content on our website regularly. Information is also available on the CMMC-AB website.