About Defense Cybersecurity Group
As a leading voice in the federal compliance space, DCG's mission is to bring critical cyber solutions to the Defense Industrial Base.
Regardless of where your information security architecture stands or the needs of your business, our team of experts is prepared to move you toward compliance with an emphasis on real security. We employ a custom risk-based methodology, identifying the most serious threats to your information security first. From there, we tailor our consulting services to your security, compliance, and financial goals.
DCG was founded in 2020 by Vince Scott, a retired Naval cryptologist, Certified CMMC Assessor, and Provisional CMMC Instructor.
Frequently Asked Questions
BEGINNER
Q1: Who will need to comply with CMMC? Do all companies have to be assessed?
A1: There are multiple levels of CMMC. Contracting organizations that generate, process, handle, or store Controlled Unclassified Information (CUI) will almost certainly need to have their CMMC compliance assessed by a CMMC Third-Party Assessment Organization (C3PAO). The DoD has said that it intends to roll out assessment requirements over a three-year period, beginning with "prioritized acquisitions."
Q2: How do I know if I possess a contract with CUI?
A2: CUI is defined in 32 CFR 2002 as "information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls," excluding information that is classified. As discussed in this blog, DoD contracting officers are technically responsible for identifying CUI in contracts. This is not routinely practiced. Therefore, it has become the responsibility of Organizations Seeking Certification (OSCs) to identify CUI in their own systems. NARA's CUI Registry, which includes a detailed listing of CUI categories, is a good resource to support OSCs looking to identify CUI in their systems. A systematic review of active contracts is also necessary to determine if, and where, CUI rests within your organization.
Q3: How will my organization know what CMMC level is required of my organization?
A3: As it stands, CMMC will include several tiered levels of certification. Determining which level will be required of your organization necessitates an evaluation of the kinds of federal information you come into contact with. If you process, handle, or store Federal Contract Information (FCI), but not CUI, your business will need CMMC Level 1 (an annual self-assessment). OSCs handling CUI will need Level 2, which for most CUI requires a C3PAO assessment. To learn more about the distinctions between these categories of federal data, check out this blog post.
Q4: How can I get my business CMMC compliant in 30 days?
A4: The short answer: you can’t. Vendors who advertise “quick-fix” solutions are disingenuous.
Q5: Okay, how long does it take to be fully certified?
A5: On average, small and medium-sized businesses are taking 12-18 months to fully implement the necessary security measures. In many cases, this process takes longer.
Q6: When do we expect the CMMC rule to be fully in effect?
A6: There are fluidities in the rulemaking process that make it difficult to name a specific date with certainty. However, experts expect CMMC to be finalized in Q1 2025, and no later than Q3 2025. Understand that there are two different CMMC rules in process under federal rulemaking. The first, 32 CFR Part 170 (the CMMC program rule), is due in its final form in late September or early October. The second, the 48 CFR (DFARS) rule that updates clause 252.204-7021, has just been released in draft form and is due in its final form roughly in Q1 2025.
Q7: When should I start, if I want to be compliant on time?
A7: Full compliance with DFARS 252.204-7012 and the security requirements in NIST SP 800-171 has been mandatory since 1 January 2018. This forms the majority of the requirements that CMMC assesses. CMMC assessments are projected to begin in 2025. In general, if you want to be among the first or second wave of DIB companies with a certification, start now, as compliance generally takes between one and two years to achieve. It is also worth noting that large prime contractors are already asking subcontractors about SPRS scores and the likelihood of certification; in other words, your primes are likely to require you to become compliant before your contracting officer does.
Q8: How do I start prepping my business for CMMC rollout?
A8: There are two key components to starting your CMMC journey on the right foot: 1) pick the leader, and 2) track the flow of CUI through your organization.
1) Selecting the correct individual to head up your CMMC compliance effort ensures cooperation from your business as a whole; for this reason, we highly recommend that your project leader not be an IT employee. CMMC cannot be successfully achieved with behind-the-scenes technological efforts alone. At its heart, this is a business challenge, not an IT challenge, and it will require senior-level leadership to be carried across the finish line.
2) Once your project leader has been selected, their initial course of action should include tracking CUI throughout its entire life cycle within your organization. Where does CUI enter? Is it marked? How does it flow through your systems? Do you have any subcontractors that require CUI to generate deliverables? This foundational understanding will enable team members to apply controls effectively over time. Without it, you will find it impossible to make the necessary changes to your cyber architecture, because you cannot scope controls around data you have not located.
Q9: Do I have to comply with all 110 controls in NIST SP 800-171?
A9: Yes, and more. This cannot be stressed enough: OSCs will be assessed according to NIST SP 800-171A and the assessment objectives therein, not simply the 110 controls listed in 800-171. Assessment objectives are the individual determination statements associated with each control. This raises the number of items that must be met to become certified to 320. If you work to become compliant only with the controls as written, you will not pass a third-party assessment.
EXPERT
Q1: How does NIST SP 800-171 Revision 3 impact the CMMC rulemaking timeline?
A1: It doesn't. These are separate initiatives, undertaken by NIST and the DoD, respectively.
Q2: Will guidance on Level 2 self-assessment (whether it will be allowed and, if so, what the criteria are for an OSC to qualify) come out at any point prior to the interim or proposed rule?
A2: We expect this to be established in the final CMMC rule, 32 CFR Part 170. In the proposed rule, a Level 2 self-assessment rather than a C3PAO certification is allowed when the DoD program office or requiring activity specifies it for the contract. Additionally, in the proposed 48 CFR update, the DoD states: "(a) The CMMC certificate or CMMC self-assessment level specified in the contract is required for all information systems, used in the performance of the contract, that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI)."
Q3: Will foreign companies be subject to CMMC requirements?
A3: The DoD has not separately addressed whether foreign members of the DIB will be assessed against CMMC, but the proposed 48 CFR CMMC regulation says: "Many respondents commented on whether CMMC will apply to foreign suppliers. Response: If the program office or requiring activity identifies a need to include a CMMC requirement in a contract, it will be included in the solicitation and resulting contract unless the contract is exclusively for COTS items. The proposed rule does not exempt foreign suppliers from CMMC requirements."
Q4: Does it matter what external service providers we use to support our enterprise?
A4: Absolutely. External service providers (ESPs) are not a category explicitly defined by NIST, but they are defined in the CMMC regulation. The DoD defines them, in reference to CMMC, as "external people, technology, or facilities that the organization utilizes, including Cloud Service Providers, Managed Service Providers, Managed Security Service Providers, Cybersecurity-as-a-Service Providers." The CMMC Assessment Process (CAP) also discusses service providers in Section 1.5.4, "Ascertain the Use of External Cloud Service Providers," which treats Cloud Service Providers the same as other ESPs. Therefore, it is important for OSCs to be mindful of all ESPs they employ, with the understanding that those ESPs will need their own CMMC certification. The proposed 32 CFR Part 170 CMMC rule treats all organizations that process Security Protection Data on an OSC's behalf as ESPs and requires them to hold their own CMMC certification. Our assessment of 32 CFR Part 170 as proposed is that the DoD intends to mandate CMMC certification of all MSPs and MSSPs that service DIB companies.
Q5: When will I have to be compliant with NIST SP 800-171 Revision 3?
A5: Revision 3 is the current, formalized version of NIST SP 800-171; it was published as final in May 2024. The DoD issued a class deviation, also in May 2024, that ties current contractual cyber requirements (DFARS 252.204-7012) to Revision 2. The class deviation remains in effect until canceled. Based on public comments from the CAICO on the time needed to produce CMMC training based on Revision 3, and the fact that the CMMC regulation itself is tied to Revision 2, we do not anticipate the imposition of Revision 3 for several years.
Q6: If 800-171 Revision 3 eventually changes CMMC requirements, will CCPs and CCAs need to undergo new training and/or exams?
A6: The CMMC Program Management Office is considering this but has not provided any further insight at this time. We recommend staying up to date with the new requirements, but we do not expect new exams to be required.
Q7: Do I have to apply FIPS to my entire system?
A7: No. NIST SP 800-171 requirement 3.13.11 calls for FIPS-validated cryptography only when cryptography is used to protect the confidentiality of CUI, for example CUI in transit over networks you do not control or at rest on portable media. Inside a data center where appropriate physical controls protect confidentiality, encryption is not the control being relied upon, so FIPS validation is not required there. The caveat: if you do rely on encryption for CUI in a given place, the module must be FIPS 140 validated, not merely "FIPS compliant" or "FIPS capable," and you should be able to show the assessor the CMVP certificate and the module running in its validated configuration.
Meet Defense Cybersecurity Group
Vincent Scott FOUNDER AND CEO
Vince is a US Navy veteran with more than 30 years of cyber experience. A graduate of the US Naval Academy, Vince's 21-year career in military operations included cyber warfare, information warfare, and intelligence operations. He conducted Intelligence, Surveillance, and Reconnaissance (ISR) activities at the tactical, component, theater, and national levels. He served with multiple national intelligence agencies. He deployed numerous times, including combat operations in both Gulf Wars, in addition to deployments to Bosnia, Kosovo, and elsewhere.
Following his diverse career in military operations, Vince joined Oklahoma State University's University Multispectral Laboratories (UML) as Chief Information Officer (CIO) and Director of C5ISR. Following his work with OSU, Vince held positions with P&G as its Global Leader of Cyber Incident Response and Threat Intelligence, served as a Director in PwC's Cybersecurity and Privacy practice, and led PwC's National Cyber Threat Intelligence Organization. Most recently he served as the Executive Director of SENTIR Research Laboratory and is currently the Chief Security Officer of Solutions Through Innovative Technologies (STI-TEC).
Vince founded DCG with the aim of supporting the Defense Industrial Base (DIB) throughout the implementation of the new Cybersecurity Maturity Model Certification (CMMC). As a veteran and small business owner himself, Vince's mission is to provide thorough, cost-effective consulting and services throughout the DIB's ongoing compliance journey. He is currently a Certified CMMC Assessor (CCA) and Provisional CMMC Instructor (PI). He is FBI InfraGard's SME on cyber warfare and a former editor of the Journal of Law and Cyber Warfare.
Nick Martin DIRECTOR OF CYBERSECURITY AND INFORMATION MANAGEMENT
With over 15 years of experience in Information Technology and Data Governance, Nick has in-depth knowledge of information security and data provenance. He works to advance the cybersecurity capabilities of critical industries large and small, and to assist clients with their information security, data governance, and secure data migration requirements. From Controlled Unclassified Information (CUI) to the surrounding federal requirements, including DFARS, FedRAMP, CMMC, and NIST, he provides the cybersecurity and data management expertise that helps our clients and their customers.
Nick’s background includes service in the US Navy as an Information Technology Specialist, Database Security Manager at G4S International, and Global Director of Compliance at Cocoon Data. He has a BS in Computer Science, holds certifications in networking and Unix administration, and has completed the CMMC Certified Professional course.
CCA-Qualified
Charles Norman CONSULTANT
Charles "Chuck" Norman is an accomplished executive with a track record of developing, implementing, and leading cybersecurity, governance, and risk programs. He has demonstrated success in building cross-functional, diverse teams to align IT and business strategies in large global enterprises. A graduate of Indiana State University, Chuck has applied his degree in Computer Science and Mathematics throughout his career. Most recently, he served as a Sr. Client Solutions Advisor for Optiv Security, where he acted as a business development partner to sales executives, as well as a trusted advisor to Fortune 500 client executive and senior management teams. At DCG, Chuck supports communications with C-suites, develops approach methodology for large organizations, and serves as a consultant to businesses seeking CMMC support.
CCP-Qualified
Milt Songy SECURITY COMPLIANCE ANALYST
Milt is a graduate of the United States Naval Academy with a B.S. in Engineering, and of Southern Methodist University's Cox School of Business, where he earned a Master of Business Administration. He is a retired U.S. Navy Surface Warfare Officer, Manufacturing Operations Manager, and entrepreneur with a passion for holistic problem solving and a keen eye for detail. His experience includes private client consulting, ERP, CAD, ISO certification, and OSHA compliance.
At DCG, he applies his business strategy mindset to cybersecurity and compliance consulting. He is a Certified CMMC Professional (CCP) and a member of FBI InfraGard. He also has extensive experience in coaching, non-profit operations management, and fundraising, but he'd rather be sailing.
CCP-Qualified
T.J. White STRATEGIC ADVISOR
FOUNDER & CEO, ONE NETWORK CONNECTION
Vice Adm. TJ White hails from Spring, Texas. A graduate of the United States Naval Academy, he received a BS in Mechanical Engineering in 1987, an MS in Systems Technology from the Naval Postgraduate School, and an MS in National Resource Strategy from the National Defense University–Industrial College of the Armed Forces (now The Eisenhower School). He has received diplomas from a myriad of executive and professional education programs, including MIT, Harvard, and Darden.
TJ is a 30-plus year national security practitioner, strategist, and cyber operations expert. He is experienced in leading joint military formations and combined intelligence community organizations, and has commanded at all levels within the Navy and Joint Service, most recently as Commander, United States Fleet Cyber Command / United States TENTH Fleet / United States Navy Space Command, and previously as Commander, Cyber National Mission Force / USCYBERCOM. He is a former Director of Intelligence for United States Indo-Pacific Command and has served globally in various combat zones and conflict areas supporting competition dynamics. A former CINCPACFLT Shiphandler-of-the-Year, he misses his days driving a battleship.
Following his retirement from the USN as a Vice Admiral (VADM), White founded OneNetworkConnection, a small business designed to support organizations in understanding the value and opportunity found in collective cybersecurity. As a business owner and highly experienced veteran of cyber warfare, TJ collaborates with DCG on critical communications with C-suites and board members regarding CMMC and other developing information security frameworks.
Shelby Scott LEAD TECHNICAL WRITER
Shelby is a Certified CMMC Professional (CCP) with more than 3 years of experience creating CMMC-specific documentation and informational materials. She currently supports DCG as Lead Technical Writer and project manager.
Shelby graduated with a double major in Philosophy and Environmental Studies from Eckerd College in 2021. She has experience in nonprofit administration, grant and proposal writing, and environmental education.
CCP-Qualified
Jacob Scott TECHNICAL WRITER
Jacob is a technical writer with a B.A. and an equivalent A.S. in software development. He has four years of CMMC implementation experience taking companies from zero to compliant. He focuses on producing working documentation and building a working understanding of the regulation for clients. He has also been focusing on VDI-based CMMC-as-a-service compliance.
Jacob has worked in a number of technical positions and projects, including service desk, maintenance, and system implementation. He has led the implementation of the Security Onion SIEM in a corporate environment and of open-source ticketing systems. Outside of CMMC he has also worked extensively with the SSDF and EO 14028, as well as the implementation of secure software development practices.
CCP-Qualified