cmmc

frequently asked questions


CMMC explained

DIB contractors are responsible for meeting the DoD's cybersecurity mandate, the Cybersecurity Maturity Model Certification (CMMC), a comprehensive cybersecurity framework.

Why CMMC?

The DoD launched CMMC 2.0 to protect sensitive DIB information from frequent and increasingly complex cyberattacks. Attacks often come through a third party that believes its information is too unimportant to be of interest to an attacker. Once one link in the chain is compromised, the entire supply chain can fail.

When will CMMC be required?

CMMC requirements may begin appearing in all DoD contracts as early as Fall-Winter 2023. CMMC 2.0 (announced Nov 4, 2021) is presently going through the final Federal Rulemaking process.

Do I have to be CMMC certified?

Yes, if you're in the DIB, have a current contract with the DoD, or want to be a DoD contractor, you need to certify. Be an early adopter: beat the rush and be first in line for contract approval. There is a very limited pool of accredited CMMC Professionals. Now is the time to seek guidance from a CMMC expert!

Should I care about CMMC?

You may want to bid on a DoD contract, and that is only possible with CMMC in place. Even if you are not interested in bidding, CMMC is based on the standard cybersecurity framework mandated by White House Executive Order EO13556, 2016.

How difficult is CMMC?

It is challenging if you are not already following NIST 800-171 (DFARS 252.204-7012) regulations and do not have a rigorous security framework in place.

Do I need to hire a certified CMMC consultant?

Yes, depending on your level and current security environment. If you self-assess and fail, you will be denied a contract award and will have to go through an assessment after all. If it were easy, everyone would already meet compliance. Go to the Cyber AB Marketplace, the directory of accredited CMMC professionals. An unaccredited third party or your in-house IT staff will not be accepted for certification.

How soon do I need to prepare before bidding on a contract?

That depends on the size and complexity of your organization. Anticipate a minimum of six months. Organizations that are not in a ready-to-go state should factor in an additional three to six months.

What are the steps to certification?

1. Establish Target Objectives & Resources
2. Scoping & Control Maturity Assessment
3. Risk Assessment
4. System Security Plan
5. Certify
6. Monitor & Improve

How do I know what level I am?

We will assess that for you.

Maturity Level 1 - FCI - Foundational
Maturity Level 2 - CUI - Advanced

We meet NIST 800-171 - aren't we already CMMC compliant?

If you are already in compliance with NIST 800-171 (DFARS 252.204-7012) you may self-assess and we can confirm that for you.

Is CMMC the same as ISO 27001?

All of the cybersecurity frameworks have similarities. ISO 27001 and CMMC are well aligned, which will make assessment easier. The difference is that CMMC is a US DoD mandate, whereas ISO 27001 is an international standard. We have both a CMMC-CCP and an ISO 27001 Lead Auditor on staff.

Can we “limit” the scope of our environment?

The short answer is “it depends.” Contact us and let’s have a discussion surrounding your specific situation.

Are subcontractors required to maintain the same level CMMC certification as the prime?

Yes, reach out so we can learn more about your specific environment.

Is there a differentiation for non-US-owned firms?

The standard and framework itself apply equally to any provider within the Defense Supply Chain. However, some categories/subcategories of CUI (typically things like Export Control, nuclear, weapons systems, and space) may carry additional safeguarding requirements similar to or in addition to ITAR (International Traffic in Arms Regulation).

If someone in our supply chain cannot access CUI, do they need to be CMMC Certified to perform work under that contract?

Yes. Per DFARS 252.204-7021, the responsibility rests squarely on all entities that use subcontractors. CMMC also covers Federal Contract Information (FCI). Even if information is unmarked but fits the definition of CUI, you still have a responsibility to treat it as such. See 32 CFR Part 2002, specifically 2002.14(b), 2002.14(c), 2002.20(7).

When will we see CMMC requirements in DoD RFPs?

CMMC requirements are already appearing in DoD RFPs because the Rulemaking Process is quickly approaching. Per CMMC 1.0, your organization is already under DFARS regulation and should already be compliant with NIST 800-171 and the "interim rule" that went into effect on November 30, 2020.

How much will CMMC preparation cost?

The overall cost will be on a Time & Material (T&M) basis. Many factors drive cost, and they cannot be estimated without knowing the existing control environment, the type of contracts and the types of FCI/CUI that may be in use, the desired/required Maturity Level, the size of the organization, the asset inventory, and the complexity of the infrastructure and network. A consultation to discuss your organization's framework will be required.

What happens after the CMMC assessment preparation?

The CMMC ecosystem has different players but they work together as a team to prevent conflict of interest. Our goal is to prepare your organization as if it were the actual audit so that there are no surprises or delays in your assessment.

1. Audit preparation with a CMMC-CCP

2. Audit with a CCA from a CMMC Third Party Assessor Organization (C3PAO)

Find a CMMC professional (CMMC-CCP) on the Cyber AB Marketplace.

Our certified CMMC consultants are among the first 20 professionals certified in the US to prepare the DIB for CMMC Certification, with over 30 years of experience in IT and 20 years in IT security.

Our goal is transparency, collaboration, and affordability.

Why are you passionate about CMMC Compliance?

We take our patriotic duty seriously. The time to act is now. The penalty for ignoring CMMC will be a denial of contract, and fines under the False Claims Act if you make false attestations.

Let's get started

What is the CMMC roadmap?

There is a big shift in national security, hence CMMC. The DIB is going to need to embrace CMMC, as Zero Trust is on the roadmap by 2027. The term dates from the Cold War. The model maintains strict access controls and trusts no one inside the network by default.

Cybersecurity is always evolving so we recommend finding a partner you can trust for the long haul.