UPDATES TO THE CMMC WEBSITE WILL BE LIMITED DURING THE CMMC RULEMAKING PROCESS

CMMC FAQs

About CMMC

  1. Now that CMMC 2.0 is published, will companies be required to comply with CMMC 1.0?
    1. The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).

      Once CMMC 2.0 is codified through rulemaking, the Department will require companies to adhere to the revised CMMC framework according to requirements set forth in regulation.
  1. When will CMMC 2.0 be required for DoD contracts?
    1. The publication of materials relating to CMMC 2.0 reflects the Department’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take up to 24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.
  1. Why did the Department make these changes?
    1. The Department values feedback from industry, Congress, and other stakeholders and received over 850 public comments in response to the interim rule establishing CMMC 1.0. These comments focused on the need to enhance CMMC by (1) reducing costs, particularly for small businesses; (2) increasing trust in the CMMC assessment ecosystem; and (3) clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards. CMMC 2.0 was designed to meet these goals, which also contribute to enhancing the cybersecurity of the defense industrial base.
  1. How much will it cost to implement CMMC 2.0?
    1. The Department will publish a comprehensive cost analysis associated with each level of CMMC 2.0 as part of rulemaking. It is important to note that costs to implement cybersecurity controls are incurred due to the need to comply with contract requirements for safeguarding information, as defined in FAR 52.204-21 and DFARS 252.204-7012, and are not considered to be costs for implementing CMMC, which is a program to assess the degree to which those underlying security requirements have been met. CMMC assessment costs are projected to be lower relative to CMMC 1.0 because the Department intends to (1) streamline requirements at all levels, eliminating CMMC-unique practices and maturity processes; (2) allow companies associated with the new Level 1 and some Level 2 acquisition programs to perform self-assessments rather than third-party assessments; and (3) increase oversight of the third-party assessment ecosystem.

CMMC 2.0 Model

  1. How will my organization know what CMMC level is required for a contract?
    1. Once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation.
  1. What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?
    1. Compliance with NIST standards is levied as a contractual requirement via inclusion of clauses such as FAR 52.204-21 and DFARS 252.204-7012. The relationship between CMMC and the NIST standards is that CMMC requirements will result in a contractor self-assessment, or a third-party assessment, to determine whether the applicable NIST standard (as identified by the DFARS clause) has been met. The FAR clause states the basic safeguarding requirements for CMMC Level 1 compliance. Under CMMC 2.0, a Level 2 assessment will be conducted against the NIST SP 800-171 standard and a Level 3 assessment will be based on a subset of NIST SP 800-172 requirements.
  1. Will prime contractors and subcontractors be required to maintain the same CMMC level?
    1. If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.
  1. Would it be safe to say that customer data is CUI and administrative data is FCI?
    1. The definition of FCI is in FAR 52.204-21 and CUI in 32 CFR Part 2002, respectively. The DoD CUI Quick Reference Guide, located at https://www.dodcui.mil, includes information on CUI. In addition, the Defense Counterintelligence and Security Agency (DCSA) provides answers to Frequently Asked Questions, available at https://www.dcsa.mil/Portals/91/Documents/CTP/CUI/21-10-13%20CUI%20FAQ%20FINAL.pdf. These FAQs describe the difference between FCI and CUI as follows: “Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. However, while FCI is any information that is ‘not intended for public release,’ CUI is information that requires safeguarding and may also be subject to dissemination controls.”
  1. Some intelligence organizations such as NSA are not currently implementing CUI marking and are still using legacy FOUO markings. Is this going to be addressed? Using different markings with inconsistent requirements makes it very difficult for companies to manage compliance.
    1. Whether or not a DoD Component or IC Element implements CUI requirements is outside the purview of the CMMC program. The CMMC program makes no change to information marking requirements identified in the CUI program (32 CFR Part 2002 and DoDI 5200.48). A CMMC assessment is required if/when DoD CUI will be processed, stored, or transmitted on a contractor information system.

Assessments

  1. How does my company become a C3PAO?
    1. Interested organizations should reference the CMMC-AB website for additional information on becoming a candidate C3PAO.
  1. How frequently will assessments be required?
    1. Once CMMC 2.0 is implemented, self-assessments, when permitted based on the CMMC level assigned, will be required on an annual basis. When CMMC certification is required, a C3PAO assessment (Level 2) or Government assessment (Level 3) will be required on a triennial basis.
  1. Who will perform third-party CMMC assessments?
    1. Once CMMC 2.0 is fully implemented, DoD will only accept CMMC assessments provided by the Government or an authorized and accredited C3PAO or certified CMMC Assessor. C3PAOs shall use only certified CMMC assessors for the conduct of CMMC assessments.
  1. Will my organization need to be certified if it does not handle CUI?
    1. Contractors are required to safeguard information by inclusion of contract clauses such as FAR 52.204-21 (for FCI) or DFARS 252.204-7012 (for CUI). DoD’s intent under the CMMC program is to require assessment against the required cybersecurity standards (i.e., NIST SP 800-171) only when safeguarding of CUI is required. For some programs or some CUI, DoD will require certification based on assessment by a C3PAO or the Government, rather than relying on a self-assessment. If a DIB company does not process, store, or transmit CUI on its unclassified network, but does process, store or handle FCI, then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.
  1. Who would be responsible for the management of CMMC inside a company? Would it be a security function managed by the facility security officers (FSO), or would it be an IT function managed by the company’s IT director?
    1. Mainly, it is up to the leadership and layout of your organization and how those roles are defined. Who is the ultimate responsible party (or parties) for the cybersecurity hygiene and assessments of your organization? Cybersecurity covers personnel, facilities, and technology.
  1. Will CMMC certifications and the associated third-party assessments apply to classified systems and/or classified environments within the Defense Industrial Base?
    1. CMMC only applies to DIB contractors’ unclassified networks that process, store, or transmit FCI or CUI.
  1. How do we know if we have created CUI internally to the company? Does this have to be explicitly spelled out in a contractual agreement?
    1. Please refer to the policy documents, training materials, and quick reference guides generated by the National Archives (https://www.archives.gov/cui/training.html) and the DoD CUI program, located at https://www.dodcui.mil/Home/Training/.
  1. Will the results of my assessment be public? Will the DoD see my results?
    1. Once CMMC 2.0 is fully implemented, the DoD will have access to information and data relating to a company’s assessment, to include the assessment results and final report. The DoD will store all assessment results on the Supplier Performance Risk System (SPRS). CMMC certificates and the associated third-party assessment data will be stored in the CMMC Enterprise Mission Assurance Support Services (eMASS) database. CMMC assessment results will not be made public.
  1. How much will CMMC certification cost?
    1. The CMMC assessment costs will depend upon several factors, including the CMMC level, the complexity of the DIB company’s unclassified network within the certification boundary, and market forces. DoD will develop a new cost estimate associated with the CMMC 2.0 program, which will be published in the Federal Register as part of the rulemaking process.
  1. What is the difference between a CMMC self-assessment and a basic assessment required as part of the DoD Assessment Methodology?
    1. A CMMC self-assessment will apply to those companies that are only required to protect the information systems on which FCI is processed, stored or transmitted; and a subset of companies that are required to protect CUI. The CMMC self-assessment should be completed using the CMMC Assessment Guide for the appropriate CMMC level. A CMMC self-attestation is a representation that the offeror meets the requirements of the CMMC level required by the solicitation. The CMMC program will require an annual self-assessment and an annual affirmation by a senior company official.

      A “Basic Assessment”, as defined in DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, means a contractor’s self-assessment of the contractor’s implementation of NIST SP 800-171 that —
      • Is based on the Contractor’s review of their system security plan(s) associated with covered contractor information system(s);
      • Is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology; and
      • Results in a confidence level of “Low” in the resulting score, because it is a self-generated score.
  1. When will we know which controls are considered "critical" and won't be allowed on a POA&M?
    1. These critical controls will be identified when the CMMC 2.0 rule is published. With the implementation of CMMC 2.0, the Department intends to allow companies to receive contract awards with a Plan of Actions and Milestones (POA&M) in place to complete CMMC requirements. The Department’s intent is to specify a baseline number of requirements that must be achieved prior to contract award, in order to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline. The Department also intends to specify a small subset of requirements that cannot be on a POA&M in support of achieving a CMMC certification.
      • Allows the use of POA&Ms
      • Highest weighted requirements cannot be on POA&M list
      • DoD will establish a minimum score requirement to support certification with POA&Ms
  1. How would a company deal with operational requirements where full CMMC implementation breaks required system functionality?
    1. The sole purpose of CMMC assessments is to verify that information systems used to process, transmit, or store DoD CUI are fully capable of meeting the information security requirements in other FAR and DFARS clauses. In the case of DFARS 252.204-7012, this means providing “adequate security” to the standard described in NIST SP 800-171. The controls assessed under the CMMC model are NIST controls and are deemed necessary to adequately safeguard DoD CUI. To the extent that an information system is not able to provide adequate information security, DoD CUI should not be processed, stored, or transmitted in or on that system.
  1. Can companies leverage the commercial instance of cloud offerings, or do they have to leverage the FedRAMP instance (if available)?
    1. In accordance with DFARS 252.204-7012 (b)(ii)(D), companies can use commercial instances of cloud offerings as long as the cloud offering meets security requirements equivalent to the FedRAMP Moderate baseline and as long as the provider meets the requirements of paragraphs (c)-(g) of the clause. Please refer to question #115 of the responses to industry comments regarding the DFARS implementation of 204.73, which addresses equivalency of cloud service provider security requirements to FedRAMP “Moderate.” The Q&As can be found at https://dodprocurementtoolbox.com/cms/sites/default/files/resources/2021-11/Cyber%20DFARS%20FAQs%20rev%203%20%207.30.2020%20%2B%20correction%2011.23.2021.pdf

Implementation

  1. How will CMMC apply to non-US companies?
    1. The DoD intends to maintain its existing cybersecurity requirements (as defined in FAR 52.204-21 and DFARS 252.204-7012), and enforce them where applicable. The DoD will continue to engage with our international partners regarding mutual agreement on necessary cybersecurity standards, and will ensure that foreign companies that support U.S. warfighters are equipped to safeguard FCI and CUI.
  1. What is the Department’s intent regarding acceptance agreements between CMMC and other cybersecurity standards and assessments?
    1. The Department is considering other standards acceptance, where appropriate, to satisfy CMMC requirements.