The latest announcement from the DoD confirms that CMMC is here and the Defense Industrial Base (DIB) needs to be ready. There are several new points of information in the interim rule released on Tuesday, September 29, 2020. One of the main points that should be carefully examined is that the rule gives the Accreditation Body the authority to conduct assessments on its own; it was not previously known that it would have such authority. Another new part of the regulation adds requirements for self-certification to National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), which serves as the basis for much of CMMC. For low-risk companies, a self-certification submitted to the government will be required, and others may need a government audit. Self-attestation to NIST SP 800-171 is already a requirement, but now the government can inspect compliance more closely.
We thought it would be helpful to supply answers to some of the most frequently asked questions regarding CMMC:
1. What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.
2. Why is CMMC being created and implemented?
DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
3. When will CMMC Model Version 1.0 be released to the public?
The DoD released the CMMC Model Version 1.0 to the public on January 31, 2020. The interim version of the DoD’s new cybersecurity regulation for contractors was published Tuesday, September 29, 2020. More information on this interim version can be found here.
4. Will other Federal (non-DOD) contracts use CMMC?
The initial implementation of the CMMC will only be within the DoD.
5. What is the relationship between NIST SP 800-171 and CMMC?
CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.
6. How will CMMC be different from NIST SP 800-171?
Unlike NIST SP 800-171, the CMMC model has five levels. Each level consists of its own practices and processes plus all of those specified in the lower levels. In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.
7. How can we certify our organization?
The CMMC Accreditation Body (AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC AB will provide the requisite information and updates on its website (www.cmmcab.org).
The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.
8. How much does CMMC certification cost?
The CMMC assessment costs will depend upon several factors to include the CMMC level, the complexity of the DIB company’s network, and other market forces.
9. Are the results of the assessment of my organization public? Does the DoD see my results?
No, the results of a CMMC assessment will not be made public. The only information that will be publicly available is that your company has a CMMC certification. The specific certification level will NOT be made public. The DoD, however, will have access to all DIB companies’ certification levels.
10. If my organization has a CMMC certification and my unclassified network is compromised, do we lose our certification?
A cybersecurity incident will not automatically cause a DIB company to lose its CMMC certification. Depending upon the circumstances of the incident, the DoD program manager may direct a re-assessment.
11. My organization does not handle Controlled Unclassified Information (CUI). Do we need to be certified anyway?
If a Defense Industrial Base (DIB) company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
12. How will I know what CMMC level is required for a contract?
The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).
*FAQ information verified here.
Infor’s Government SaaS environment is designed with the controls in place to meet the requirements mandated by the Federal Risk and Authorization Management Program (FedRAMP®) at the moderate impact level. In addition to FedRAMP, AWS GovCloud (US) adheres to the US International Traffic in Arms Regulations (ITAR), Criminal Justice Information Services (CJIS) requirements, Department of Defense Impact Levels 2 and 4, the Health Insurance Portability and Accountability Act (HIPAA), and NIST SP 800-53. Adopting FedRAMP-authorized solutions that already implement the required security practices can provide an easier path to certification at a lower cost and may even enable smaller companies to target a higher Cybersecurity Maturity Model Certification (CMMC) maturity level.
It is exceedingly important that a company evaluate its practices and procedures as soon as possible so that it is prepared for the transition and the mandatory contract requirements.
For more information on CMMC and to download valuable and free resources, please click here. There is no way around Cybersecurity Maturity Model Certification (CMMC). Godlan is ready to support you, so call 586-464-4400 or visit www.Godlan.com for further information.