In November 2021, the U.S. Department of Defense (DoD) announced changes to the CMMC model, branded as CMMC 2.0. Many of the requirements remain the same; however, we urge you to refer to our detailed overview highlighting five key changes of CMMC 2.0 and their impacts to your organization.
The CMMC is an evolving topic. Find the answers to your frequently asked questions below. This information is current as of June 30, 2022.
A&S – Acquisition and sustainment
C3PAO – Certified Third-Party Assessment Organizations
CAGE code – The Commercial and Government Entity code
CMMC-AB – CMMC Accreditation Body
COTS – Commercial off-the-shelf
CUI – Controlled unclassified information
DCMA – Defense Contract Management Agency
DFARS – Defense Federal Acquisition Regulation Supplement
DIBCAC – Defense Industrial Base Cybersecurity Assessment Center
DoD – The U.S. Department of Defense
DoS – The United States Department of State
FCI – Federal contract information
FedRAMP – The Federal Risk and Authorization Management Program
FISMA – Federal Information Security Management Act
GSA – General Services Administration
HHS – The U.S. Department of Health and Human Services
HR – Human resources
MSP – Managed service provider
NIST SP – National Institute of Standards and Technology Special Publication
OSC – Organization Seeking Certification
PII – Personally identifiable information
POA&M – Plan of action and milestones
Prime – Prime contractor
RFI – Request for information
RFP – Request for proposal
RMF ATOs – Risk Management Framework Authorizations to Operate
SAM – The System for Award Management
SPRS – Supplier Performance Risk System
Sub – Subcontractor
What is CUI?
According to the DOD, CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A CUI Registry provides information on the specific categories and subcategories of information that the executive branch protects. The DOD also issued a memo on CUI.
What is federal contract information (FCI)?
FCI is defined as “information provided by or generated for the government under contract not intended for public release.” This is similar to CUI but without the same degree of structure and definition coming from the National Archives and Records Administration. If you do not possess CUI, it is more likely that you do possess FCI. In discussions and examples from the DOD, it appears that if you possess CUI, then you will likely be required to obtain CMMC Level 3. If you are not in possession of CUI, but as a contractor do have FCI, then you will likely be required to have Level 1.
Are HR and PII information considered CUI?
First, review the definitions and categories for CUI. As facts and circumstances apply to the CUI determination, we encourage contractors to discuss with their customers to make such judgments. It is our understanding that if PII or HR information is about DOD persons, it would likely be considered CUI, but if about the contractor’s own team, it might not be CUI. Your organization will likely want to adequately protect the two data sets in a similar fashion where feasible. The DOD also issued instructions on CUI.
If contracts are public and accessible from the internet, why are they considered CUI?
A contract alone is likely FCI and not CUI. Further, the full content of a contract is not typically posted online; what is posted is the RFP or other solicitation information. FAR 52.204-21 defines FCI as “... information not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.” CUI is defined as information that requires safeguarding or dissemination controls pursuant to and consistent with the law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, Dec. 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. Source: E.O. 13556 (adapted).
What is the availability of getting an assessment?
In CMMC 2.0 at Level 2, to complete an independent assessment, you will need to leverage a C3PAO. This is a free-market option and, assuming availability, it should be easy to engage a C3PAO. If you require Level 3, a government-led assessment, the request process and the amount of lead time required are not yet known.
How long will it take to get a CMMC?
This is unclear. As no certifications are being issued yet, it is hard to know. We also expect that when certifications occur it could take a minimum of five weeks, covering selection of and contracting with a C3PAO, fieldwork, and final issuance and approval of the certification by the CMMC-AB. It is also possible to imagine there could be a backlog of organizations seeking certifications and a waiting period to schedule the assessments. How long it takes for the organization to prepare depends on the maturity of that organization’s cybersecurity controls and the results of the self-assessments and readiness reviews it conducts. We highly encourage an organization to conduct readiness efforts to ensure it is ready for the assessment. Many organizations that think they are ready have missed critical elements related to scoping that could cause issues in achieving certification. This is why an early self-assessment is important.
How much will an assessment cost? Is the cost reimbursable?
From the beginning, the DOD said the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. The cost will ultimately depend on the level that the organization is seeking as well as the complexity, size and scale of the environment being assessed. Other factors, such as requiring an expedited assessment completed by a certain time, might also impact the costs.
If I have a third-party assessment, will I still need to self-assess?
It is not clear at this time; however, the DOD said it is considering asking contractors to confirm annually even when they have certification. Because the CMMC certification is good for three years, it makes sense that the DOD would want to have a confirmation from the contractor that its environment is still in compliance with the requirements.
My understanding is that assessors need to complete a determined number of Level 1 assessments before they can perform a Level 3 assessment. Does this mean a contractor will need to pay for two separate assessments to eventually be certified at a Level 3?
The organization can simply have one assessment completed against Level 2, and it will be issued a certification if that is earned as a result of the single assessment. That first assessment would be completed by a C3PAO. Then, if the contractor needs to obtain Level 3, it would need to coordinate with the government for that assessment. Likely this will be the DIBCAC, but the details and process for how to request such assessments have not been determined. At this time, it doesn’t appear the Level 3 assessment would cost the contractor, only the Level 2.
When is a Managed Service Provider (MSP) required to be in scope? Will they need to become CMMC certified, FedRAMP or something else?
An MSP is required to be in scope when it possesses FCI or CUI on your behalf. When you share such data with a third party, you will need to ensure it is able to handle and protect that information. If it is a subcontractor, it would likely have the requirements in the contract when you flow down the associated clauses. In that case, a subcontractor would need to achieve its own certification.
However, for vendors, you will need to carefully consider how you get agreements from them. If it is not a contractor that will achieve its own certification, then you may need to include it in the scope of your assessment and certification. If the DOD grants reciprocity to FedRAMP, then it would be part of how you can ensure the third party can properly protect the data. It is important to note that if a third party only views but does not take possession of the data, then it most likely would not be included in the assessment.
The scope guides specifically address external service providers. Those entities are expected to provide a shared responsibility matrix. This document would outline the shared nature of the 110 requirements of CMMC.
How and when will we know which contracts are in the pathfinder program?
The pathfinder program was a concept of CMMC 1.0. While it was not clearly defined, the DOD’s intention was to ensure the first wave of contracts with the CMMC requirement is a manageable number that can be handled by the assessors. Depending on the progress of the CMMC-AB in having the assessors ready and the timeline of DOD acquisitions, the specific contracts that will first contain the CMMC requirement are to be determined. The most important variable in this timing is the rulemaking. The DOD is on track to complete rulemaking in 2023, but how waivers will be used is still to be determined. After rulemaking is completed, our recommendation is to stay close to your customer and, where allowed, seek its guidance on whether CMMC will apply.
How do you comply if you're just getting started with DoD contracts? We would only set up an environment housing CUI once a project is set up. How do we achieve a basic assessment before we have an environment to assess?
You can and should develop your network and technology environment in accordance with NIST 800-171 and/or CMMC requirements. If you do not handle CUI, you can still implement the controls, policies and procedures so that you are ready to handle CUI. Having done so, you can post a score to SPRS. Doing so is required prior to being awarded a contract where your organization is going to handle CUI. Waiting to create an environment until after you are awarded a contract no longer seems to be a viable option. The good news: Security requirements are also valuable for protecting your organization's information and, therefore, certainly something even solely commercial entities could benefit from.
What time/cost savings, if any, can we leverage in obtaining CMMC if we already have a certification like ISO 27001?
It is not clear at this time. The guidance on reciprocity is not available at the time of writing and, therefore, the ability of the C3PAO to rely on the testing of the other assessments, such as ISO, is unknown. However, there is a mapping of CMMC to the other common frameworks, and efforts to implement controls or conduct self-assessments of such controls could be greatly decreased as the controls are already in place and previously evaluated during your other assessments.
How many auditors have been certified to audit Level 1, 2 and/or 3?
Please refer to the Marketplace established by the CMMC-AB.
Who are the assessors? Where can we find a list of assessors?
Baker Tilly Principal Matt Gilbert is provisional assessor No. 19. The CMMC-AB is in the process of confirming C3PAOs. When this is completed, it will post an official list of assessors and C3PAOs within its Marketplace. Initially, there is a class of provisional assessors, but eventually assessors will need to hold a requisite certification and work with a C3PAO to conduct valid certification assessments. OSCs will need to coordinate with the C3PAOs.
How do we know what level of security we need?
If you handle CUI, you are likely to require Level 2 or above. If you only handle FCI, you are likely to only need Level 1. It is anticipated that the DOD will specify in its solicitations the associated CMMC requirements.
What is the profile of the typical contractor that will need to achieve CMMC Level 3?
There might not be a set profile but those who need to obtain CMMC Level 3 will be entrusted with handling CUI of a more sensitive nature. By default, any CUI that is handled will require a Level 2 certification.
What CMMC level will I need to be? How will I know?
All indications are the DOD will specify in the RFI or RFP and/or in the contract the level of certification that is required. The DOD has implied contractors that handle CUI will at a minimum require Level 2. If a contractor does not handle CUI and only handles FCI, it will be required to only be Level 1. This will also help define the different levels primes and subs might have. DOD officials have shared examples of situations where the prime is required to be Level 2 and the subs Level 1. Our belief is that primes should target Level 2. If you are a sub, then Level 1 might be all you require, but Level 2 is not a bad investment to enable you to obtain prime or more significant sub roles on future DOD procurements where you will be required to handle CUI.
Where will the level requirements be spelled out? In the contract, tied to the program or based on the data?
CMMC will be required when a contractor is handling CUI. However, the level should be spelled out in the contract. If a contractor is not handling CUI, it will likely require Level 1. It is expected that under CMMC 2.0, the contract would say that CMMC Level X is required if you are on this program, or if you are on the program and possess CUI. In the latter case, it would allow a subcontractor who doesn’t obtain CUI to still perform on the contract with a lower-level requirement. The DOD stated, “a subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments.” So, it seems the DOD intends to allow this, but exactly how it will occur is not yet clear. Will contractors be able to decide? Will the DOD be explicit in rulemaking or the contracts?
Do we need to have one certification or can various portions of the organization be at different levels?
The concept in question here is called enclaves. A company may decide that certain basic controls such as Level 1 will be adopted for the entire organization. Then, as a contract requires greater certification, a separate lab, network, location, etc. will be defined as an enclave and be certified at a higher level. The key is to ensure the scope of your certification matches your plan and objectives for your operation going forward.
Who is eligible for a Level 2 self-assessment?
The DOD stated “a subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments.” How many programs do not involve information critical to national security? Who will make that determination? If the contracting officer is the one to make that call, do they err on the side of caution? Does making that call require more or less work for the contracting officer? Can the contracting officer decide that the prime is handling information vital to national security but the subcontractor is not? How this will work is critical and not yet explained. During its spring 2022 town hall sessions, the DOD clarified that most contractors will not be eligible for self-assessments.
NIST SP 800-171 has 110 practices that we have to self-assess against for the basic assessment. CMMC Level 1 has only 17 practices. Do we still have to self-assess for all 110?
It is unclear from the question if the contractor handles CUI. If your organization handles CUI and, therefore, has DFARS 252.204-7012 clauses, you need to self-assess against the 110 requirements of NIST 800-171, per the DOD assessment methodology. If you do not handle CUI and only have FCI, you are likely to only require CMMC Level 1. The 17 practices from Level 1 also directly align to FAR 52.204-21 and should not be a new requirement.
What happens if a prime or a subcontractor doesn't submit its assessment?
The interim rule released Sept. 29, 2020, states the new DFARS 252.204-7019 requires contractors to post a score to SPRS. SPRS, a DOD website, will capture the result of the contractor’s basic assessment. This is effectively a self-assessment against the 110 requirements of NIST 800-171 that were imposed as a result of DFARS 252.204-7012. If a contractor does not have the 7012 clause and does not envision future awards that include such a clause, it may elect not to post a score. However, if a score was not posted by Nov. 30, 2020, beginning the next day, the DOD or prime could withhold future awards. Certainly, a contractor should make every effort to establish its score and post it in order to avoid such concerns.
Where do we input our assessment? Will you need to complete the SPRS info for each CAGE code in SAM?
Assessments are to be loaded to SPRS. Organizations will have access in SPRS to input a score associated with each of your CAGE codes. Whether you choose to do so is your prerogative. If the CAGE code handles CUI and is subject to DFARS 252.204-7012, then you are required to do so to obtain future awards. However, if a CAGE code does not share a common set of systems and is not handling CUI or subject to that clause, you might elect not to post a score after your own careful consideration.
What if a company is not 100% compliant with 800-171? Should we post a score?
The requirement is not to be 100% compliant. You are required to score yourself via the DOD assessment methodology. The score you obtain should then be posted to the SPRS site. If you are not at a perfect score of 110, you will need to specify a date by which you intend to obtain such score.
Do you need to have a recent dated assessment? Our most recent assessment is dated July 2017 and we have been meeting all the controls since that time.
The assessment needs to be in the last three years to comply with DFARS 252.204-7019 and 7020. If you maintain the NIST 800-171 controls and have a strong grasp of their status, you are likely better off to update and complete a recent assessment so as to satisfy the three-year requirement. The assessment is not intended to be a lengthy process and instead is simply reviewing the 110 requirements and determining if they are implemented and scored accordingly.
Can the assessment be changed in SPRS as new security controls are added? After we upload the basic self-assessment into SPRS, can we update it as we progress in closing any of the gaps?
Yes, the contractor will have access to SPRS and can post updated scores. We strongly encourage contractors to post accurate scores and update as you make progress toward improving your security posture. A regular routine to update based on confirmed completion of items from your POA&M is a best practice.
When we self-certify on November 30, 2020 at a certain level, does that hold us to what type of third-party inspection we receive? Can we change our level? And, when should we start to schedule our final third-party assessment?
The self-certification is only to a basic score. It is the DOD’s prerogative to determine if it would like to have the DIBCAC perform a medium or high assessment. If that is requested, the DIBCAC will coordinate with your organization to schedule. There is no indication the SPRS score scope has to align to the CMMC scope. Most likely, those would need to align but certainly could have valid reasons why they might not. Until rulemaking is completed, seeking a certification is voluntary when the DOD indicates that they can start.
If we have already had a DCMA DIBCAC "medium" level assessment and we passed and received a letter stating we are compliant with NIST 800-171, is that automatically updated in SPRS? In other words, no basic assessment is required to be submitted because we have already done a higher-level DCMA assessment.
If your organization was already subject to a DIBCAC assessment, you should have obtained a score. If that score is not a perfect score of 110, then you still likely need to post a score and target date to achieve 110. Additionally, if you are aware of any changes since the DIBCAC assessment that would adversely impact your score, you should consider reflecting that as well. In those cases and/or for good measure, you should consider posting a score even if it matches that of the DIBCAC. Lastly, you should confirm a score was posted by the DIBCAC in SPRS.
How is the government deciding who will be audited?
The DOD will select, at its discretion, those contracts that are subject to medium and high DIBCAC assessments. The selection is likely based on risk and tied to critical programs.
DCMA has been conducting cyber assessments. How does this relate to CMMC?
The DCMA established the DIBCAC. It has conducted assessments, but to date, the assessments are based on NIST SP 800-171 and not CMMC. It is not officially announced if those assessments will have reciprocity with CMMC at this time but it is possible.
Do modified COTS products count as COTS? Or products?
This is a definite facts-and-circumstances-based answer. We recommend clarifying with your contracting officer, legal counsel and/or an expert as required. COTS is exempt from these requirements. It is likely the detail and specification of the modification is going to determine if the COTS exemption would still apply. For illustration, purchasing a COTS product and asking for it to be painted a certain color might not be a concern. However, if the instruction is to paint it with a special type of paint or they provide detailed drawings, this additional information could constitute CUI and, as a result, the COTS exemption would not apply.
If we only sell COTS, do we have to be CMMC Level 3 if we receive a customer's credit card information?
In the context of a commercial sale, that credit card information is not likely to be considered CUI by the DOD, which means you are likely exempt.
Does CMMC only apply to technology and materials or would it also apply to in-person and/or online services, such as language training programs?
CMMC is a requirement to protect CUI and FCI. In the example cited, the existence and details of the contract not publicly available are likely to be FCI. The list of attendees and/or the content of the course, if of a technical nature, could possibly be CUI. That resolution would need to be made in concert with the DOD, but if determined to be CUI then this contract would be subject to CMMC Level 2.
Does CMMC apply to higher education institutions, colleges and universities? Federally funded research and development centers (FFRDCs)? DoD contractors? Non-DoD contractors?
The current understanding is any organization that obtains DOD contracts will be subject to the CMMC requirements. This includes prime contract recipients and the subcontractors. If you hold a DOD contract but do not intend to obtain future contracts, then CMMC will not apply, as the CMMC requirements are prospective only.
If your organization is a grant recipient, it is our understanding that CMMC will likely apply to new grants. The key determinant is if the CMMC requirement is included by the government. The DOD is working on DFARS modifications to institute CMMC. When this language is available for review, we will have further clarity. If you are not a DOD contractor, then you are not likely to have CMMC requirements initially. However, we caution that if CMMC is successful, we believe that other agencies across the federal government will look to it as a model and similarly look to adopt CMMC in the future.
If a bid/protest happens and submissions include CUI, will the law firms representing the bid/protest need to comply?
It is our understanding that regardless of the circumstance, those who hold CUI should make careful consideration before sharing. Such considerations in the future might include verifying the recipient has the appropriate CMMC level to handle the CUI. However, if you make the data available for viewing without granting possession to that third party, you might be able to avoid the recipient needing to comply or demonstrate CMMC.
Where do the non-DoD Federal agencies (DoS, HHS, etc) stand on CMMC?
There are no formal announcements as of this time. Other agencies are talking with the DOD and paying close attention to CMMC to address their own CUI and supply chain risk management objectives. The GSA is also including references to CMMC regularly but currently, CMMC only applies to DOD.
How does this interface with RMF ATOs?
CMMC is designed to protect CUI and FCI. The scope is determined by the OSC. The scope could include systems also subject to RMF ATO processes or it may not. This determination should be made by the OSC. The organization needs to ensure the CUI it possesses is covered by the certification it has if not covered by an ATO. If leveraging the ATO, then the contractor should specify and seek needed clarification from the DOD on this situation. This is a perfect example where during the solicitation and contract negotiation process the contractor should resolve questions and applicability such as where ATO versus CMMC is required.
How does CMMC impact classified networks or prior FISMA and/or NIST SP 800-53 requirements?
If you are handling classified information or have contracts with FISMA and/or NIST SP 800-53 requirements, you are likely not impacted by CMMC for that contract. However, additional contracts or portions of your existing contract not subject to those higher requirements could require CMMC levels in the future.
How will the readiness assessment (and CMMC appraisal) work for joint ventures (JVs)?
In theory, this should have no impact on the CMMC assessment process. The JV is the OSC and would contract with a C3PAO. The OSC would need to define a scope for the assessment. If that scope is composed entirely of JV systems, the assessment proceeds like any other. If the scope includes technology from the parent or other third parties, then the assessment would need to cover not only the practices and processes in place at the JV, but also those at the parent or other third parties. If those parents or third parties are already certified to the right CMMC level or have other designations, like FedRAMP or prior DIBCAC assessments, that will likely grant reciprocity, then less effort will be required outside of the JV.
If I am a subcontractor, do I need to get CMMC as well?
Yes, if you are a subcontractor (sub) to a prime contractor (prime) that has the DFARS 252.204-7021 clause and it flows down that clause to you because you are providing solutions beyond COTS, you will be required to obtain a CMMC level as determined by the data you handle.
If a contractor determines a sub will not have access to CUI, is the contractor still required to flow down 7012 and then 7020?
This DoD document might be helpful to consider. It indicates that “the contractor shall include the clause in subcontracts for which performance will involve covered defense information or operationally critical support.”
Additionally, the interim rulemaking states, “Furthermore, CMMC certification requirements are required to be flowed down to subcontractors at all tiers, based on the sensitivity of the unclassified information flowed down to each subcontractor.”
What level of responsibility does my company have in ensuring that subcontractors are actually certified? Do we have to actually request their certification level? Where does the burden of proof lie?
Per the interim rule that goes into effect on Nov. 30, 2020, the CMMC results will be posted to the DoD’s SPRS system. You will be able to see your own score but not that of other contractors including subcontractors. Therefore, in the future it is going to be an important task to determine what level a sub possesses. The contract will not be awarded to the prime and future awards should not be made to the subs if they do not have the required certifications. In the adoption period, when a sub does not yet have a certification or the proper level, it will be imperative for the prime to understand the plans and efforts underway to obtain required certification in time for award. We advise primes to work with their subs to make sure they are on track, and potentially even review readiness efforts with them. If a sub is not on track, the prime might want to make alternative arrangements.
How much responsibility should a prime contractor assume for a subcontractor's compliance with this interim rule or later, with CMMC? What is the prime's responsibility to verify their subcontractors' basic assessment and CMMC certification level?
The prime contractor has several important requirements as they pertain to the “interim rule” (DFARS 252.204-7019-21) and its subcontractors. The first is to flow down the clause appropriately. The second is to ensure the sub has a score posted to SPRS or holds a CMMC at the correct level. Because this information is not available for the prime to see in SPRS and is only available to the DOD, it is imperative for the prime to develop a mechanism to comply. For many, this will include asking for evidence from the sub prior to award and/or completion of representations and certifications. Such “reps and certs” should be carefully constructed to ensure the environment, or scope, in which the sub completes the contract is the same as that covered by the score or certification.
Do subcontractors have to register a score in SPRS or is this just the prime contractor?
Yes, subcontractors will be required to self-assess if they handle CUI and are subject to DFARS 252.204-7012.
Will the government help primes and subs to get CMMC?
The DOD is providing information and resources to assist with the rollout of CMMC. Project Spectrum is one resource for completing the basic assessment. Small entities might be able to take advantage of Manufacturing Extension Partnership grants. Lastly, the DOD has stated the costs are allowable.
How can I continue to stay informed related to CMMC?
Baker Tilly will continue updating content on our website regularly. Subscribe to our risk advisory mailing list to receive updates and notifications about relevant events – directly to your inbox!
When will waivers be allowed?
The DOD said waivers will be “allowed on a very limited basis in select mission critical instances, upon senior leadership approval.” This statement reveals that it is not a frequent occurrence. Who receives the waivers – and how – is still to be determined. The DOD’s comments since CMMC 2.0 was released further confirmed waivers would be limited in nature. It also implied waivers would be sought by the DOD before the contract is executed or even the solicitation occurs.
What are the restrictions for POA&Ms?
The DOD denoted that “highest weighted requirements cannot be on POA&M list” and “DoD will establish a minimum score requirement to support certification with POA&Ms.” This means that the practices from NIST 800-171 that carry three- and five-point values in the DOD assessment methodology are likely not eligible for POA&M. Additionally, organizations would need to achieve a minimum score before becoming eligible for POA&Ms. Where that score is set is not known. The POA&Ms are also only an option for a limited time. It is sounding like the DOD is planning for that to be less than six months, which means a POA&M will not be eligible for most of the controls and, if used, is only good for a limited period.
Baker Tilly and CISO A&S Katie Arrington provide a CMMC update.