OUR CMMC® SERVICES.
CMMC is here, and government contractors working with the U.S. Department of Defense need to prepare now so they are not excluded from RFIs and RFPs that carry this new requirement.
Because CMMC is so new, we have compiled information into an FAQ to help our clients learn about this new certification.
FAQs about CMMC
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC encompasses multiple maturity levels (five in version 1.0) that range from “Basic Cybersecurity Hygiene” at Level 1 to “Advanced/Progressive” at Level 5. The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award, with the required level stated in the RFP.
Why is the CMMC being created?
The DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism: rather than relying on contractor self-attestation, it checks that appropriate cybersecurity practices and processes are in place to ensure basic cyber hygiene and to protect controlled unclassified information (CUI) that resides on the networks of the Department’s industry partners.
Will all DoD contracts include a CMMC requirement?
The DoD has previously indicated that it intends to introduce CMMC requirements into solicitations on a gradual basis starting in September 2020. We do not have any more detailed visibility into DoD’s specific plan.
According to reports in Federal Computer Week, the Department of Defense has indicated that only a subset of contracts will initially be chosen for application of the CMMC requirement.
My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?
If a DIB company does not possess CUI but does possess Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 (the 15 basic safeguarding requirements) and must be certified at a minimum of CMMC Level 1.
Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
I am a subcontractor on a DoD contract. Does my organization need to be certified?
Yes. Unless your company solely produces COTS products, it will need to obtain a CMMC certificate. The level of the CMMC certificate required depends on the type and nature of the information your prime contractor flows down to you; a subcontractor that receives only FCI needs Level 1, while one that receives CUI will need a higher level.
Will there be a self-certification?
No. Certification is granted only through a third-party assessment. DIB companies are, however, encouraged to complete a self-assessment before scheduling a CMMC assessment. Excellence in Measurement Technology can perform a gap analysis to help your organization determine where you stand in relation to the CMMC level you are trying to achieve.
Who will perform the CMMC assessments?
Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors that have been accredited by the CMMC Accreditation Body (CMMC-AB) will perform CMMC assessments.
Currently, no assessors or C3PAOs are formally accredited or certified by the CMMC-AB. However, pre-assessments and consulting engagements that use the most current version of the standard are accepted and encouraged as preparation.
Where can I find the CMMC model?
The DoD released CMMC Model version 1.0 to the public on January 31, 2020. Although the CMMC standard is still subject to revision, the publicly available model and its earlier drafts provide good insight for organizations wishing to get ahead of the CMMC compliance process.