CMMC is here, and government contractors working with the U.S. Department of Defense need to prepare to avoid missing out on RFIs and RFPs that carry this new requirement.

Because CMMC is so new, we have compiled information into an FAQ to help our clients learn about this new certification.

FAQs about CMMC

What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award (RFPs).

Why is the CMMC being created?

The DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism that confirms appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene and to protect controlled unclassified information (CUI) that resides on the networks of the Department’s industry partners.

Will all DoD contracts include a CMMC requirement?

The DoD has previously indicated that it intends to introduce CMMC requirements into solicitations on a gradual basis starting in September 2020. We do not have any more detailed visibility into DoD’s specific plan.

According to reports in Federal Computing Week, the Department of Defense has indicated that a subset of contracts will initially be chosen for application of the CMMC requirement.

My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?

If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.

Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.

I am a subcontractor on a DoD contract. Does my organization need to be certified?

Yes, so long as your company does not solely produce COTS products, it will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowed down from your prime contractor.

Will there be a self-certification?

No. DIB companies are encouraged to complete a self-assessment prior to scheduling a CMMC assessment. Excellence in Measurement Technology can perform a gap analysis to help your organization determine where you are in relation to the level of CMMC certification you are trying to achieve.

Who will perform the CMMC assessments?

Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors that have been accredited by the CMMC-AB will perform CMMC assessments.

Currently, no assessors or C3PAOs are formally accredited or certified by the CMMC-AB. However, pre-assessments or consulting using the most current version of the standard is accepted and encouraged.

Where can I find the CMMC model?

The DoD released CMMC Model version 1.0 to the public on January 31, 2020. Although the CMMC standard is not finalized, the publicly available early drafts provide good insight for organizations wishing to get ahead of the CMMC compliance process.

Version 1.02 is now available on the Office of the Under Secretary of Defense for Acquisition & Sustainment website.


CMMC® Services

Ready for CMMC?

Excellence in Measurement Technology can help your organization prepare to get certified in CMMC with our consulting services. With our background in CMMI (which was originally created by the same parties that have developed CMMC) and the ISO 27000 cybersecurity standard, we are well-positioned to help you understand and implement the CMMC framework.

CMMC Consultation

Is your organization ready for a CMMC assessment? We offer a CMMC Gap Analysis / Pre-Assessment that evaluates your organization and identifies any gaps in its processes and practices that need to be filled to achieve your desired level of certification in the CMMC.

Contact us to schedule your CMMC Gap Analysis.

Using CMMC with Other Methodologies

We do more than just CMMC. If your organization is looking to implement CMMC alongside another methodology or practice such as CMMI, ISO 9000, Agile, Scaled Agile Framework®, Lean, or Six Sigma, we can help you integrate CMMC with other methodologies within your organization. Learn more about our CMMC multimodel approach.


Copyright 2016 © Excellence in Measurement Technology LLC & Ltd.