CMMC Compliance 101: Answers to Common Questions
The simple Google search for CMMC compliance will bombard you with an outrageous amount of marketing jargon and confusing content. As a Registered Provider Organization, Echelon Risk + Cyber can help clear the air for Organizations Seeking Compliance (OSCs) by providing the answers to common questions we are hearing in the field and in experience with past CMMC client engagements.
Q: What is CMMC and why was it created?
CMMC stands for “Cybersecurity Maturity Model Certification” and is the standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). CMMC was designed to provide increased assurance to the Department of Defense so that a DIB company can protect sensitive unclassified information and ensure secure flow down to subcontractors in a multi-tier supply chain.
Q: What is Controlled Unclassified Information?
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government.
A couple examples of CUI are:
- Personally, Identifiable Information (PII)
- Sensitive Personally Identifiable Information (SPII)
- Proprietary Business Information (PBI) or currently known within EPA as Confidential Business Information (CBI)
- Unclassified Controlled Technical Information (UCTI)
The complete list can be viewed at https://www.archives.gov/cui/registry/category-list
Q: If I am only a sub-contractor on DoD contracts, does my organization still need to be CMMC certified?
If the Department of Defense contract has a CMMC requirement you will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information passed down from your prime contractor. It is important to note that if your organization is only producing COTS Products (Commercial-Off-The-Shelf) then you are excused from being required to obtain CMMC certification.
Q: How much time do I have until it goes into effect that all DoD contracts will require CMMC certification?
The current approach for the implementation of CMMC requirements on Department of Defense contracts is being done through a phased approach. The number of contracts requiring CMMC certification is set to gradually increase until the fiscal year 2026. After the phased approach, CMMC certification will be required for all Department of Defense contracts.
Q: My organization solely provides Commercial-Off-The-Shelf Products to government identities. Do I need to be CMMC Certified?
No, if you sell a product that is not Commercial-Off-The-Shelf you do not need to be CMMC certified.
Q: If a weakness is found during my organization’s assessment, what is the time window to correct them so we can “pass” the assessment?
All Organizations Seeking Certification (OSCs) are granted a 90-day remediation period to correct any weaknesses discovered during their assessment. The assessment team must agree that the weaknesses discovered can be fixed in 90 days to proceed with a remediation assessment.
Q: Can the assessment be completed remotely due to the pandemic?
Currently, we are seeing a hybrid approach in practice for assessments. About 90% of assessments can be done virtually with onsite requirements for some controls that require viewing physical security features.
Q: How much does a CMMC certification cost? What if my organization cannot afford it?
The full cost of a CMMC certification is not clear but will likely align with the maturity level that your organization is attempting to achieve. It is important to note that certification cost will be considered an allowable and reimbursable cost on DoD contracts moving forward.
Q: How should my organization start the CMMC certification journey?
The best way to start your journey to CMMC certification is to have a conversation with a Registered Practitioner. A Registered Practitioner will be able to spearhead the analyses of CMMC maturity level that your organization will need to achieve to be compliant. The next step is to have a conversation with a Registered Provider Organization (RPO), such as Echelon Risk and Cyber, to perform a CMMC Gap Assessment. This assessment will outline your current state, the effectiveness of your existing controls, and give your organization a report detailing in what areas your business is not yet fully compliant with CMMC.