NeoSystems Corporation

October 24, 2024 “The Wait is Over…The Final CMMC Rule Explained” Webinar – Q&A

We received many questions during the October 17th “The Wait is Over…The Final CMMC Rule Explained” webinar presented jointly by NeoSystems, Holland & Knight, and FutureFeed. Our speakers answered the questions below. Please let us know if you have any additional questions regarding the CMMC rule or if you require assistance with your CMMC compliance strategy.

This webinar “The Wait is Over…The Final CMMC Rule Explained” and responses to the questions submitted are provided as a public service. The content is intended for informational purposes only and is not intended to, nor does it, constitute legal or business advice.  By providing this information, we are not acting as your lawyer.  There are many subtleties to these topics that cannot be comprehensively addressed in a webinar.  You are strongly encouraged to contact a competent attorney before taking any action.  All content and opinions are strictly those of the presenter and are not representative of any presenter’s employer(s), affiliated entities, clients, or their associates.

Question | Name | Answer

Hello from Seattle, Washington. Can we have copies of the webinar and presentation slides? A Sec Links to the webinar presentation slides and Q&A responses are below:
·      Webinar Presentation Slides
·      Webinar recording
When will the 7 year rollout begin? J Wal The seven-year rollout will begin after the 48 CFR rule is final, which is likely to be Q1 or Q2 of 2025.  The 48 CFR rule enables contracting officers to include CMMC requirements in solicitations and contracts.
How can we find a local certifying body or auditor? P Gra You can find authorized CMMC 3rd party assessment organizations (C3PAO) on the Cyber AB Marketplace
It looks like the final rule states that security protection tools do not themselves need to be FedRAMP unless they’re handling CUI.  Does this mean that non-FedRAMP versions of tools like Okta and Cloudflare can be used to meet CMMC 2.0? T Mit That is correct. However, they do need to satisfy the NIST 800-171 controls that they assume responsibility for in their Shared Responsibility Matrix (SRM).
If I am CMMC Level 1 compliant and a DoD entity, prime or subcontractor sends me CUI, what’s the suggested approach to handling it?  Delete, contact sender and tell them we don’t have a system that can process CUI? J Kr This is considered a “spill” and it should be reported to the sender and DoD.  DoD has created training that addresses this.  You can find it here:
May I please get a copy of this presentation. Send to mjones@t-m-a.com. Thank you. M Jon Links to the webinar presentation slides and Q&A responses are below:
·      Webinar Presentation Slides
·      Webinar recording
We’re shooting for CMMC L2 compliance since we handle CUI. Are our subs (companies with 5 or 10 employees) expected to also be CMMC L2 certified, as it seems to be stated in CMMC? Is that a realistic expectation? S Cob If you exchange CUI with your subcontractors, you are required to flow down DFARS 252.204-7012 and they will need a CMMC L2 certification or, in some limited circumstances, a CMMC L2 self-assessment.
Am I missing something…I printed out the rule and it was 146 pages (83092 thru 83237). S Cob The formal copy in the Federal Register omits some of the responses to comments.  The pre-publication copy is the longer version and includes all of the background information.  So, you’re on the right document for most people.
Can someone speak to why CUI is ONLY a concern with DoD and not Civilian and IC? J Anz It isn’t.  All federal agencies are concerned with CUI.  DoD is just ahead of the other agencies in creating a program to manage it.  There is a forthcoming “FAR CUI Rule” that will push more of the agencies to adopt programs closer to DoD’s.
Will you be able to provide an analysis of the rules and how it impacts the vendors and service providers? J Cha We discussed how the rule affects service providers (ESPs including Cloud Service Providers, Managed Service Providers, and Managed Security Service Providers) during the presentation.  I am not sure to which “vendors” you are referring, whether they are vendors to the DoD or vendors to an OSC, and what goods or services they provide. Different answers for each of those.
Where is the pre-publication document available? E Bue You can find it here.
When would assessments actually begin? B Wil Assessments can begin when the 32 CFR Part 170 rule becomes effective on December 16, 2024.
I keep hearing that Security Protection Data no longer requires FedRAMP. Page 83153 of the Federal Register includes this: Section 1.1 of NIST SP 800-171 R2 states: “The requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components. Security protection data requires protection commensurate with the CUI it protects and is based on how and where the security protection data is stored. The FedRAMP requirements for handling security protection data is therefore the same as that for handling CUI.” M Sem If a cloud service does not store, process, or transmit CUI, whether it stores, processes, or transmits SPD or not, it does not need to meet the requirements of the FedRAMP Moderate baseline.
What are your thoughts on the timing that Primes would start flowing down CMMC to its supply chain? B Tan Some large primes sent letters to their subs 60 days after the CMMC 1.0 Interim rule was published in 2020 asking that they be compliant within 90 days. While past performance is no guarantee of future performance, expect primes to request their subcontractors to be certified ahead of a specific DoD need.
So, does SPD require FedRAMP if it is protecting CUI? M Sem If a cloud service processes, stores, or transmits CUI, it needs to satisfy the requirements of the FedRAMP Moderate baseline, whether or not it also processes, stores, or transmits SPD.
I thought CMMC went into effect when it was published this week…that it is contingent upon other rules being finalized nor any type of Congressional approval…is that not correct? S Cob The rule published last week goes into effect 60 days after its publication date, on December 16, 2024. C3PAO assessments can begin at that time.  The 48 CFR rule needs to be completed, however, before CMMC requirements can be added to solicitations or contracts.  There are also pending updates to various DFARS clauses.  Expect all to be final and effective end of Q1 or early Q2 2025.  Congress has 60 days to review a regulation under the Congressional Review Act, but it rarely takes action against a regulation.
Is the DoD the only agency that requires this rule? And for any type of work? R Gis The requirements to satisfy NIST 800-171 requirements will apply to all DoD contractors and subcontractors that store, process, or transmit CUI for all federal agencies once an in-process FAR rule is final in 2025.  We believe that other agencies are likely to adopt CMMC or similar enforcement mechanisms in the future.  Other agencies have their own cybersecurity requirements.
Is OT (Operation technology on the factory or shop floor) still excluded? C Pet It depends on the CMMC level.  OT and IoT are considered Specialized Assets.  At Level 1, Specialized Assets are excluded (i.e., out of scope).  At Level 2, Specialized Assets must be inventoried in your System Security Plan and you must detail how they are managed using your risk-based information security policy, procedures, and practices.
How will we know whether a CMMC L2 (Self) will be sufficient for a work request or contract or whether a CMMC L2 (Certification) will be required? S Cob The requirements (the CMMC level and whether a C3PAO assessment or a self-assessment will be required) will be contract-specific.  The requirements will appear in the solicitation and in the contract.
Do you see any scenario where the submittal of incidents via (DFARS) 252.204-7012 will require a recertification or revocation of certification for CMMC? J Sea That is not expected unless an investigation reveals a contractor failed to institute controls.
What determines those percentages 5 versus 95 z ost The DoD will determine whether a self-assessment or a C3PAO assessment is required for a government contract. The DoD has not provided guidance regarding how this will be determined.
Sounds like someone trying to segment the organization between FCI and CUI will be creating an auditors dream of having to do two paid CMMC assessments? I Mac Only the CUI environment is subject to the 3rd party assessment requirements.  The organization would self-assess and attest to compliance for the FCI environment.
Isn’t Level 3 CUI Specified (CUI//SP-XX) vs Level 2 Basic? O Fre No.  NIST SP 800-171 is the minimum requirement for all CUI, including CUI Basic.  When it comes to CUI Specified, you must implement not only the requirements in NIST SP 800-171 but also those specified in the corresponding law, regulation, or government-wide policy that made the information CUI.
Level 3 will effectively create a new form of CUI Specified that, rather than incorporating bespoke requirements, pulls requirements from NIST SP 800-172.
How is it determined if CUI is “highly sensitive”? M Mar This is still being determined by DoD.  Currently, it appears that Program Managers will have the authority to make that determination.  However, it should be noted that even when CUI is designated as Highly Sensitive and triggers the CMMC Level 3 requirements, only the prime contractor must be CMMC Level 3 (DIBCAC) certified.  Subcontractors who handle CUI will only need to meet the CMMC Level 2 (C3PAO) requirements.
How can DFARS change the definition of CUI? Isn’t the definition defined by NARA? W Luk DFARS does not change the CUI definition, but the current version of DFARS 252.204-7012 does create some circularity.  It defines CDI as CTI + other CUI.  That inconsistency has been pointed out to DoD as part of the public comments to various rulemakings (and will continue to be driven home).  You are encouraged to also bring that issue to their attention as part of the rulemaking process, specifically when the revisions to DFARS 252.204-7012 are published (if they still contain the inconsistency).
Level 2 assessment: how is that 5% require ONLY self-assessment are identified? N Tho The DoD will determine whether a self-assessment or a C3PAO assessment is required for a government contract. The DoD has not provided guidance regarding how this will be determined.
Is there a timeline for when NIST 800-171 Rev3 will be required? Should organizations start preparing for it? Rev3 labeling is vastly different from Rev2, especially with all the withdrawn practices. Will CMMC come out with a separate labeling system again? P Lin There is no timeline for the adoption of NIST 800-171 Revision 3. There is a great deal the DoD, the Cyber AB, and the CAICO will need to do to make the change, including assessor re-training, assessment guides, etc.  A similar change affected FedRAMP when NIST 800-53 went from Revision 4 to Revision 5.  It took more than 3 years for FedRAMP to adopt Revision 5 after it was released. Finally, since NIST 800-171 Revision 2 is specified in the 32 CFR 170 rule, a rule change will be required.
If a company has a DIBCAC cert for 800-171, is a C3PAO assessment necessary?  Is there a path to a C3PAO cert that is less expensive than a first-time C3PAO cert?  Secondly, will companies that have achieved a DIBCAC 800-171 cert be required to meet the CMMC date or will the company be allowed some consideration due to the DIBCAC cert?  The assumption here is that an 800-171 DIBCAC cert has enough validity to ensure the “certified” company has satisfactorily met the “high risk” CMMC controls. T Tho These questions require a very nuanced answer.  Your best bet would be to review 32 CFR 170.20 here for the details.  In short, if: a) the scope is the same; b) the assessment was a DIBCAC High assessment that resulted in a 110 score; and c) the assessment occurred less than three (3) years ago, then DoD will give the OSC a status of Level 2 Final (C3PAO) in SPRS.  However, it should be noted that no certification will be issued to the organization because DoD is not a C3PAO and cannot issue CMMC certifications. 32 CFR 170.20 includes some ambiguity as to whether all DIBCAC High assessments are eligible for the Level 2 Final (C3PAO) status in SPRS (assuming they meet the other requirements) or only those conducted under the Joint Surveillance Voluntary Assessment (“JSVA”) program.
How is ‘highly sensitive CUI’ defined? N Tho This is still being determined by DoD.  Currently, it appears that Program Managers will have the authority to make that determination.  However, it should be noted that even when CUI is designated as Highly Sensitive and triggers the CMMC Level 3 requirements, only the prime contractor must be CMMC Level 3 (DIBCAC) certified.  Subcontractors who handle CUI will only need to meet the CMMC Level 2 (C3PAO) requirements.
How did we go from the estimated 300,000 DIB companies to 80,000 or so in less than 4 years? T Lam DoD has always said that there are roughly 220,000 companies in the Defense Supply Chain, and that of them only about 80,000 handle CUI. The remainder handle FCI.
– Taiye Lambo, CMMCScorecard.com
For Level 2, do SPA/SPD assets need to meet all 110 controls?   Or do they only need to meet controls “that are relevant to the capabilities provided,” as mentioned in Table 3? C Pic As noted in Table 3 to 32 CFR 170.19(c)(1), at Level 2 and Level 3, any asset that stores, processes, or transmits SPD (but not CUI) must satisfy the NIST 800-171 requirements relevant to the capabilities provided by that asset.
How are joint ventures to be handled, especially for unpopulated JV’s?  The score for the lowest level member?   Does the JV itself also need a certification even though it is unpopulated? D Mor The information system will be the members’ information systems and not the unpopulated JV.
Does CMMC flowdown to foreign subs? C Smi Yes
Since Level 1 only requires self assessment, if the level 1 data is in a separate IT system than the CUI, won’t the level 2 CUI enclave still be assessed with the Level 1 controls included and the OSA’s actual FCI level 1 part of the IT systems only be self assessed? J Sci Yes.  The 15 FAR 52.204-21 requirements exist within the NIST 800-171 control set.  By satisfying NIST 800-171, the FAR 52.204-21 requirements are satisfied.  The CUI environment will not need to be assessed separately at Level 1.
Will other agencies, even Civilian also follow these rules for their procurement J Cha Other agencies are independent from DoD and can do things their own way.  However, it will likely be difficult for them to explain to Congress why their agency is deviating significantly from the DoD requirements since DoD is already blazing a path.  See more information here.
How does one get to be in the 5% instead of 95% of Level 2? C Smi The DoD will determine whether a self-assessment or a C3PAO assessment is required for a government contract. The DoD has not provided guidance regarding how this will be determined.
Did I just hear that a Conditional Certification is enough to be awarded the contract? D DeW A Conditional Certification is sufficient for contract award.  However, you MUST close all of the open POA&Ms within 180 days of the initial assessment or your contract could be terminated and your organization subject to other contract-related penalties from DoD (potentially including False Claims Act claims).
How will prime contractors ensure subcontractor compliance when more subcontractors are stating their information (e.g., assessment score, etc.) is proprietary. A Ste Contractors should require their subcontractors to affirm separately or through a subcontract agreement that they are compliant.
If I have the DFARS 252.204-7020 which requires SPRS and a Level 2 CMMC requirement which is published in eMASS, will I then have to get the results from the C3PAO so I can publish it in SPRS? E Mos DFARS -7019 and -7020 require contractors to conduct self-assessments and submit the resulting scores (calculated in accordance with the DoD NIST SP 800-171 Assessment Methodology) to SPRS.  Under DFARS -7021 (which pulls in the 32 CFR 170 requirements), when a C3PAO conducts an assessment, the assessment results are submitted to eMASS, and eMASS automatically transmits certain information to SPRS (see 32 CFR 170.17(a)(1)).  The OSC will separately submit an affirmation to SPRS (the content of that affirmation is TBD) (see 32 CFR 170.22).
Thank you for implementing these legal measurements, this is the kind of groundwork I hope will lead us all into a future with less corruption. A Bier While some of us may not agree with every decision made by DoD as part of the regulatory process, we agree with you that DoD should be commended for taking thoughtful and legally necessary steps for rolling out the CMMC program that has been open to public scrutiny.  This is a critical first step toward building a more secure nation.
So considering the hefty cost of the assessment being what seems to be anywhere from 40k-100k, plus all funding it takes to meet these 110 controls, the cost of everything I would imagine is going to skyrocket as well? With 70k+ companies requiring level 2, the dollar amount seems outlandish, and I wonder how that is going to affect the chain moving upwards? Not trying to sound salty per se, just throwing it out there. B Ric Others share your concern.
Will they test us on this new rule for the CCA exam or the older rule? K Pat For now, the exam is based on the older information.  Lots of work is necessary to update the training and exams to match the new requirements.
What is the process for affirmations, yes SPRS but there is nothing to say this is an affirmation. Have not seen a form to upload or sign. Has this been explained? L Fro It is forthcoming.  DoD is not asking people to attest yet since it is not a requirement.
What is a POA&M closeout? T Osb During a CMMC assessment, a C3PAO or DIBCAC may determine that the OSC is not meeting one or more requirements.  If there are a significant number of “not met” requirements (i.e., requirements that result in the creation of a Plan of Action and Milestones (“POA&M”)), the OSC will fail the assessment.
However, if the number and type of “not met” requirements meet certain attributes (defined in 32 CFR 170.21), the C3PAO or DIBCAC will record in eMASS a status of Conditional.  The OSC then has 180 days to remediate the POA&Ms.
If all of the POA&Ms have been remediated within the 180-day window, the OSC can ask DIBCAC or the C3PAO (as appropriate) to conduct a POA&M Closeout assessment.  That assessment reviews the remediation steps taken by the OSC and, if all of the requirements are now “met”, the C3PAO or DIBCAC will issue a CMMC certificate.
That 80,000 – does that include all the Research Universities and their subcontractors? E Mos Yes
Change of environment/scope – doesn’t it require the updating of the SPRS, but not a new assessment? M Bra Merger and acquisition activity may trigger a new assessment requirement.  A company’s Affirming Official should not file an annual affirmation if the system being affirmed to has changed and should instead seek a new assessment (whether it is a Level 1 self-assessment or Level 2 or 3 third-party assessment).  As described in the commentary from DoD preceding the final rule, “[a] new CMMC assessment may be required if significant architectural or boundary changes are made to the previous Assessment Scope. Examples include, but are not limited to, expansions of networks or mergers and acquisitions.”
What guidance or thresholds exist to determine if an organization can self-assess only at L2 vs needing the 3rd-party audit for L2? A Kat The DoD will determine whether a self-assessment or a C3PAO assessment is required for a government contract. The DoD has not provided guidance regarding how this will be determined.
Will companies that are L2 (C3PAO) be required to do L2 Self Assessment in Phase 1? J Sti No. The final rule says that if you have a L2 (C3PAO) certification, it meets the requirements for an L2 (Self) assessment.
Is there an estimate on when the final rule will be published for 48 CFR 204? A little more specific than Early 2025? E Bue Not really.  It all depends on how many comments they receive and how long it takes to adjudicate them.  My guess, and it’s only a guess, is that it will take DoD through the end of this calendar year.
If an OSA has active DoD contracts but none of the contracts have been identified as having CUI nor any of the DFARS requirements have been identified in the current contract language, how does the assessment scoping work when there is not anything considered within scope at this time? C Spe An organization not currently handling CUI that expects to receive an award with a Level 2 requirement would need to stand up the environment in which CUI will be handled, documenting how data will flow through that environment. They will also need to have created and be following policies and procedures that address the non-technical NIST 800-171 requirements.  You don’t need a conditional or final certification to bid, but you do need one to receive the award.
Is it a hypothetical situation as to how an OSA is set up to handle CUI and the systems/services/tools that would be used? Would the OSA simply create example network and data flow diagrams for CUI? Additionally, will there be a priority in scheduling assessments based on whether an OSA already has CUI in their environment as opposed to those who do not but are seeking assessment to be able to bid on contracts? The DoD is not prioritizing assessments.  Assessments are contracted and scheduled directly with a C3PAO.
what is the reference for the final rule? T Osb 32 CFR 170 can be viewed here.
If that is the case will the agencies cite these rules or will there be other rules created to mimic these J Cha Other agencies are independent from DoD and can do things their own way.  However, it will likely be difficult for them to explain to Congress why their agency is deviating significantly from the DoD requirements since DoD is already blazing a path.  See more information here.
I don’t understand, my last update to SPRS was a score and not the number of controls. Did this change? L Fro Individual assessment objectives are scored as “MET” or “NOT MET”.  All need to be scored as “MET” to receive a CMMC final certification.  Each objective, however, has a value of either 1, 3, or 5.  In scoring, you start with a score of 110. For every objective “NOT MET”, its value is subtracted. That becomes the score submitted into SPRS.  It can be a little confusing.
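The scoring described in this answer (start at 110, subtract the 1-, 3- or 5-point value of every NOT MET requirement) and the POA&M, Conditional and closeout sequence described in the earlier “POA&M closeout” answer are easy to get wrong by hand. The following is an added example, written for this page and not code from the presenters, DoD or any project: it computes the SPRS score from a list of findings, checks whether a Conditional result is even available, and re-scores after a POA&M closeout. The eligibility conditions it encodes (score of at least 88, only 1-point requirements deferred, SC.L2-3.13.11 allowed at a value of 3, and five Level 1 requirements that can never be deferred) are my reading of 32 CFR 170.21(a)(2), not something this page spells out, so verify them against the rule text. The requirement identifiers, weights and MET/NOT MET results in the sample data are constructed for illustration; replace them with the values from the DoD NIST SP 800-171 Assessment Methodology and your own assessment.

```python
"""Added example: SPRS score and POA&M / Conditional-status check for a CMMC Level 2 assessment.

Not code from the webinar, DoD, the Cyber AB or any project. The POA&M eligibility
rules below are the author's reading of 32 CFR 170.21(a)(2); the sample weights and
findings are constructed and must be replaced with official methodology values.
"""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110        # NIST SP 800-171 Rev 2 security requirements
MAX_SCORE = 110                 # scoring starts at 110 and subtracts each NOT MET weight
MIN_CONDITIONAL_SCORE = 88      # 170.21(a)(2)(i): score / 110 >= 0.8, i.e. at least 88

# 170.21(a)(2)(ii): only 1-point requirements may be deferred to a POA&M, except
# SC.L2-3.13.11 (CUI Encryption), which may be deferred when scored at 1 or 3.
CUI_ENCRYPTION_REQ = "SC.L2-3.13.11"

# 170.21(a)(2)(iii): these FAR 52.204-21 (Level 1) requirements may never be on a POA&M.
NEVER_ON_POAM = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})


@dataclass(frozen=True)
class Finding:
    """One assessed requirement: identifier, scored weight (1, 3 or 5) and MET / NOT MET."""
    req_id: str
    weight: int
    met: bool


def sprs_score(findings):
    """SPRS score: 110 minus the weight of every NOT MET requirement (can go negative)."""
    return MAX_SCORE - sum(f.weight for f in findings if not f.met)


def open_poam_items(findings):
    """Requirements that would have to be carried on the Plan of Action and Milestones."""
    return [f for f in findings if not f.met]


def conditional_eligibility(findings):
    """Return (eligible, reasons); eligible means the assessor may record Conditional status."""
    reasons = []
    score = sprs_score(findings)
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score} is below the 80% floor of {MIN_CONDITIONAL_SCORE}")
    for f in open_poam_items(findings):
        if f.req_id in NEVER_ON_POAM:
            reasons.append(f"{f.req_id} may never be deferred to a POA&M")
        elif f.weight > 1 and not (f.req_id == CUI_ENCRYPTION_REQ and f.weight == 3):
            reasons.append(f"{f.req_id} is a {f.weight}-point requirement; only 1-point items may be deferred")
    return (not reasons, reasons)


def assessment_outcome(findings):
    """'Final' if everything is MET, 'Conditional' if a POA&M is permitted, otherwise 'Fail'."""
    if not open_poam_items(findings):
        return "Final"
    eligible, _ = conditional_eligibility(findings)
    return "Conditional" if eligible else "Fail"


def poam_closeout(findings, remediated_ids):
    """Outcome of the POA&M closeout assessment: every open item must now be MET.

    Anything still open when the 180-day window ends means the OSC starts over ('Restart')."""
    closed = [Finding(f.req_id, f.weight, f.met or f.req_id in remediated_ids) for f in findings]
    return "Final" if not open_poam_items(closed) else "Restart"


# Constructed sample assessments (weights are illustrative, see module docstring).
SAMPLE_CONDITIONAL = [
    Finding("AC.L2-3.1.1", 5, True),        # account management: MET
    Finding("AC.L2-3.1.9", 1, False),       # privacy notices: NOT MET, 1 point
    Finding("AU.L2-3.3.3", 1, False),       # review logged events: NOT MET, 1 point
    Finding("SC.L2-3.13.11", 3, False),     # encryption in use but not FIPS-validated: scored 3
]
SAMPLE_MFA_OPEN = SAMPLE_CONDITIONAL + [Finding("IA.L2-3.5.3", 5, False)]    # MFA missing
SAMPLE_L1_OPEN = SAMPLE_CONDITIONAL + [Finding("AC.L2-3.1.20", 1, False)]    # never-POA&M item
SAMPLE_LOW_SCORE = [Finding(r, 5, False) for r in
                    ("AC.L2-3.1.1", "AC.L2-3.1.2", "CM.L2-3.4.1", "IA.L2-3.5.3", "SI.L2-3.14.1")]

if __name__ == "__main__":
    for name, sample in (("conditional", SAMPLE_CONDITIONAL), ("mfa-open", SAMPLE_MFA_OPEN),
                         ("l1-open", SAMPLE_L1_OPEN), ("low-score", SAMPLE_LOW_SCORE)):
        print(name, sprs_score(sample), assessment_outcome(sample), conditional_eligibility(sample)[1])
    print("closeout, all remediated:",
          poam_closeout(SAMPLE_CONDITIONAL, {"AC.L2-3.1.9", "AU.L2-3.3.3", "SC.L2-3.13.11"}))
    print("closeout, one item still open:", poam_closeout(SAMPLE_CONDITIONAL, {"AC.L2-3.1.9"}))
```

The point the example makes that the scoring description alone does not: a score in the high 90s or 100s is not enough for Conditional status. One open 5-point requirement (MFA in `SAMPLE_MFA_OPEN`) or one open Level 1 requirement (`SAMPLE_L1_OPEN`) turns an otherwise healthy score into a failed assessment, and a closeout that leaves even a single 1-point item open does not produce a Final certificate.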
Are we required to mark CUI documents associated with closed contracts (is this dependent on when the CUI marking requirement went into effect – in 2010 with the exec order or in 2016 with release of NIST 800-171)? S Cob CUI must be appropriately marked when created.  Legacy information (e.g., FOUO, SBU, etc.) is not inherently CUI and must be reviewed by an authorized person within DoD (or the agency “owning” the information) to determine whether it meets the requirements for CUI.  Under DoD’s CUI program (see DoDI 5200.48), only Original Classification Authorities (all CUI) and Technical Program Managers (CDI/CTI) have been delegated that authority, NOT government contractors.
That being said, if the government tells a contractor that legacy information is now CUI, the contractor must mark it appropriately.
Thanks, that was my understanding also. K Pat
Despite having the same ownership and company name, each of our locations has a separate tax ID and is technically a separate business. However, we operate one IT network and system with one IT team. Would we need separate C3PAO assessments for each business unit or one for the entire organization? J Isa Probably not – I would suggest reaching out to a C3PAO for confirmation.
Well… THE PRIME will have the bilateral negotiation. Will their subs? C Hal The prime contractor gets to negotiate with the government. The prime also gets to negotiate with their subs.  But the subs do not get to negotiate with the government.
Just to clarify, CMMC applies to DoD contracts only, not Non-DoD federal contracts? M Cai That is currently correct.  I suspect that other agencies will follow suit.  I’ve made the argument(s) for why that should be the case in a long article here.
How does this fit into Manufacturers/vendors that a contract holder is providing?  Will they require some level of CMMC as part of the flow down requirements? d gre If CUI is exchanged with a vendor or subcontractor, then the requirements of DFARS 252.204-7012 must be flowed down.
In the Holland & Knight write up on the new rule, there was a reference to Primes requiring compliance for subs prior to DoD requiring compliance.  How does this work? Can subs push back on this? E Bue Subs can push back on this, but it would have to be a point of agreement (or disagreement) between the parties.  It depends on how much the prime needs the sub and vice versa.
“Secures the environment” does this apply to MSPs? T Sau Potentially, yes.
With the new rule, are MSPs subject to CMMC compliance requirements? D Ash I’ll give you my favorite lawyer answer…it depends.  Generally, no.  But there are scenarios where the answer would be yes.
Table 4 to § 170.19(c)(2)(i)—ESP Scoping Requirements seem to contradict your Assessment scoping comments. Can you clarify. B Pat The intent was to be consistent with Table 4 to § 170.19(c)(2)(i)—ESP Scoping Requirements. Where were we inconsistent?
If I have an IoT solution, like CAD for advanced manufacturing, is this assessed? K Pri CAD systems are typically in scope because they are used to store, process, or transmit FCI and CUI.  OT/IoT systems that are controlled by the CAD systems may be in scope for the assessment depending on the CMMC Level.  This is discussed in detail in 32 CFR 170.19.  As a general rule, at Level 1 and Level 2, OT/IoT devices must be documented in the asset inventory and the OSC’s policies, procedures, and practices must demonstrate how those assets are managed (i.e., the OSC must have in place “risk-based security policies” for the OT/IoT), but the assets themselves are not assessed.  At Level 3, IoT and OT are considered in scope and will be assessed against a limited subset of the Level 2 requirements and all Level 3 requirements.
When we say could store, process, or transmit – Policy prohibits we’re talking HR style user policy – not technical controls. I Mac Generally, that is correct.  Under Level 2, Contractor Risk Managed Assets are “not intended to” process, store, or transmit CUI and there is a policy that says that the asset must not be used for that purpose.  However, those assets are not physically or logically isolated from the other assets that are in scope for the assessment, meaning that the CRMAs could, in theory, handle CUI.  To account for this, the CMMC assessment includes a review of the policy (and any related documentation) and its implementation in the environment.  If the assessment team agrees that the approach is reasonable, then it should be fine.  If the OSA’s risk-based security policies, procedures, and practices documentation or other findings raise questions about the CRMA assets, the assessor can conduct a limited check to identify deficiencies.
Is there a tool or checklist that determines what level our programs are at for the purposes of CMMC? R Che No.  DoD has said that going forward, contracts will specify the level of CMMC required for the contract.  As a general rule, if you are a DoD contractor, you need CMMC Level 1.  If you handle CUI, you need Level 2, and most likely Level 2 (C3PAO).  If you are a prime contractor on a critical system (e.g., helicopter, fighter jet, etc.), you would probably want to expect to be at Level 3 (DIBCAC).
Hope that helps!
Can you speak about costpoint/financial system with FCI. T Ema Questions concerning Costpoint are best directed to Deltek.
I’ve heard conflicting opinions on whether accessing a secure enclave via virtual desktop interface (VDI) is acceptable as a solution to meet CMMC L2 requirements.  Some say it’s OK, some say that because I’m VIEWING CUI on a computer, the computer that I’m using to connect to the secure enclave is now in scope and so too is the network I’m using to connect to the secure enclave.  Any input on this topic? J Kra I believe we covered this, but the short answer is that the final rule says the endpoint is out of scope as long as only K/V/M is being streamed down to the endpoint.  Printing, copy/pasting, etc. has to be disabled.
What about CSPs if they are FedRAMP Moderate? Are they outside the assessment scope? J Bau A CSP that stores, processes, or transmits CUI is in scope. The requirement is that it has a FedRAMP Moderate or higher ATO OR has demonstrated FedRAMP Moderate equivalency per the DoD CIO’s published requirements.
Is there any documentation that states what information is included in CUI? A Kau Yes.  The best resource is the CUI Registry.
Is G-Code considered CUI? S Cob Yes, it can be.
How is the 180-day remediation window for Conditional Level 2 or Level 3 status enforced, and what flexibility exists for organizations unable to meet remediation deadlines? J Hut There is no flexibility.  If POA&Ms are not closed out and re-assessed as “MET” within 180 days, the OSC must restart the process.
How do we find FCI when there are no labeling requirements and the definition is so vague? I Pri The general rule is that if it is not public, it’s FCI.
Can we tell our customers (DoD prime contractors) that if what they give us is not marked CUI then we will not be held liable for not treating it as CUI? S Cob That is a legal question and we cannot offer legal advice as part of the webinar.  Your best bet would be to consult with a qualified government contracts attorney, and especially one that has been actively following and involved with the CMMC program.
What are the options if the USG “overmarks”? J Jay Each agency is supposed to have its own program for “challenging” CUI markings (see 32 CFR 2002.8(c)(13) and 2002.50).  DoD’s approach is not well documented, but their CUI program management office can be reached here and any questions can be directed there.  CUI should not be sent to that E-mail address; instead, ask them about the process for initiating a challenge.
Can mitigating controls be deemed as an “Enduring Exception” if documented correctly? Or will a DoD waiver still need to be approved in these instances? D Mor Mitigating controls are not an Enduring Exception.  Under 32 CFR 170.4(b), an Enduring Exception is “a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible. Examples include systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT. No operational plan of action is required but the circumstance must be documented within a system security plan. Specialized Assets and GFE may be enduring exceptions. (CMMC-custom term)”.  Similarly, under 32 CFR 170.24(b)(1)(i), “Enduring exceptions when described, along with any mitigations, in the system security plan shall be assessed as MET.”
Put more simply, Enduring Exceptions will typically require the implementation of a mitigating/compensating control, but the use of a mitigating or alternative compensating control does not qualify as an Enduring Exception.
If we create CTI for a DoD-related contract with a DFARS clause 7012…that is CUI, correct? That slide you just talked about implied it is not? S Cob If a contractor creates information under a contract with DoD that DoD has designated as CUI, that information is CUI.  This is true for CTI or other forms of CUI.  However, if the contractor creates that same information on their own (i.e., not under a government contract), that information is not CUI.  It may still be subject to export or other regulatory controls, but it is not CUI.
If no CUI is stored on a company’s corporate network, but an employee’s corporate laptop (storing CUI) connects to the network (e.g. wifi) for internet access, is the company’s network in scope for assessment?  If so, then wouldn’t remote employee’s home networks be in scope when connecting their corporate laptop to their home network? J Alt Yes, under Level 2 and Level 3, anything on the same network will be in scope unless it is a Contractor Risk Managed Asset.  The device needs to be physically or logically separated from the other devices for them to be out of scope.  Many organizations use VPNs and strict device-level firewalls to create the logical separation when it comes to device utilization outside the corporate network.
In the example you gave of bank account info, what about the data of subcontractors? D Mor Your subcontractors’ bank account information is not CUI because it was not collected in performance of a government contract.  You have that because they are your subcontractors and it is a necessary part of doing business.  By contrast, if the government gave you that information, or if the government were paying you to go collect bank account information from a group of people/companies, then that information would be CUI.
Will the Program/Contract Officers be undergoing some 32 CFR education for data labelling requirement? A Sec They should be.  I am hopeful that Defense Acquisition University will create additional training though I have not heard anything definitive yet.
When the government returns the data it is now marked as CUI, even if it is our data. Won’t that cause either a large duplication of data or a misunderstanding when handling OUR data now marked CUI by the Government? J Mye Yes.  This is a fundamental issue with the CUI program.  When the government receives your information, you absolutely want them to mark it as CUI because you want them to safeguard it properly. And if they give it to someone else (e.g., another contractor who is doing other work for the government), you certainly would want the recipient to handle it as CUI.  But when they give your information back to YOU, you do not need to treat it as CUI since it is your own information.  NARA even covers this scenario in their CUI FAQs.  This is especially true if you’re only otherwise handling FCI; receiving your own information from the government should not open new obligations for you.  If this is something that you believe is likely to occur in your organization, your policies can/should draw careful distinctions on this, and you should ensure your teams are properly trained.
Contractor info created from CUI could be CUI, no?  So the contractor info could in fact be CUI, or am I way off here? J And Information a contractor creates under a contract with the government can be CUI.  Information the contractor creates outside of a contract with the government is not CUI.  The information may be subject to other legal/regulatory requirements (e.g., protection of PII or export controlled information), but it is not CUI.
Does that now mean that all cyber logs are required to be in a FedRAMP cloud? M Ste NO. Logs are SPD and do not require a FedRAMP environment.
So is the SSP now considered SPD because it has sensitive data about the system protecting the CUI? L Mor It depends on what you put in the SSP vs supporting/ancillary documents.  If you put the SPD in the SSP, then yes.  If the SSP largely references information in other documents, then the SSP may not be SPD.
Can you list the books by title? L Fro Sure!  The CUI books Jim Goepel has written are:
* CUI Fundamentals – This provides an overview of the CUI program and is suitable for most government contractors.
* CUI Informed – This is written for compliance/legal professionals who need to understand the nuances of the CUI program.
* CUI Handbook – This is a collection of many of the frequently-referenced laws, regulations, and policies that are relevant to the federal CUI program and DoD’s implementation of it.
All of the books are available at BarnesAndNoble.com, Amazon.com, and other booksellers, or they can be ordered online at https://CUIInformed.com.
For SPD, does it need to meet the 110 requirements and be tracked in the SSP or just protect it well? J Mon The final rule treats SPAs and SPD separately.  Security Protection Assets (Assets that provide security functions or capabilities to the OSA’s CMMC Assessment Scope) must be assessed against all of the NIST SP 800-171 requirements that are relevant to the capabilities provided.  SPD only comes into play when evaluating whether and to what extent an external service provider is in scope (see Table 4 to 170.19(c)(2)(i)).
Upon receipt of documents where a Prime just slapped CUI in the header and footer, but which don’t have the required marking, how is this viewed during an audit? J Mul Assessors are not looking at specific documents, they are looking at the structure and implementation of your information security program.  In fact, there is really no reason for an assessor to ever see CUI during an assessment.
A CSP that only handles SPD (not CUI) is not required to be FedRAMP Moderate Authorized…correct? S Cob Correct.
If DoD does not mark something as CUI, do we need to review the content or is it safe not to worry? A S The goal of the CUI program is to ensure that recipients properly safeguard the government’s sensitive information.  Under 32 CFR 2002, the creator of information must ensure that information is properly marked as CUI before it is disseminated.  Thus, if DoD or another federal agency is providing information to a contractor that is not marked, there is a presumption that the agency has performed the appropriate analysis and it is not CUI.  However, if a recipient suspects that the information is CUI, they are under an obligation to ask the disseminator or the disseminating agency and to treat it (but not mark it) as CUI until told otherwise.  After all, the reality is that we’re all human and DoD’s personnel will make mistakes just like the rest of us.
Does a parent company that provides the ERP, etc., but does a different line of work become an ESP? C Bur Reading the rule carefully, the answer is “YES”. And if CUI is stored, processed, or transmitted by that ERP, then it would need to meet the requirements of the FedRAMP Moderate baseline. This is likely to cause an issue for larger companies with shared IT services.
I want to clarify my question, for a company that would be considered a L2 (needing a 3rd Party Audit), but who hasn’t yet gotten certified. Should they expect to be meeting Level 2 and doing the Self Assessment by the time Phase 1 begins in order to be considered meeting compliance of Phase 1 in order to win contracts in that Phase period. J Stit Not exactly. Not every DoD solicitation or award during Phase 1 will have a CMMC requirement. The same is true in Phase 2 and Phase 3, though ultimately at the end of the rollout every contract will.  If your contract has CMMC requirements, then you need to have a Conditional or Final certification at the time of award.
That said, the DFARS 252.204-7012 still applies and requires that you satisfy NIST 800-171, and DFARS 252.204-7019 still applies which requires submitting a score into SPRS.   If you are expecting an award during Phase 1, and if that contract does have the CMMC requirement, then you will need to have completed a self-assessment in order to receive the award.
I was always told that ITAR technical data is “likely” CUI.  This would include the formulas, procedures, and QC specifications we use internally to make our products.  We generally don’t provide this data to our customers (DIB primes) as it’s proprietary data.  The exception is a certificate of analysis. This is data we create and send to our customer. J Etz Whether ITAR-controlled information is CUI will depend on the circumstances under which the ITAR-controlled information was created.  Information is CUI if it was created or received for or on behalf of the government under a contract.  So, if a person creates a new form of munition under their own funding, the drawings and other information about the munition cannot qualify as CUI since it was not created for or on behalf of the government.  However, the drawings and other information about the munition will likely still be subject to export controls.
Are most of the mainstream Service Providers familiar with and easy to get a Shared Responsibility matrix from? R Wel They should be.  I suggest you be wary of a service provider that does not have an SRM.   A service provider that understands the NIST 800-171 requirements and their obligations should have a SRM.
If our MSP only handles internal company data and hardware, and all of our CUI is accessed via virtual desktop from a cloud environment, is there any reason for them to get anything beyond CMMC Level 1? j cos If no CUI exists outside the VDI and no CUI exists in the endpoint from which the VDI is accessed, then the endpoint is not in scope.  There are non-technical Level 2 requirements that you will have to meet such as performing background checks and providing training before an employee is granted access to CUI.  Said differently, you may need a Level 2 certification, but the scope will be limited.
regarding SPD, what about our customers who have their own security requirements from their suppliers, and are asking to see their suppliers security policies? This is happening with several of our customers wanting to see our policies. K Hol Your customers may have additional compliance requirements, including other security requirements, beyond the need to have a CMMC Certification.  So, in some cases the request may be justified.  However, as a practical matter, sharing your SSP should be discouraged.  Try asking them for a copy of their SSP and supporting documentation before you’ll share your SSP with them, since you need to be confident that they can safeguard your sensitive information.  As a practical matter, once you have a CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) certification, the customers should accept that in lieu of your SSP.
MSPs as ESPs become part of the Supply Chain so logically they should be subject too. J Cha The final rule removed certification requirements for ESPs that are not CSPs.  As presented, this creates risk as not all MSPs are capable of delivering services that satisfy NIST 800-171 requirements.  And while NIST 800-171 is focused on data confidentiality, MSPs should be held accountable for data integrity and data availability.  Again, OSCs need to understand the risks and choose MSPs accordingly.
If I need to meet CMMC level 1, does my ESP/CSP that hosts my ERP also need to meet CMMC level 1? M Car If only Level 1, then “no”
Security Protection Assets – do all 110 controls apply or a subset based on the security being provided by the asset? If a subset, is that outlined by the final rule? M Mic The final rule treats SPAs and SPD separately.  Security Protection Assets (Assets that provide security functions or capabilities to the OSA’s CMMC Assessment Scope) must be assessed against all of the NIST SP 800-171 requirements that are relevant to the capabilities provided.  SPD only comes into play when evaluating whether and to what extent an external service provider is in scope (see Table 4 to 170.19(c)(2)(i)).
If you are using an AI tool to review documents with CUI, does it have to be served up from a FedRAMP cloud? T Ben If the CUI is “shared” with the cloud service, that is, if the AI tool processes, stores, or transmits CUI, then it must meet the requirements of the FedRAMP Moderate baseline.
Is a contractor with CUI required to have a SIEM? P Tar They are required to analyze logs. They can do this using a Managed Security Service Provider or a Managed Service Provider that provides log analysis services using their own SIEM.  If you have a SIEM, you must also have the capability to use it to analyze logs.
May want to correct a statement about FedRAMP and DoD.  FedRAMP is a federal program and not DoD specific.  A FedRAMP sponsor can be any US government agency. R McV You are correct. FedRAMP is a federal program. If we said otherwise, it was an inadvertent error.
What controls need to be met for the in-scope IoT assets? K Pat IoT assets only need to be inventoried.
I thought I heard SPD could be subject to the same controls as CUI. If I have a Vulnerability Scanning tool that is a Security Protection Asset, does that mean the Scan Reports would be considered SPD and be subject to the same controls as CUI assets? D Mor The final rule treats SPAs and SPD separately.  Security Protection Assets (Assets that provide security functions or capabilities to the OSA’s CMMC Assessment Scope) must be assessed against all of the NIST SP 800-171 requirements that are relevant to the capabilities provided.  SPD only comes into play when evaluating whether and to what extent an external service provider is in scope (see Table 4 to 170.19(c)(2)(i)).
If the MSP does not process, store or transmit any CUI, but may have access to the client environment to support users? D Ash In this case the MSP is only a Security Protection Asset, not a CUI Asset.
Do we need to get certification from the Cloud Service Provider for the final assessment? A Kau If the Cloud Service Provider stores, processes, or handles CUI, then you are responsible for obtaining their body of evidence documenting that they satisfy the requirements of the FedRAMP Moderate baseline, and you must have this body of evidence available for the C3PAO assessment team.
What is in place to ensure Primes/higher-tier subcontractors are not just flowing down a Level 2 (C3PAO) requirement on all of their gov’t contracts? E Bue The best thing you can do is see what type of information you will be receiving and insist on the proper level requirement off of that.
Pretty sure final rule states that if an MSP stores, processes, transmits or has access to CUI they have to achieve same level of CMMC certification as the OSC. Might want to double-check that. S Cob This requirement appeared in the Proposed Rule (12/26/2023) but was removed, unfortunately, from the Final Rule
How long do you anticipate it takes for a C3PAO to conduct the assessment once he/she starts the process? J Jay It depends on what you mean by “starts the process” and how complex the environment is.  For a fully virtual environment (i.e., VDI enclave), the assessment would involve:
* a preliminary discussion a few weeks before the assessment during which scoping and other details are discussed and the assessment team requests certain documents (e.g., SSP, supporting business practices (policies, procedures, evidence of compliance, etc.), network diagram, data flow diagram, etc.)
* once the documents are received (typically 2 weeks before the assessment), the assessment team will begin reviewing the documents
* most assessments are scheduled over the course of a single week, though some will be longer depending on the complexity of the environment, any necessary travel, etc.
* after the assessment is complete, the assessment team finalizes their report and it is sent to a Q/A person at the C3PAO for review before it goes to the OSC and DoD.
So, from the C3PAO’s perspective, their assessment team is likely to be actively working on your assessment across at least 3-4 weeks, though there is some initial legwork before that.
Where do we find questions a C3PAO will ask during an assessment interview? P Eng The assessment is an open book test.  The assessment objectives and how they will be tested appear in NIST SP 800-171A Rev 2.
I’ve not heard the term “Traceability Matrix” before.  I found a “Shared Responsibility Matrix” on cmmcaudit.org, but not much on a traceability matrix.  Can you please elaborate on this particular matrix? M SMI A traceability matrix is something an organization should prepare to help the assessment team find what they need to assess each assessment objective. Typically, this is a spreadsheet with one row per assessment objective.  The columns refer to the relevant policy(ies) and procedure(s) for the assessment objective, the objective evidence, etc.  There are also tools like FutureFeed which can help with the creation of traceability matrices, SSPs, and much more!
Does every site need to be visited by the C3PAO? J Isa No, but the C3PAO will determine which site(s) need to be visited.
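The answer above describes the traceability matrix only in words. The script below is an added example (not from the webinar, FutureFeed, or any speaker) of the coverage check an organization would run over such a spreadsheet before an assessment: every NIST SP 800-171A assessment objective must trace to a policy, a procedure and objective evidence, and any row that does not is a gap the assessment team will find. The CSV columns, the policy/procedure/evidence names, and the `owner` column (which side of the shared responsibility matrix answers for the objective) are assumptions; the sample rows are constructed, and only the objective identifiers follow the real 800-171A naming.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample matrix: one row per 800-171A assessment objective.
# Objective IDs follow 800-171A naming; the policy/procedure/evidence names
# and the "owner" column (OSC, MSP or Shared per the SRM) are hypothetical.
SAMPLE_MATRIX = """\
objective,requirement,policy,procedure,evidence,owner
3.1.1[a],3.1.1,POL-AC-01,PRC-AC-01,ad-user-export.csv,OSC
3.1.1[b],3.1.1,POL-AC-01,PRC-AC-01,,OSC
3.1.1[c],3.1.1,POL-AC-01,,,OSC
3.3.1[a],3.3.1,POL-AU-01,PRC-AU-02,siem-retention.txt,MSP
3.3.1[b],3.3.1,POL-AU-01,PRC-AU-02,siem-retention.txt,Shared
"""

REQUIRED = ("objective", "requirement", "policy", "procedure", "evidence", "owner")
TRACE_COLUMNS = ("policy", "procedure", "evidence")


@dataclass(frozen=True)
class Gap:
    objective: str
    owner: str
    missing: tuple[str, ...]


def parse_matrix(text: str) -> list[dict[str, str]]:
    """Parse the CSV; reject matrices with missing columns or duplicate objective rows."""
    reader = csv.DictReader(io.StringIO(text))
    fields = reader.fieldnames or []
    absent = [c for c in REQUIRED if c not in fields]
    if absent:
        raise ValueError(f"matrix is missing columns: {absent}")
    rows = [{k: (v or "").strip() for k, v in r.items()} for r in reader]
    seen: set[str] = set()
    for r in rows:
        if r["objective"] in seen:
            raise ValueError(f"duplicate objective row: {r['objective']}")
        seen.add(r["objective"])
    return rows


def find_gaps(rows: list[dict[str, str]]) -> list[Gap]:
    """Objectives that cannot be traced to a policy, a procedure and objective evidence."""
    gaps = []
    for r in rows:
        missing = tuple(c for c in TRACE_COLUMNS if not r[c])
        if missing:
            gaps.append(Gap(r["objective"], r["owner"], missing))
    return gaps


def requirement_status(rows: list[dict[str, str]]) -> dict[str, bool]:
    """A requirement is traceable only when every one of its objectives is fully mapped."""
    status: dict[str, bool] = {}
    for r in rows:
        complete = all(r[c] for c in TRACE_COLUMNS)
        status[r["requirement"]] = status.get(r["requirement"], True) and complete
    return status


def objectives_for_owner(rows: list[dict[str, str]], owner: str) -> list[str]:
    """Objectives a given party (e.g. the MSP) will be asked about during the assessment."""
    return [r["objective"] for r in rows if r["owner"] == owner]


if __name__ == "__main__":
    rows = parse_matrix(SAMPLE_MATRIX)
    for g in find_gaps(rows):
        print(f"{g.objective} ({g.owner}): missing {', '.join(g.missing)}")
    for req, ok in requirement_status(rows).items():
        print(f"{req}: {'traceable' if ok else 'INCOMPLETE'}")
```

Run against the sample, the check reports 3.1.1[b] without evidence and 3.1.1[c] without a procedure or evidence, so requirement 3.1.1 is incomplete while 3.3.1 is fully traceable. The `owner` filter is what lets the MSP prepare for exactly the objectives listed as theirs or shared in the SRM.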
Is this deck going to be available to us afterwards? T Old Yes, an email with a link to the deck has already been sent
I’m assuming this cost doesn’t represent the cost to get your system up to CMMC standards.  yes? T Tho That is correct. The cost of meeting all requirements is a function of many things including the organization’s existing cyber maturity, the complexity of its IT environment, the size of the organization, the geographic diversity, and other factors.
So, back to the “DOD may bilaterally negotiate to add a CMMC requirement to a contract [at any time] before CMMC Implementation” – the Prime, for some reason (maybe overly optimistic subs saying they are compliant) AGREES to add CMMC TOMORROW to a contract. I suspect that means it will flow down to the subs whether they bilaterally agree or not. Right? C Hal Yes, but that will be dependent on the language of the subcontract agreement and whether a prime can require something of a sub.  If it is bilateral, that can be after negotiations that also update pricing etc.
We have reduced the 470-page document to 247 pages here. P Nig
Also, we are able to use Microsoft Co-Pilot to summarize it for us. P Nig
If a company were to use non-FedRAMP approved software to perform computations as part of their work for a DoD contract, are the computations themselves considered CUI, or is only the final product classified as CUI? E Win This is one of the times when we’ll have to give our favorite lawyer answer of “it depends”.  This is highly fact-specific.  Your best bet would be to speak with a lawyer who really understands CUI and CMMC to ensure you get the “right” answer for your use case.
Will this ruling and 48 CFR end the use of JVS and allow only C3PAO audits? M Cra Yes.
What about the cost? Is the DOD talking about making up some of the cost for contractors? M D’Am DoD has said that costs should be reflected in a contractor’s rates.
GCC High is not currently FedRAMP authorized. How are companies that leverage GCC High passing assessments? C Boa Microsoft has provided an extensive body of evidence documenting that GCC High satisfies the FedRAMP requirements, even though it does not presently have an ATO
My organization only deals with processing facility visits on the DISS site, which is labeled Controlled Unclassified Information.  We don’t store or process any other CUI.  Would we really need to set up an enclave to be compliant with NIST 800-171 for CMMC Level 2? P DiS If CUI data cannot be stored, processed, or transmitted on the endpoints being used to access CUI on the DISS site, then they would not be in scope.  There are other non-technical NIST 800-171 requirements that you may need to meet, such as performing background checks and providing training before an employee can access the DISS site. You may still need to meet Level 2 at some point, but if so, the scope would be limited.
This was exceptionally helpful, thank you all ! K Pri
Thank you, very useful K Pat
If you are a supplier to the company holding the contract, must the supplier comply with these regulations? S Uhl If you receive CUI from the contractor, they are required to flow down DFARS 252.204-7012 and you will need a CMMC L2 certification.
Are we supposed to document and maintain vulnerabilities from scanners and patches in the operational plan of actions continuously? A Sec You should document all procedures and have documentation that those procedures have been followed.  This would include monitoring, patching, etc.
Thank you, gentlemen!  Solid information! M Bel
If the MSP does not process, store or transmit any CUI, but may have access to the client environment to support users, will they be included in the assessment scope? D Ash The MSP would only be considered a Security Protection Asset, not a CUI Asset.  The MSP, however, is in scope for the assessment and will participate in the assessment to address the controls they manage on behalf of the client – anything listed as MSP owned or shared in the shared responsibility matrix.