
NeoSystems Corporation

9/25/2024 CMMC Webinar for Small Business Owners and Execs – Q&A

We received many questions during the September 25th CMMC webinar for small business owners and executives presented by NeoSystems, Holland & Knight, Forvis Mazars, and Bank of America. Our speakers answered the questions below. Please let us know if you have any additional questions regarding the CMMC rule or if you require assistance with your CMMC compliance strategy.

Can you be grandfathered in for older awards that a company is participating in or can you actually lose a project you are engaged on? – C Cro 

CMMC is expected to be inserted into new contracts by DFARS clause based upon a planned rollout schedule defined by DoD. I haven’t seen anything that indicates it is being retroactive. There is the possibility it is incorporated into contract renewals, but I’m not aware of fully defined guidance on that.

 

At level 3 the C3PAO will need a TSI clearance – S Hul 

Level 3 assessments are expected to be performed by DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and not by C3PAOs. Level 3 certification assessments will be performed following a Level 2 certification assessment by a C3PAO. This is the expectation based upon the proposed DFARS rule!

 

What is the rule, just mentioned, that is expected in a day or two? – A Ste

The 32 CFR rule, fully establishing the requirements of the CMMC program, is expected imminently. The 48 CFR rule, which defines how CMMC compliance requirements are incorporated into RFPs and contracts, is expected in the coming months as well.

 

How does a contractor qualify for the joint surveillance option? – T Law 

The contractor must be aligned with a DoD contract number, either as a prime or sub, and have access to CUI. You would work with a C3PAO to coordinate with DoD on the JSVA. Scheduling is currently at DIBCAC’s discretion.

 

How can a small business get Level 1 certification with the intention of positioning for Level 2? – K Wal

Level 1s are not currently certifications, but still self-assessments. Your organization can conduct a self-assessment or work with a third-party consulting firm (not necessarily a C3PAO) to validate that the Level 1 requirements for protection of Federal Contract Information are in place.

 

How is the availability of C3PAOs any better for JSVAs as opposed to the full certification assessment schedule? – S Wat

Right now, CMMC is not a requirement, and scheduling/availability is actually up to DIBCAC. Availability of DIBCAC assessment teams is currently the limiting factor in the JSVA program.

 

Would it be advisable to schedule an assessment now, even before the final rule is released? – M San 

There is expected to be scheduling tension and a bottleneck within the C3PAO ecosystem. I would certainly suggest starting to connect with C3PAOs to determine who would work best to meet your needs and schedule!

 

What’s a good way to find C3PAOs, is there a lookup list available somewhere? – B Ber 

The Cyber AB (CMMC Accreditation Body) has a “Marketplace” on their website that lists the name and primary point of contact for all currently “Authorized” C3PAOs. It is a good starting point!

 

Will GSA schedules for technical services be modified to allow higher prices for Level 2 certified services? – H Gau 

If you mean for new GSA schedules, it is likely that the increased costs associated with CMMC implementation will be standard in that industry. For existing GSA schedules, any changes to the terms and conditions of the award, to include adding CMMC requirements, would need to be done bilaterally (the government and the contractor) and this would be a time to bring up any changes in pricing as a result of that change. 

 

Where would you go to find a C3PAO? – J Kis 

The Cyber AB website marketplace has a complete list of all currently Authorized C3PAOs with primary PoCs! 

 

Doesn’t a JSVA require scheduling a C3PAO as well as a DIBCAC assessment team? – S Wat 

Yes, you need to start with a C3PAO, and the C3PAO coordinates the JSVA candidacy with the Cyber AB and DIBCAC. It’s a three-party process, but it has become efficient over the past several months.

 

I recommend reaching out to the marketplace; it took them a couple of weeks to respond, and they only had 2 reasonable C3PAOs near me. So I’m sure this will only get busier. – B Ric

Geographic location doesn’t need to be a limiting factor. Depending upon the nature of your CUI operation, many of the assessment procedures can be performed virtually as part of the JSVA program.

 

InfoSmart is a small company that wants to go for the CMMC program; what is the easy, affordable process? – K Asi

Some of the resources Stuart is speaking about right now are extremely helpful! 

 

Is there a ‘good faith’ exclusion for the affirmation? – R Aga 

Expect affirmation by a company “senior official” to be required in all cases. 

 

Is the expectation that only new DoD contracts will include CMMC (once final), or will the DoD issue MODs to implement CMMC into existing agreements? – T Tak

That depends on the type of contract, the requirement, and the program/contracting office. Any changes to implement CMMC will need to be done bilaterally, as it is a change to the terms and conditions of the contract, but if required to be added, it would be a condition of contract extension/renewal.

 

What will it be for non-U.S. companies? – G Ker

Guidance for international assessments is still pending, but we expect it soon. International companies will be eligible, and required to comply, as well!

 

Does CMMC Level 2 require access to CUI be restricted to US Persons or is that a contractual obligation? – L Tso 

No, there is no general requirement for limitation of CUI access to US persons. 

 

What is the “official” certification checklist or process document called? – C Bra 

NIST 800-171 and NIST 800-171A are the requirements and assessment guide, which spell out all requirements and assessment procedures.

 

If no FCI or CUI is shared with subs, are they then considered out of scope? – T Tak

If no CUI is shared with a subcontractor, then the subcontractor is out of scope. The DFARS clauses relating to CMMC should not be flowed down to such subcontractors. 

 

Has it been decided by the Govt if Level 2 will have 2 options for assessment: A. self-assessment, or B. third-party audit by a C3PAO? 2. What will be the criteria to determine which option a contractor will come under? – K Chr

We expect this question to be answered in the final 32 CFR rule. Expect the solicitation to indicate whether a self-assessment is sufficient in the case of Level 2. The government has led us to believe only a small percentage of Level 2 contracts will not require a C3PAO assessment. 

 

At what CMMC security level will our entities need to be to bid on DoD contracts currently and in the near future? – L Del

There is somewhat of a chicken-and-egg scenario here. The solicitation should tell you the level required. You need to be certified at that level “at the time of award”. There isn’t enough time between the publication of the solicitation and the award to achieve Level 2 and complete an assessment. I suggest, based on the work you do or intend to do, deciding whether receiving and/or creating CUI will be involved. If the answer is “yes”, I suggest preparing for and certifying at Level 2.

 

Can you please talk about what is in scope and out of scope for small sub-prime contractors? How does this affect subcontractors vs. contractors? – C Web

The people, facilities, and IT that handle CUI or through which CUI flows are all in scope. What this specifically translates into is specific to an organization and the work they do for the DoD. In some cases, the scope can be limited to a person in an office and their laptop. In other cases, it could be all employees and the entire IT infrastructure. Start by understanding what CUI you handle and how it flows through your organization.

 

Do we know what the final scores will be for level 1 for SPRS? – D Czu 

The expectation is that all requirements of the 17 controls in scope for Level 1 are met. 

 

Have you heard the timing and extent of any agencies other than DoD having similar requirements? Do costs need to be spread across all business or can they be applied only to DoD contracts? – J Jay

Through an in-process rule change to the FAR, all agencies will require contractors and suppliers that store, process, or transmit CUI to satisfy the requirements of NIST 800-171. Expect this in early 2025. While other agencies are looking to adopt CMMC or similar programs to enforce conformance with NIST 800-171, we are not aware of any specific timelines.

 

How can I begin the process for CMMC certification?  Do you have suggestions on companies that might provide this service? – K Wal 

If you believe you have satisfied all NIST 800-171 requirements, have a current SSP, and have all documentation and objective evidence, you can select a C3PAO and schedule your assessment. Authorized C3PAOs are listed on the Cyber AB Marketplace. If you are in the process of addressing NIST 800-171, you may want to contact a Managed Service Provider such as NeoSystems or a Registered Practitioner Organization (RPO). RPOs are consultants and are listed on the Cyber AB Marketplace.

 

How do I get a provisional CAGE Code for my MSP business so I can get Certified? – M Mur 

To obtain a provisional CAGE code, register in the SAM (System for Award Management) system (www.sam.gov). You will need a Taxpayer Identification Number and a DUNS number.

 

How do I submit our self-assessment in the SPRS database for a Level 1 CMMC? We have already submitted our scores 2x over the past 4 years. Is it the same process? – M San

Any updates to the current process will be released by the DoD. 

 

How does an SB at Level 2 know if they have to self-attest AND get a third-party audit? – A Kat

This information should be included in the solicitation. Only a small percentage of contracts will allow self-assessment only for Level 2. If you are handling CUI Specified, it is safe to assume you will need a C3PAO assessment.

 

If a company has no FCI or CUI, and no active government contracts, but plans to bid on contracts in the future, how would you recommend this company prepares for CMMC? – M Col 

At a minimum, you will have FCI (Federal Contract Information) if you receive a DoD contract award. If you believe the work you hope to do for the government will involve receiving, creating, or transmitting CUI, you should plan to prepare for Level 2. If you’re unsure whether the type of work you intend to do will involve CUI, you may want to consult your attorney.

 

Looking for a single user, single “platform” solution. – S Lef 

There is an “it depends” here. Will the CUI leave a file share or collaboration platform and be used by other business applications? There are several FedRAMP Moderate or Equivalent collaboration platforms. You will still need to address the NIST 800-171 non-technical controls, many of which require having documented policies and procedures along with evidence that you are following those procedures. If you use a single platform provider, look at the SRM (Shared Responsibility Matrix) they provide and make sure you understand what responsibilities you have and what you need to do to satisfy them. There is no complete out-of-the-box solution.

 

Please explain in detail the requirements for FIPS encryption validation vs. certification, and whether this is different if the solution is on-prem vs. cloud. – M Plu

FIPS-validated encryption is an overall requirement for your technology that stores or transmits CUI. If you allow smartphones, for example, they must use FIPS 140-2 validated encryption. Connections from cloud services must similarly use FIPS-validated encryption.

 

Projected timeline for compliance for GovCon companies? – J Coo

Expect CMMC to begin to appear in DoD contracts late Q1 to early Q2 2025. The specific roll-out plan will be spelled out in the 32 CFR rule that should be published soon.

 

What data from Security Protection Systems is in scope for CUI – such as logs, metadata, configuration, etc.? – A Sar 

Security Protection Assets need to be identified in your SSP. There is a question whether Security Protection Data needs to be handled as if it were CUI. This should be resolved in the 32 CFR rule when it publishes in the near future.

 

What tools are available for an initial Self Assessment? What is the most cost-effective method for a next level assessment? – J Hei 

There are several tools available to support a self-assessment. FutureFeed, Cyturus, and Exostar Certification Assistant are examples.

 

What’s the most minimal compliance scenario for a non-traditional contractor that handles no CUI at present and has no plans to do so? – T Hol

Not sure what you mean by “non-traditional contractor”. If you have a DoD contract, assume you have FCI and will need to meet all requirements of the 17 Level 1 controls.

 

When does CMMC go Live? – L Kum 

Expect CMMC to begin to appear in DoD contracts late Q1 to early Q2 2025. The specific roll-out plan will be spelled out in the 32 CFR rule that should be published soon.
