NeoSystems Corporation

CMMC – Frequently Asked Questions

CMMC Compliance Services & FAQ’s

NeoSystems is proud to be a best-of-breed provider of CMMC audit preparation and compliance services for government contractors. Here are some frequently asked questions related to CMMC certification.

What is CMMC?

The Department of Defense (DoD) has announced a new program, the Cybersecurity Maturity Model Certification (CMMC). CMMC will serve as the framework for enforcing the department’s existing Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements. Those requirements (DFARS clause 252.204-7012) took effect in December 2017 and require contractors to protect controlled unclassified information (CUI) by implementing the security controls of NIST SP 800-171. CMMC will be rolled out in 2020 with the goal of improving CUI security by adding a formal, third-party audit of compliance.

The CMMC framework assigns security processes and practices to five maturity levels (Level 1 through Level 5); the higher the level, the more demanding the required security posture. It is important to note that ANY organization that does business with the Department of Defense must meet, at a minimum, all the requirements of the basic maturity level (Level 1). The previous self-assessment process is being replaced by audits performed by accredited CMMC Third-Party Assessment Organizations (C3PAOs). These assessors determine the maturity level the contractor or subcontractor has actually achieved. The CMMC program has made it a priority to keep the certification process both affordable and straightforward.

Breach Detection Assessments

One of the main focus areas of the CMMC program is breach detection, a capability that many defense contractors do not currently have in place. Businesses will be required to integrate breach detection into their established processes and governance so they can identify malicious devices, suspicious activity and other indicators of compromise. To meet this requirement, contractors and subcontractors must deploy monitoring that covers current attack vectors and protocols and can detect anomalous behavior and breaches on their networks.

It’s important to note that the need for DoD contractors and subcontractors to prove a satisfactory security posture does not go away with the Cybersecurity Maturity Model Certification program. The level a contractor is awarded is determined by which NIST SP 800-171 controls, and which additional processes and practices, it has implemented and can demonstrate; the more security practices in place, the higher the level it can achieve. The level a contractor needs, however, is dictated by the contract: the solicitation states the CMMC level required for award. Either way, contractors (both primes and subs) will still have to prove that they have implemented adequate security controls before the Department of Defense awards them a contract.

CMMC Levels

The CMMC framework consists of five maturity levels, Level 1 through Level 5, whose cybersecurity requirements become more demanding at each level. Level 1, “basic cyber hygiene”, covers the basic safeguarding requirements of FAR 52.204-21, a small subset of the NIST SP 800-171 controls plus other “best practices”. Levels 2 and 3 approximate what NIST SP 800-171 and DFARS 252.204-7012 already require: Level 2 is a transitional step, and Level 3 encompasses all 110 controls of NIST SP 800-171 Revision 1 together with additional practices outside the CUI-protection scope. Levels 4 and 5 call for the most advanced cybersecurity practices, within and beyond the perimeter of CUI protection, aimed at advanced persistent threats. Additional controls at those levels may include a 24/7 SOC, network segmentation, real-time asset tracking and initial response actions. Here is a high-level look at what contractors can expect in order to gain certification at each level:

Level 1 (Basic Cyber Hygiene)

  • Antivirus
  • FAR 52.204-21 basic safeguarding requirements
  • Ad hoc incident response

Level 2 (Intermediate Cyber Hygiene)

  • Awareness and training
  • Risk management
  • Security continuity
  • Back-ups

Level 3 (Good Cyber Hygiene)

  • Compliance with all NIST SP 800-171 requirements
  • Share threat information with key stakeholders
  • Multi-factor authentication (MFA)

Level 4 (Proactive Cyber Controls)

  • Network segmentation
  • Detonation chambers
  • Mobile device inclusion
  • Use of DLP technologies
  • Supply chain risk consideration
  • Threat hunting

Level 5 (Advanced/Progressive Cyber Protection)

  • 24/7 SOC operation
  • Device authentication
  • Cyber maneuver operations
  • Organizational custom protections implementation
  • Real-time asset tracking

Who does CMMC apply to?

CMMC applies to ALL government contractors, primes and subs, who do business with the Department of Defense: an estimated 300,000-plus organizations that will need to be certified. Previously, under DFARS 252.204-7012, contractors were allowed to self-attest to compliance, and any remaining security gaps could be documented in a Plan of Action and Milestones (POA&M). With CMMC, defense contractors must instead achieve certification through an accredited third-party assessor in order to be awarded a defense contract, and unimplemented practices can no longer be deferred to a POA&M at assessment time.

When does CMMC go into effect?

The final version of CMMC (v1.0) was released on January 31, 2020, in time to support assessor training. This version incorporates feedback collected from industry during a listening tour held in the second half of 2019. Alongside the official CMMC levels and requirements released in January, a program has been kicked off to train and certify the auditors who will ultimately perform the reviews and award the certifications.

In June 2020, CMMC requirements will begin to appear in Department of Defense Requests for Information (RFIs). Also in June, certified and accredited 3rd-party auditors will be available to begin CMMC certification assessments. Starting in September 2020, some DoD contractors will need to be certified at the appropriate CMMC level in order to bid on Requests for Proposal (RFPs).

Why is this new regulation being implemented?

Quite simply: existing cyber security measures have failed the United States. A prime example is the Chinese J-31 aircraft, which is strikingly similar to the American F-35 Joint Strike Fighter. It is unlikely that U.S. adversaries have become better innovators; it is far more likely that they have become better thieves. The NIST SP 800-171 regime relies on organizations to self-assess their security posture and then report their own compliance. Self-assessments cannot be independently verified, so a new approach is needed.

In addition, compliance is not the same as security and never will be. Compliance only requires reaching a level of implementation and confirming that the required items are in place. To address these shortcomings, and to protect sensitive information, CUI and, ultimately, national security, CMMC is a welcome and needed mechanism.

The Department of Defense is migrating to the new CMMC framework so they can assess, regulate and enhance the cybersecurity stance of Defense Contractors. CMMC will serve as a verification tool to ensure appropriate cybersecurity practices are in place. The goal is to confirm that the most basic cyber security controls are enacted to protect controlled unclassified information (CUI) used and maintained by any and all contractors supporting the DoD.

Am I compliant now? If not, how do I prepare for CMMC & achieve compliance?

No defense contractor is compliant with CMMC until it has been assessed by an accredited, independent third-party commercial certification organization and awarded a certification level; the first step is to coordinate directly with such an organization to request and schedule the audit. The assessors review the contractor’s security processes and practices. Based on the security controls in place and the contractor’s ability to demonstrate organizational and operational maturity, the contractor is awarded a CMMC level from one to five (one being the most basic security controls, five the most stringent and complex requirements). CMMC requires a company to hold the certification level stated in the solicitation before it can be awarded the contract.

What should I look for in a partner to help me achieve compliance?

When researching vendors to assist with security assessments and CMMC preparation, it is important to look for a partner who can not only assist with CMMC compliance services but who also delivers managed cyber and information security services that align with the CMMC requirements. There are many organizations that provide either advisory services OR managed security services, but it’s important to find a partner that does both, understands the government contracting industry, and who has a firm grasp of the new security regulations.

It’s also critical to work with a partner who can offer FedRAMP Moderate Equivalent hosting services, so any data you store in the cloud meets the stringent FedRAMP standard required by the government. And if your organization lacks the staffing resources to manage your networks and security on a day-to-day basis, consider outsourcing to an organization that also provides managed IT services. With managed IT services, your organization hands over the responsibility for things such as network administration and laptop maintenance all the way up to virtual CIO services.

Cybersecurity Maturity Model Certification FAQs

What organizations does CMMC apply to?

CMMC applies to any government contractor, whether prime contractor or subcontractor, that does business with the Department of Defense. This includes organizations that are grant recipients. CMMC will not apply if your organization currently holds a DoD contract but does not intend to pursue future contracts.

My organization is a subcontractor on a DoD contract, do I need CMMC?

Yes, CMMC applies to subcontractors. The level of certification your organization will need will depend upon the type and nature of the information you receive from the prime contractor.

What is the CMMC Accreditation Body (CMMC-AB)?

The CMMC-AB is responsible for the establishment and oversight of qualified and trained assessors for the Cybersecurity Maturity Model Certification (CMMC) Program.

What is Controlled Unclassified Information (CUI) data?

The DoD defines Controlled Unclassified Information (CUI) as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

Additional information on CUI is available in the DoD CUI memo and the National Archives and Records Administration’s CUI Registry.

If your organization possesses CUI, you will likely need to achieve CMMC Level 3.

What is Federal Contract Information (FCI) in CMMC?

Federal Contract Information (FCI) is defined in FAR 52.204-21 as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

If your organization possesses FCI, you will likely need to achieve at minimum CMMC Level 1.

What CMMC level will my organization need to achieve? How do we know?

CMMC levels required for prime contractors will be specified in Requests For Information (RFIs) and Requests for Proposals (RFPs). The level of certification for subs will depend upon the type and nature of the information they receive from primes.

Based on examples from DoD officials, primes will likely need to achieve CMMC Level 3, while subs may only need to obtain Level 1.

What contracts will be in the DoD’s pathfinder program? When will this information be available?

This information is not yet available and depends on the progress of the CMMC-AB. The list of contracts in the pathfinder program will likely not be released until the CMMC-AB has identified and trained the assessors. However, if your organization is expecting a DoD RFI or RFP this fall, it could be included in the pathfinder program, which would require your organization to have achieved its CMMC certification by then.

Who are the assessors for CMMC? Is there a list of assessors available?

CMMC assessments will be performed by accredited CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The DoD has not yet officially named any assessors for CMMC as the CMMC-AB is still defining the requirements and application process for assessors and C3PAOs. The CMMC-AB has stated that it will publish a public list of assessors once it has completed the standard, developed the training and certified the assessors.

What is the cost of a CMMC assessment? Will it be reimbursable?

The CMMC-AB has not yet defined the cost of a CMMC assessment, which will depend on several factors, including CMMC level and the complexity, size and scale of the organization’s network. According to the DoD, “the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.”

Does our organization need to have one certification, or can areas of our organization be certified at different CMMC levels?

According to the DoD, “When implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for a particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.” Organizations can choose to achieve a base level of CMMC for their entire organization and be certified at higher levels for certain enclaves as contracts require.

Are the results of CMMC assessments public?

CMMC assessment results will not be made public. The only publicly available information will be that your company has achieved CMMC, but the level of the certification will not be public. The DoD will have access to all certification level information.

Is my organization responsible for ensuring that subcontractors are certified? What is the CMMC status verification process?

The CMMC-AB should be a central repository for CMMC information, including what organizations have achieved which levels. Once CMMC is fully implemented, it will not be difficult for the DoD to determine what level a subcontractor possesses and contracts will not be awarded if primes and subs do not meet the required level of certification. As CMMC is adopted, we recommend that prime contractors work with their subs to ensure that they will be ready for CMMC and can achieve certification in time for contract award.

How long will it take my organization to achieve CMMC certification?

As the CMMC-AB has not yet released the official CMMC assessment methodology and no certifications have been completed, we do not yet know how long the certification process will take. The general expectation in the industry is that the CMMC process will take a minimum of nine weeks. Organizations can shorten the path to certification by conducting readiness assessments beforehand.

How often will my organization need to be reassessed for CMMC?

In general, Cybersecurity Maturity Model Certification will be valid for three years.

What is a CMMC Registered Provider Organization (RPO)?

A CMMC RPO, or Cybersecurity Maturity Model Certification Registered Provider Organization, is an organization that has been recognized by the CMMC-AB as familiar with the basic constructs of the CMMC standard and is authorized to provide consulting and support to organizations in the DIB that are seeking certification.

CMMC RPOs must:

  • Register and receive authorization from the CMMC-AB
  • Sign the RPO agreement with the CMMC-AB
  • Pass an Organizational Background Check and have a DUNS number
  • Have at least one Registered Practitioner (RP) associated at all times (there is a 30-day grace period)
  • Agree to the CMMC-AB Code of Professional Conduct

It’s important to note that a CMMC RPO cannot conduct certification assessments; only a C3PAO can.

Will CMMC impact classified networks or prior FISMA and NIST SP 800-53 requirements?

Government contractors that have contracts with FISMA and/or NIST SP 800-53 requirements will likely not be impacted by CMMC for those contracts. However, new contracts or additions to current contracts could require CMMC in the future.

If our organization is already ISO 27001 certified or has obtained a similar certification, will we have time and cost savings in the CMMC process?

As the CMMC-AB has not yet officially released the CMMC assessment methodology, we do not know yet. However, the efforts required to implement controls and conduct self-assessments may be greatly decreased if your organization already has these controls in place and assessed from previous certifications.

Are the Defense Contract Management Agency’s (DCMA) cyber assessments related to CMMC?

To date, the assessments conducted by the DCMA and its Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) are based on NIST SP 800-171, not CMMC. It is unclear if and how these assessments will be related to CMMC.

How can I stay updated on CMMC?

We will continue to update CMMC information, resources and content on our website as information becomes available. You can consult our CMMC Media Resources or consult the CMMC-AB website.
