The need to protect data is not limited to private sector businesses that store, manage and process personally identifiable information (PII). Government agencies such as the Department of Defense (DoD) also need to evaluate, review and enhance cybersecurity measures, both internally and with contractors. Currently, DoD contractors are required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which outlines how contractors must protect sensitive data and report breaches.
At the end of last year, it was announced that a more robust set of regulations, known as the Cybersecurity Maturity Model Certification (CMMC), would be phased in to establish a stronger control standard. Given that any DoD contractor that handles Controlled Unclassified Information (CUI) will be required to comply, many questions have arisen around the transition. To help clients, prospects and others, PBMares has provided a list of the most frequently asked questions below.
Common CMMC Questions
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no go” decision.
Why is the CMMC being created?
DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure that appropriate levels of cybersecurity practices and processes are in place, both to ensure basic cyber hygiene and to protect controlled unclassified information (CUI) that resides on the networks of the Department’s industry partners.
What is Controlled Unclassified Information?
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects.
What’s the difference between NIST 800-171 and the CMMC?
The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.
How will my organization become certified?
Your organization will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.
Will there be self-certification?
What if my organization cannot afford to be certified?
The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified.
Do companies not handling CUI need to be certified?
Yes. All companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes.
We are a subcontractor on a DoD contract. Does my organization need to be certified?
Yes, all companies doing business with the Department of Defense will need to obtain CMMC.
How will we know the certification level required for a contract?
The government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts it administers. The required CMMC level will be contained in sections L and M of the Request for Proposals (RFP), making cybersecurity an “allowable cost” in DoD contracts.
Contractors that want to get started on CMMC assessment or have questions on the new regulations should contact PBMares anytime or reach out to Neena Shukla, Government Contracting Team Leader.