CMMC Frequently Asked Questions

In January 2020 the Department of Defense (DoD) announced a new standard for assessing organizations’ cybersecurity posture called “Cybersecurity Maturity Model Certification (CMMC).” According to CMMC, all DoD contractors that process, transmit or store Controlled Unclassified Information (CUI) will be required to be certified by a CMMC Third-Party Assessment Organization (C3PAO). The new CMMC program consists of five levels of certification covering both cybersecurity practices and processes.

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) created this dedicated page answering the most frequently asked questions about the coming CMMC standard. We also have included some of these questions below to help you better understand CMMC. If you have any questions regarding your organization’s compliance with NIST SP 800-171 or CMMC, please contact us at info@cybernines.com to schedule a free consultation with our cybersecurity experts.

What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification.” The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.

Why is the CMMC being created?

DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure that appropriate levels of cybersecurity practices and processes are in place, both to ensure basic cyber hygiene and to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

How will CMMC be different from NIST SP 800-171?

Unlike NIST SP 800-171, the CMMC model has five levels. Each level consists of its own practices and processes in addition to those specified in the lower levels.

In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.

Who will perform the CMMC assessments?

Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors that have been accredited by the CMMC AB will perform CMMC assessments.

I am a subcontractor on a DoD contract. Does my organization need to be certified?

Yes. As long as your company does not solely produce COTS (commercial off-the-shelf) products, it will need to obtain a CMMC certificate. The required level of the CMMC certificate depends on the type and nature of the information flowed down from your prime contractor.

Source: CMMC FAQ. Retrieved from https://www.acq.osd.mil/cmmc/faq.html