Before I can begin my series on how to reach compliance with the various levels of CMMC, we need to look into what CMMC actually is. So let's do a FAQ! I would prefer not to repeat questions already answered by the DOD, so take a look at the DOD's FAQ first and then read mine.
What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. It is a new certification process being put in place by the Department of Defense (DOD) for all of its contracts. The goal of CMMC is to ensure that everyone in the DOD's supply chain meets a base level of security, depending on the type of work they are doing. More can be found on CMMC's website, at https://www.acq.osd.mil/cmmc/index.html
I just mow the grass on the base. Why do I need to do this?
As Katie Arrington of the DOD stated, you need to know what you are mowing. That means the base likely sent you plans showing where the grass is and what needs to be mowed. In other words, you hold sensitive information about how the base is laid out, which can be very useful to our adversaries.
I work with CUI, what level of certification do I need?
If you work with Controlled Unclassified Information (CUI), then you will need to be at Level 3 in the CMMC model. Level 3 incorporates all 110 NIST SP 800-171 controls, plus 10 additional practices introduced with CMMC. Failure to meet any one of these controls means you will fail your audit.
AUDIT? I thought I could self report!
In the past, under DFARS and NIST SP 800-171, you were allowed to self-report that you were compliant with the controls, and no one verified whether or not you actually were. The DOD is aware that many who claim to be compliant are not, often not maliciously. CMMC fixes this by verifying that everyone is compliant at the level they claim. Third party auditors (C3PAOs, or CMMC Third Party Assessment Organizations) will not only conduct an initial audit of your organization, but also spot check it, and reverify every three years.
I have controls I believe are not applicable to me. Can I claim that? What kind of proof will I need?
You absolutely can claim that some controls are not applicable to you. If you do not operate a wireless network in your facilities, then the controls relating to wireless networks can be marked N/A. As can be expected, the type of proof varies. In this case, the auditor would interview your System Administrator(s) (SA) and Network Engineer(s) (NE) to verify the claim that no wireless network exists.
What is meant by an allowable cost?
CMMC will allow you to include expenses related to CMMC in your rates, so that you are reimbursed for these costs. However, the cost of complying with the 110 existing NIST SP 800-171 controls is not a CMMC cost, as you should already be doing that under DFARS. The upfront costs of gaining compliance with the CMMC-specific requirements can also be incorporated into your rates.
What if, during a spot-check, I am not compliant with a control?
If you are out of compliance during a spot check, the audit team will determine what steps are needed to rectify the issue. If you remediate the issue, you will not lose your CMMC level. If it cannot be remediated quickly enough, your certification may drop to whatever level you currently meet, and this could impact your current contracts. Keep in mind that certification is only as high as your weakest control: if every control is met up to Level 3, but one is only met to Level 1, you are going to be certified at Level 1.
I’m too small to implement some of these controls. Can I utilize a service?
Yes! Cybersecurity-as-a-Service (CaaS) will be allowed under CMMC, as long as the CaaS provider meets the required level for your contract. Furthermore, there will be a marketplace on the CMMC Accreditation Board's website (https://www.cmmcab.org) to help you find a service for whichever controls you need covered.
I currently meet ISO 27001. Can I use this information in CMMC?
Yes! If you look at the CMMC specification, certain controls state which other frameworks they map to. Any control that references ISO 27001 is considered met, since you have already satisfied that certification's requirements.
When will this go into effect?
The first Request for Information (RFI) requiring a CMMC level is tentatively scheduled for June 2020. The first Request for Proposal (RFP) requiring a CMMC level is tentatively scheduled for October 2020. By 2026, all DOD contracts will have a CMMC level attached to them. Your organization needs to meet that CMMC level at time of award, not time of bid.
Will Primes and Subcontractors need to meet the same CMMC Level?
Not necessarily. If the Prime needs Level 3, it is possible the subcontractor will only need to meet Level 2 or Level 1, depending on how the contract is written and what work the subcontractor is doing.
Will the CMMC specification change?
Yes. CMMC is a living document and will change over time. For example, it is expected to include its first statements on quantum resistance in 2021.
Have more questions? Reach out to me and I'll answer if I can! Otherwise, feel free to reach out to Katie Arrington at the DOD, and she'll answer when she can!