Q: What is CMMC?
A: CMMC stands for Cybersecurity Maturity Model Certification. It is designed to assess the security posture of Defense Industrial Base (DIB) companies and to verify that appropriate practices and procedures are implemented before defense contracts are awarded.
Q: Do all contractors, sub-contractors and organizations need to be certified?
A: If you’re one of the 350,000 entities working directly (or indirectly) on Department of Defense (DoD) contracts containing Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI), you must fully comply with the 2026 mandate.
Q: What is FCI?
A: FCI is information provided by or generated for the federal government under contract that is not intended for public release. CMMC requirements specify that organizations handling FCI must meet at least Level 1 (Performed – Basic Cyber Hygiene) certification.
Q: What is CUI?
A: CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information classified under Executive Order 13526, Classified National Security Information, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. CMMC requirements specify that organizations storing, processing, or transporting CUI must meet at least Level 3 (Managed – Good Cyber Hygiene) certification.
Q: If mandate compliance doesn’t take full effect until October 2025, why should I worry about it now?
A: The CMMC program is meant to be phased in. Failing to comply, and failing to become an early adopter, will likely lead to a significant decrease in awarded contracts. Early adopters will see a huge competitive advantage over non-certified contractors and will be given exclusive bidding rights on contracts with CMMC requirements. Even before that October 2025 date, the DFARS Interim Rule applies.
Q: What is the DFARS Interim Rule?
A: Effective November 20, 2020, contractors were still required to self-assess and enter the results in the Supplier Performance Risk System (SPRS) database. While some contracts will also need to go all the way to CMMC certification, it is at the discretion of the Office of the Under Secretary of Defense (OUSD) to state which new contract awards must be CMMC certified as of right now. The goal is to award more prime contracts annually to CMMC certified organizations. In fiscal year 2021, DoD requires only 15 prime contracts to be awarded with the new CMMC requirements, including prime subcontractors. By 2025, all organizations must be CMMC certified to successfully win contract awards.
Q: How is CMMC different from 800-53 or 800-171?
A: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 applies to all US federal agencies and any entity housing US federal information or information systems. SP 800-171 is meant for protecting CUI stored, processed, or disseminated in nonfederal systems. CMMC is not an audit that ensures specific boxes are checked, but rather an assessment: CMMC characterizes the organization's cybersecurity posture as it pertains to CUI and FCI.
Q: My organization didn’t bid on a contract but we assist one that did. Do we need to be certified?
A: Yes. If the organization handles CUI or FCI, even as a subcontractor, then that organization needs to be certified just as the prime contract holder is.
Q: My organization doesn’t handle CUI. Do we still need to be certified?
A: Yes. Even if the organization only handles FCI, it still needs to be certified at Level 1. The few exceptions are payment information necessary to process a transaction and contracts dealing purely with commercial off-the-shelf (COTS) products.
Q: What are the CMMC certification levels?
A: The five levels are:
Level 1 – Performed – Basic Cyber Hygiene
Level 2 – Documented – Intermediate Cyber Hygiene
Level 3 – Managed – Good Cyber Hygiene
Level 4 – Reviewed – Proactive
Level 5 – Optimizing – Progressive/Advanced
Q: How will I know what CMMC level is required for a contract?
A: The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).
Q: If I start my assessment with an organization listed on the marketplace, will they carry out the test by December 2021?
A: No. As of Aug 2nd, 2021, CMMC no longer allows LTPs to sell exam vouchers; the CMMC-AB will grant all access to the test. This is because multiple checks need to be completed before a candidate is allowed to take the test, and training is only one of those checks. The validation that grants exam access is therefore recorded in the candidate's record. In December, only 200 “beta” test takers will have access to the exam; the exam is available as of Feb 2022.
Q: If I hold a Provisional Assessors (PA) and Provisional Instructor (PI) status, when do I have to take the official certification exam?
A: As a PA or PI, you have six months from the official release of an exam to take that exam and obtain the corresponding designation. For example, if you are a PI training CCPs, you have six months to pass the CCP exam after the CCP exam is released.
Q: Is there a correlation between APMG approved NCSP certifications and the CCP / CA-1, CCA-3 of CMMC-AB?
A: No. The objectives and intended audience of these certifications are different: the CMMC-AB certifications validate the skills of the “assessors.”