14 FAQs about CMMC
As any Department of Defense (DoD) contractor knows, CMMC can be tricky to navigate. However, when implemented correctly, you can grow your business faster and feel more confident knowing your information and assets are protected. Our team of CMMC Registered Practitioners is dedicated to guiding organizations to CMMC certification, and they have put together a list of questions they are frequently asked.
- Does my company need to be CMMC certified?
If your company responds to DoD Requests for Information or Proposals, it will need to be CMMC certified. The DoD will start gradually including CMMC requirements in its solicitations beginning in 2021. According to the current timeline, all DoD solicitations will include CMMC requirements by 2026.
- What CMMC level should my company seek?
CMMC Level 1 will be needed to receive DoD contracts that include Federal Contract Information (FCI), which is the broader category that does not also include Controlled Unclassified Information (CUI). CMMC Level 3 is the minimum level needed for contracts involving CUI.
- How does my company get certified?
An organization must demonstrate that it is performing the required practices and processes of each CMMC Level. Moreover, the company must show that it has achieved the required process maturity over time. If your company will be handling CUI, it will need at a minimum CMMC Level 3 certification, so it is best to start preparing now. Read through the 5 key steps to preparing for CMMC certification.
- Who grants the certification?
Companies cannot self-certify, which is a change from prior rules under Federal Acquisition Regulation (FAR) 48 CFR 52.204-21 or Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. The CMMC Accreditation Board (CMMC-AB) was formed as an independent non-profit entity in collaboration between the DoD and industry. DoD has granted the CMMC-AB sole authority to grant CMMC certifications.
- Is an SSP and POAM enough to become compliant and CMMC certified?
The CMMC is a maturity model, meaning that companies need to have been performing the required practices and processes of each CMMC level over time. At Level 3, companies must have in place documented policies and procedures governing each of the required practices, have resourced a plan that supports the implementation of those practices, and be able to demonstrate via an evidence-based independent third-party assessment that they perform the practices in a repeatable fashion. '
All requirements of a CMMC Level must be satisfied to achieve certification. There can be no open items, thus a POAM, which, by definition, implies incomplete items, is not permitted.
- How many practices are included at Level 3?
There are 130 practices required at Level 3, 110 of which correspond to the practices defined in NIST SP 800-171 and an additional 20 more.
- Do CMMC obligations change based on business size?
CMMC Levels and requirements are focused on data sensitivity, not organization size. An organization with 2 people and a fortune 500 company are subject to the same CMMC Level 3 requirements if they are handling CUI, although, the 2-person company would satisfy the requirements differently, based on the differing business complexity.
- Can ProArch, or other MSSP/consulting organization just make my organization compliant?
No, the reality is that the organizations seeking CMMC certification are responsible for the security, confidentiality, and integrity of regulated data. MSSP providers can be utilized as an essential tool to meet and maintain compliance, but the organization needs to be heavily participating throughout the process. Even if we have a vCISO role, there are still potentially $100,000+ additional technology investments that need to be made, and meeting the controls will impact certain critical business processes outside of just IT.
If you decide to engage with an MSSP provider, be sure to work with organizations that have Registered Practitioners (RPs) and are a Registered Provider Organization (RPO) listed on the marketplace.
- Does meeting CMMC Level 3 compliance mean my organization is “secure”?
Companies that have achieved CMMC Level 3 (the minimum level needed to handle CUI) are considered to practice “good cyber hygiene”. That is not to say that further steps can’t be taken to boost your security posture for the overall wellbeing of your organization.
- How long will it take to become CMMC Level 3 compliant?
This answer is very dependent on the current security maturity of the client. An organization starting from scratch would likely take a minimum of a year to prepare for the assessment. Those that are already meeting the 110 controls of NIST SP 800-171 will have a head start.
But remember that CMMC is a maturity certification, so companies will have to show that they have been implementing the 130 controls required at Level 3 over a significant time period, minimally for 3 to 6 months prior to assessment.
- What happens if an organization fails the CMMC certification?
If the assessor raises any issues that prevent certification, there is a 90-day period to remediate any minor gaps to the satisfaction of the assessor. The CMMC-AB has also defined an appeals process, by which an organization seeking certification can file a dispute if they believe the judgment of the assessor is incorrect.
Failing certification does not mean they will necessarily lose existing contracts, but it will prevent the organization from gaining new or renewing contracts with CMMC requirements until they repeat and pass a new assessment.
- Does my company need CMMC certification to be allowed to bid on a DoD contract?
CMMC certification is not required to bid on a contract, but certification must be achieved in order for the contract to be awarded. This is another good reason to start preparing now.
- How do I know what CMMC level I need to adhere to?
If the organization has contracts that involve CUI they will need to meet CMMC Level 3 at a minimum. If the contract doesn’t include CUI, they can be certified at CMMC Level 1 or Level
- How much will CMMC-certification cost my organization?
This depends highly on the complexity of the organization and the scope of the assessment. Costs could range from a few thousand to tens of thousands. Organizations seeking certification must hire a CMMC-AB accredited independent third-party assessment organization to conduct the assessment.
Our team of Registered Practitioners knows what it takes to successfully meet CMMC requirements. Check out our CMMC consulting services to see how we can help you get and stay compliant.