CMMC FAQ
Our Frequently Asked Questions have been updated to reflect the most recent information provided by the CMMC-AB and the Department of Defense.
About CMMC
The Cybersecurity Maturity Model Certification (CMMC) program is aligned to DoD’s information security requirements for DIB partners. It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.
The DFARS 252.204-7012 clause (aka DFARS 7012) was created in response to alarming increases in cyberthreats aimed at contractors in our nation’s Defense Industrial Base (the DIB). It went into effect at the end of 2017.
In November 2020, the DoD released its DFARS Interim Rule. The goal of this supplement was to increase compliance with its cybersecurity regulations and improve security throughout the DIB. The Interim Rule introduced three new clauses: 7019, 7020 and 7021.
The publication of materials relating to CMMC 2.0 reflects the Department’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take up to 24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.
The Department values feedback from industry, Congress, and other stakeholders and received over 850 public comments in response to the interim rule establishing CMMC 1.0. These comments focused on the need to enhance CMMC by (1) reducing costs, particularly for small businesses; (2) increasing trust in the CMMC assessment ecosystem; and (3) clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards. CMMC 2.0 was designed to meet these goals, which also contribute to enhancing the cybersecurity of the defense industrial base.
The CMMC assessment costs will depend upon several factors, including the CMMC level, the complexity of the DIB company’s unclassified network within the certification boundary, and market forces. DoD will develop a new cost estimate for the CMMC 2.0 program, which will be published in the Federal Register as part of the rulemaking process.
CMMC 2.0 Model
Once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation.
Compliance with NIST standards is levied as a contractual requirement via inclusion of clauses such as FAR 52.204-21 and DFARS 252.204-7012. The relationship between CMMC and the NIST standards is that CMMC requirements will result in a contractor self-assessment, or a third-party assessment, to determine whether the applicable NIST standard (as identified by the DFARS clause) has been met. The FAR clause states the basic safeguarding requirements for CMMC Level 1 compliance. Under CMMC 2.0, a Level 2 assessment will be conducted against the NIST SP 800-171 standard and a Level 3 assessment will be based on a subset of NIST SP 800-172 requirements.
If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.
Assessments
Once CMMC 2.0 is implemented, self-assessments, when permitted based on the CMMC level assigned, will be required on an annual basis. When CMMC certification is required, a C3PAO assessment (Level 2) or a Government assessment (Level 3) will be required on a triennial basis.
Once CMMC 2.0 is fully implemented, DoD will only accept CMMC assessments provided by the Government or by an authorized and accredited C3PAO or certified CMMC Assessor. C3PAOs shall use only certified CMMC assessors to conduct CMMC assessments.
Mainly, it is up to the leadership and structure of your organization and how those roles are defined. Who is the ultimately responsible party (or parties) for the cybersecurity hygiene and assessments of your organization? Cybersecurity covers personnel, facilities, and technology.
Please refer to the policy documents, training materials, and quick reference guides generated by the National Archives (https://www.archives.gov/cui/training.html) and the DoD CUI program, located at https://www.dodcui.mil/Home/Training/.
The sole purpose of CMMC assessments is to verify that information systems used to process, transmit, or store DoD CUI are fully capable of meeting the information security requirements in other FAR and DFARS clauses. In the case of DFARS 252.204-7012, this means providing “adequate security” to the standard described in NIST SP 800-171. The controls assessed under the CMMC model are NIST controls, and are deemed necessary to adequately safeguard DoD CUI. To the extent that an information system is not able to provide adequate information security, DoD CUI should not be processed, stored, or transmitted in or on that system.
In accordance with DFARS 252.204-7012 (b)(ii)(D), companies can use commercial instances of cloud offerings as long as the cloud offering meets security requirements equivalent to the FedRAMP Moderate baseline and as long as the provider meets the requirements of paragraphs (c)-(g) of the clause. Please refer to question #115 of the responses to industry comments regarding the DFARS implementation of 204.73, which addresses equivalency of cloud service provider security requirements to FedRAMP “Moderate.”
The DoD intends to maintain its existing cybersecurity requirements (as defined in FAR 52.204-21 and DFARS 252.204-7012), and enforce them where applicable. The DoD will continue to engage with our international partners regarding mutual agreement on necessary cybersecurity standards, and will ensure that foreign companies that support U.S. warfighters are equipped to safeguard FCI and CUI.