The necessity to protect data is one not limited to private sector businesses that store, manage and process personally identifiable information (PII). In fact, government agencies such as the Department of Defense (DoD) also need to evaluate, review and enhance cybersecurity measures both internally and with contractors. Currently, DoD contractors are required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which outlines how contractors are required to protect sensitive data and report breaches.

At the end of last year, a more robust set of regulations, known as the Cybersecurity Maturity Model Certification (CMMC)  would be phased-in to facilitate a more robust control standard. Given that any DoD contractor that handles Controlled Unclassified Information (CUI) will be required to comply, many questions have arisen around the transition. To help clients, prospects and others, PBMares has provided a list of the most frequently asked questions below.

Common CMMC Questions

What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no go decision.”

Why is the CMMC being created?
DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides in the Department’s industry partners’ networks.

What is Controlled Unclassified Information?
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects.

What’s the difference between NIST 800-171 and the CMMC?
The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.

How will my organization become certified?
Your organization will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.

Will there be self-certification?
No.

What if my organization cannot afford to be certified?
The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified.

Do companies not handling CUI need to be certified?
Yes. All companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes.

We are a subcontractor on a DoD contract. Does my organization need to be certified?
Yes, all companies doing business with the Department of Defense will need to obtain CMMC.

How we will know the certification level required for a contract?
The government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.

Contractors that want to get started on CMMC assessment or have questions on the new regulations should contact PBMares anytime or reach out to Neena Shukla, Government Contracting Team Leader.