1 - What is Controlled Unclassified Information (CUI)?
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and https://www.dodcui.mil/Home/DoD-CUI-Registry/ and includes the following organizational index groupings:
Natural and Cultural Resources
Procurement and Acquisition
Proprietary Business Information
Resources, including online training to better understand CUI can be found on the National Archives’ Website at https://www.archives.gov/cui/training.html as well as the Department of Defense’s website https://www.dodcui.mil/.
2 - What are the concerns regarding cybersecurity in the Defense Industrial Base (DIB)?
The aggregate loss of Controlled Unclassified Information (CUI) from the DIB sector increases the risk to national economic security and in turn, national security. In order to reduce this risk, the Department has continued to work with the DIB sector to enhance its protection of CUI in its unclassified networks.
The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 [Ref: “The Cost of Malicious Cyber Activity to the U.S. Economy, CEA” in February 2018].
The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 billion, nearly 1% of global GDP, may be lost to cybercrime each year. The estimate is up from a 2014 study that put global losses at about $445 billion. [Ref: “Economic Impact of Cybercrime - No Slowing Down” in February 2018].
3 - What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.
4 - Why was CMMC created?
DoD is migrating to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector. The CMMC is intended to serve as a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
5 - When is the interim Defense Federal Acquisition Regulation Supplement (DFARS) rule implementing CMMC
(DFARS Case 2019-D041) effective?
The interim rule became effective on November 30, 2020. The public review and comment period for DFARS Case 2019-D041 ended on November 30, 2020. Due to its designation as a major rule change, the interim rule must also complete a Congressional Review.
6 - Will other Federal (non-DoD) contracts use CMMC?
The initial implementation of the CMMC will only be within the DoD and will be implemented through DFARS clause 252.204-7021.
7 - What is the relationship between the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?
CMMC Level 3 includes the 110 security requirements specified in NIST SP 800-171. The CMMC Model also incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM).
8 - How will CMMC be different from NIST SP 800-171?
Unlike NIST SP 800-171, the CMMC model possesses five levels. The model is cumulative whereby each level consists of practices and processes as well as those specified in the lower levels. The CMMC Model includes additional cybersecurity practices in addition to the security requirements specified in NIST SP 800-171.
In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s maturity processes.
9 - What is the CMMC Accreditation Body (CMMC-AB)?
The CMMC-AB (https://www.cmmcab.org/) is an independent organization that will authorize and accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO) in accordance with DoD requirements. The CMMC-AB will be required to achieve compliance with the ISO/IEC 17011, Conformity Assessment – Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies.
10 - What is a CMMC Third Party Assessment Organization (C3PAO)?
Authorized and Accredited C3PAOs are responsible for conducting the CMMC assessments of DIB companies’ unclassified networks and then issuing appropriate CMMC certificates based on the results of the assessments.
Authorized C3PAOs must meet DoD requirements and a subset of the ISO/IEC 17020, Conformity Assessment – Requirements for the Operation of Various Types of Bodies Performing Inspection requirements prior to being authorized to conduct CMMC assessments and issue certifications. The CMMC-AB can authorize C3PAOs to conduct CMMC assessments prior to the C3PAO achieving accreditation.
Accredited C3PAOs must meet all DoD requirements and achieve full compliance with ISO/IEC 17020. C3PAOs must be accredited by the CMMC-AB within 27 months of their registration.
11 - Who will perform the CMMC assessments?
Only Authorized and Accredited C3PAOs who are listed on the CMMC-AB Marketplace website will be able to conduct CMMC assessments. C3PAOs shall use only Authorized or Certified CMMC assessors for the conduct of CMMC assessments.
12 - How will my organization become certified?
DIB companies will select one of the Authorized or Accredited C3PAOs from the CMMC-AB Marketplace website. The DIB company and the selected C3PAO will coordinate and plan the CMMC assessment as well as complete appropriate contractual agreements. After the completion of the CMMC assessment, the C3PAO will provide an assessment report and if there are no deficiencies, issue the appropriate CMMC certificate to the DIB company for the specified certification boundary. The C3PAO will also submit a copy of the assessment report and CMMC certificate to the DoD.
13 - Will there be a self-certification?
No, there are no self-certifications for CMMC. However, DIB companies are encouraged to complete a self-assessment based on CMMC Assessment Guides prior to scheduling a CMMC assessment. The Department of Defense posts versions of the CMMC Assessment Guides on its website (https://www.acq.osd.mil/cmmc/index.html).
14 - Are the results of my assessment public? Does the DoD see my results?
No, the detailed results of a CMMC assessment and the specific CMMC certification levels will not be made public. The only information that will be publicly available is that your company has a CMMC certification.
The DoD will have access to all DIB companies’ CMMC certificates, which will be posted on the CMMC Enterprise Mission Assurance Support Services (eMASS) database and on the Supplier Performance Risk System (SPRS).
15 - How much will CMMC certification cost?
The CMMC assessment costs will depend upon several factors to include the CMMC level, the complexity of the DIB company’s unclassified network for the certification boundary, and other market forces. The Department of Defense provided rough order of magnitude cost estimates for CMMC assessments as part of the Federal Register Notice for Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041.
16 - How often does my organization need to be reassessed?
In general, a CMMC certificate will be valid for 3 years.
17 - If my organization has a CMMC certification and my unclassified network is compromised, do I lose my certification?
A cybersecurity incident will not automatically cause a DIB company to lose its CMMC certification. Depending upon the circumstances of the incident, the DoD program manager may direct a re-assessment.
18 - What if my organization cannot afford to be certified? Does that mean my organization can no longer work on DoD contracts?
The costs associated with implementing CMMC requirements, supporting the CMMC assessment, and contracting with the C3PAO will be considered an allowed cost. For contracts that include the CMMC requirement, you will not be awarded the contract if you are not certified at the appropriate CMMC level at the time of contract award.
19 - My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?
If a DIB company does not possess, store, or transmit CUI but possesses Federal Contract Information (FCI), it is required to meet FAR clause 52.204-21 and must be certified at a minimum of CMMC Level 1.
Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
20 - I am a subcontractor on a DoD contract. Does my organization need to be certified?
If the DoD contract has a CMMC requirement and so long as your company does not solely produce COTS products, you will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowing down from your prime contractor.
21 - How will I know what CMMC level is required for a contract?
The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).
22 - Will CMMC certifications and the associated third-party assessments apply to classified systems and/or classified environments within the Defense Industrial Base?
CMMC applies to only DIB contractor’s unclassified networks that process, store or transmit FCI or CUI.
23 - How does my company become a C3PAO?
The CMMC-AB will provide information on DoD requirements for candidate C3PAOs and manage the registration process. Candidate C3PAOs should reference the CMMC-AB website (www.cmmcab.org).
24 - What is the CMMC Assessors and Instructors Certification Organization (CAICO)?
The Authorized and Accredited CAICO will be established to manage and oversee the training, testing, authorizing, and certifying of candidate-assessors and instructors. The CAICO will be required to meet DoD requirements and achieve compliance with ISO/IEC 17024, Conformity Assessment – General Requirements for Bodies Operating Certification of Persons Conformity Assessment.
25 - What is the status of Standard Acceptance Agreements between CMMC and other cybersecurity standards and assessments?
The Department plans to provide guidance with respect to Standard Acceptance Agreements between CMMC Level 3 and the NIST SP 800-171 DoD Assessment Methodology for the high assessment or confidence level. In addition, the Department is working with the GSA Federal Risk and Authorization Management Program (FedRAMP) Program Management Office to provide clarifications and guidance with respect to CMMC Level 3 and commercial cloud service offerings that meet the DFARS clause 252.204-7012.
Furthermore, DoD is working with international partners to coordinate on potential bilateral agreements between CMMC and their respective cybersecurity requirements and assessments.
26 - What is the Department’s phased rollout plan for CMMC?
The Department is implementing CMMC through a phased rollout approach. Until September 30, 2025, the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in any solicitation.
The Department is currently working with military Services and Defense Agencies to identify candidate programs that will implement CMMC requirements during the FY2021-FY2025 phased rollout. During the first year of the rollout, the Department will require no more than 15 new Prime acquisitions to meet CMMC requirements as part of a CMMC pilot program. These contracts will focus on mid-sized programs that require the contractor to process or store CUI (CMMC Level 3). Primes will be required to flow down the appropriate CMMC requirement to their subcontractors.
For subsequent fiscal years of the rollout, the Department intends to incorporate CMMC Levels 4 and 5 on a small number of contracts while increasing the quantity of Prime acquisitions that include a CMMC requirement to the following targets: