Yes. In some cases, prime contractors are asking their subcontractors to complete the CMMC as soon as possible so that they are eligible to work on the contract.
If you are planning to participate in a DoD contract that contains the DFARS 252.204-7012 clause (the NIST SP 800-171 safeguarding clause), then yes. The CMMC is rolling out in phases through FY 2025, and contracts that carry 7012 will also carry the CMMC clause, DFARS 252.204-7021, as the rollout proceeds; once the CMMC clause is in your contract, you will need to hold the certification at contract award.
No. The certification requires a CMMC Third Party Assessment Organization (C3PAO) to perform the assessment. The provisional assessors who will conduct these assessments were trained directly by the CMMC-AB and are authorized to assess against the CMMC requirements.
CMMC Level 1 (Basic Cyber Hygiene): 17 controls
CMMC Level 2 (Intermediate Cyber Hygiene): 72 controls, including the Level 1 controls
CMMC Level 3 (Good Cyber Hygiene): 130 controls, including the Level 2 controls
CMMC Level 4 (Proactive): 156 controls, including the Level 3 controls
CMMC Level 5 (Advanced/Progressive): 171 controls, including the Level 4 controls
This is one of the most common questions, and the honest answer is: it depends. There are two different types of cost involved in certification, and both vary considerably from one organization to the next. The major breakdown is:
The cost of the assessment itself is driven by the CMMC level you are pursuing, how widely CUI flows through your environment, and the number of locations that must be assessed. All of this comes down to scope, and scope is determined by where FCI/CUI is stored, processed or transmitted and therefore must be continuously protected.
Currently the CMMC requirement applies to DoD-funded work, including grants: if the DFARS 252.204-7021 clause appears in the grant, the certification will be required.
The best way to prepare is to read the requirements and perform a baseline comparison (a gap analysis) between the controls and what you currently have in place. Some organizations prefer to engage an outside professional who can walk them through each step and identify the evidence that will be needed for each control within the CMMC.
To begin the assessment, you will first agree on the scope with the assessor (level, in-scope systems, locations, etc.). The assessor then walks through each practice and process looking for two pieces of objective evidence that demonstrate conformity. At Level 3 and above, the assessor also looks at the maturity, or institutionalization, of each process and practice to confirm that it is being continuously maintained and improved rather than performed ad hoc.
This depends on the process and the activity. The process needs to show that good cyber-hygiene activities are performed continuously, not just at assessment time.
If a contract you are bidding on contains the DFARS 252.204-7021 clause, you will need to hold the CMMC certification before the contract is officially awarded. You can respond to solicitations without it, but you will not be awarded the contract if you do not hold the certification at the time of award.
For NIST SP 800-171, an organization can complete the self-assessment and upload it to SPRS on its own. The Supplier Performance Risk System (SPRS) is the Department of Defense's database in which contractors record their NIST SP 800-171 self-assessment results.
As the CMMC begins to roll out, and until assessor training expands, only a C3PAO can perform the assessment. There are provisional assessors who have completed official CMMC-AB training (including Reef Systems), but as of January 1st, 2021, no C3PAOs have yet been authorized to deliver assessments.
The level depends on the organization and the work it intends to perform. It is possible to certify parts of your company at a different level than other groups, but you must be able to demonstrate the boundary between them and maintain those parts separately to remain compliant. As part of scoping your organization, you will determine which parts of the organization are covered under each CMMC level.