- Have any questions?
- (919) 535 – 8170
- CMMC@reef-sys.com
CMMC FAQ
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Cybersecurity Governance
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personal Security
- Physical Protection
- Recovery
- Risk Assessment
- Security Assessment
- Situational Awareness
- System and Communications Protection
- System and Information Integrity
Yes!
Yes! In some cases, Prime Contractors are asking their subcontractors to complete the CMMC as soon as possible to be able to work on the contract.
If you are planning on participating in a DoD Contract that contains the DFARS 252.204-7012 clause in it, then yes. The CMMC will be rolling out slowly until FY 2025, so once the DFARS clause is in your contract, you will need to receive the CMMC upon contract award.
No. This is when you will need a C3PAO to come complete the assessment to receive the certification. The provisional assessors who will be completing the assessment were trained directly by the CMMC-AB and have the power to take on this compliance.
CMMC Level 1: 17 Controls Basic Cyber Hygiene
CMMC Level 2: 72 Controls (includes Level 1 controls) Intermediate Cyber Hygiene
CMMC Level 3: 130 Controls (includes Level 2 controls) Good Cyber Hygiene
CMMC Level 4: 156 Controls (includes Level 3 controls) Proactive
CMMC Level 5: 171 Controls (includes Level 4 controls) Advanced/Progressive
- FCI-“Federal Contract Information” is information not intended for public release. It is provided by or generated by for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information generated for the public.
- CUI- “Controlled Unclassified Information”is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
This is a huge question that is being asked and the best answer is: it depends. There will be two different types of costs for the certification and it will be quite different for every organization going through it. The major breakdown will be:
- Cost based on maturity & level: The cost will begin with the maturity of your organization’s processes and what CMMC level you are looking to obtain. The higher the level, the more FCI/CUI will be present, and this will correlate to bigger costs.
- FCI/CUI Flow: Where does the CUI flow in the organization? This does not necessarily mean a big organization will always be costing more than a small company. This is dependent on who has access to CUI in the organization. A bigger web of CUI (how many people have access, computer access vs cell phone access, single site vs multi-site, etc.) will cost more than a tighter, smaller web of CUI (limited access to only certain people, groups, or locations, etc.).
- There is also a physical security component of the assessment that takes place so single site organizations vs. multi-site organizations will be different.
The cost of the actual assessment will be based upon which CMMC level you are going for, how big the web of CUI is and the number of locations that will need to be assessed. This is all based on the scope and scope is based on how to continuously protect FCI/CUI.
Currently the CMMC requirement will apply to anything related to DoD funding. If the 252.204-7021 clause is stated in the grant, they will be requiring the certification.
The best way to prepare is look at the requirements, and begin by doing a baseline comparison with the controls and what you currently have in place. Sometimes, organizations prefer to use an outside professional who can help them walk through each step clearly and identify the information that will be needed for each control within the CMMC.
To begin the assessment, you will first agree on the scope with the assessor (level, systems, etc.). Next, the assessor will be walking through each practice and process and looking for two pieces of objective evidence that show conformity. At level 3 and above, the assessor will be looking at maturity/institutionalization of the process and practice to make sure it is being continuously maintained and improved.
This depends on the process and activity. The process really needs to show that good cyber-hygiene activities are continuously done.
- If a contract you are bidding on has the DFARS 252.204-7021 clause in it, you will need to have the CMMC before the contract is officially awarded. Although you will be able to respond to solicitations without it, you will not be awarded one on the day of if you do not have the CMMC.
For NIST SP 800-171, an organization can complete the self-assessment and upload it within SPRS on their own. The Supplier Performance Risk System (SPRS) is the Department of Defense’s Database for contractors to upload their NIST SP 800 – 171 Self-Assessments.
As the CMMC begins to roll out and until training expands, only a C3PAO can perform the assessment. There are provisional assessors who have undergone official training from the CMMC-AB (including Reef Systems), but as of January 1st 2021, there are no authorized C3PAOs to provide assessments yet.
The level will depend on the organization and what they want to do specifically. It is possible to certify parts of your company at a different level than other groups, but you must show the difference and maintain these parts separately to be compliant. As part of scoping your organization, you will determine which parts of the organization will be covered under each CMMC level.