FAQ: The Cybersecurity Maturity Model Certification (CMMC) standard
Since the Department of Defense released its Cybersecurity Maturity Model Certification (CMMC) Model v1.0 in January, we’ve received a number of questions from clients and others about the new security standard’s components and timing. Read on for our answers to some of the most common queries.
Please note that these FAQs have been prepared for information purposes and general guidance only and do not constitute legal or professional advice.
1. What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a new unified security standard used by the Department of Defense (DOD) in assessing government contractors’ cybersecurity maturity. It consists of 17 domain families, 43 capability areas, and 171 practices. Implementation of these components is mapped across five levels to create a five-tier maturity ranking, which ranges from Level 1 (basic cyber hygiene) to Level 5 (highly advanced programs) for technical practices and Level 1 (performed) to Level 5 (optimized) for processes. For more detailed information, see the recently released v1.02. (The Department says v1.02 has “no substantive nor critical changes” from v1.0.)
2. When was the CMMC released?
The CMMC standard was released in January 2020, and the expectation is that a select number of DOD requests for information (RFIs) and requests for proposals (RFPs) will include CMMC requirements in late 2020. By 2025, all DOD RFIs and RFPs will include CMMC requirements.
3. Who does the CMMC apply to?
CMMC applies to all DOD contractors and subcontractors; however, subcontractors may not have to meet the same level of CMMC requirement as the prime. The CMMC maturity level for a subcontractor will be based on the type of work and service they are doing to support the contract.
4. Will there be a delay to the rollout of the CMMC due to COVID-19?
To date, the rollout of the CMMC is expected to begin in late 2020.
5. What CMMC maturity level will DOD expect companies to be at to work with them?
While the guidelines on what level a contractor should consider for CMMC readiness or audit are still being finalized, contractors that work with Controlled Unclassified Information (CUI) data will be expected to meet Level 3 requirements of the CMMC, at a minimum.
CMMC applies only to a Defense Industrial Base (DIB) contractor’s unclassified networks that handle, process, and/or store Federal Contract Information (FCI) or CUI. If your contract requires secret clearances and your organization handles CUI as part of the contract, there is a good chance that your organization needs to comply with Level 3 CMMC requirements at a minimum.
6. Will audits be performed by third-party certified entities, or will they be conducted by government or government-appointed entities?
CMMC audits will be conducted by third-party assessment organizations (C3PAOs), independent organizations accredited by the CMMC Accreditation Body. Government will not be conducting the audits. C3PAOs must complete an accreditation process and approved training, and must show independence in their work.
7. Do you expect third-party certifiers to do an entire CMMC audit each time and then see what level a company is compliant to, or is a specific level to be determined and audited ahead of time?
We expect contracts that require CMMC certifications to note the maturity level that the organization is expected to meet. We encourage each organization to perform a holistic preparedness assessment composed of all Level 1 to Level 5 controls in order to identify its gaps. Once gaps are identified, they should be remediated in line with the organization’s risk profile and compliance requirements. This will allow the organization to understand what is needed and be prepared for future contracts that may require higher-level certification requirements.
8. What are the boundaries of the CMMC level? Is the level for the entire company or for parts of that company?
The boundaries of the CMMC level should include the people, process, and technology that will be used in servicing the DOD contract.
9. Are 1099s working on your projects considered "subcontractors" that have to be CMMC compliant?
The CMMC is required for all contractors and subcontractors that are servicing DOD contracts. This includes full-time, part-time, and temporary contractors that may be in scope of servicing the DOD contract.
10. Information Systems in FAR 52.204-21 seems very broad. What internal systems come under this scope?
All systems that are in the boundary of servicing or supporting the DOD contract should be in scope. As part of CMMC, contractors and subcontractors must implement Level 1 controls, which are based on the FAR 52.204-21 requirements.
11. Are you still vulnerable if your industrial machines are not connected to the internet?
Organizations whose systems or industrial machines are not connected to the internet are still vulnerable to various methods of internal attacks such as insider threats, which are covered under the CMMC framework.
12. Will there eventually be a list of suppliers that are moving toward compliance?
The CMMC Accreditation Body, in partnership with DOD, will have a central CMMC marketplace, and only DOD will have access to all defense industrial base companies’ certification. The marketplace will also include all the firms that are C3PAOs. Per the DOD, the results of a CMMC assessment and companies’ certification level will not be made public; “the only information that will be publicly available is that your company has a CMMC certification.”
13. How do you know if you have CUI data if your customer has not identified it as such but has imposed the FAR clause?
We encourage every organization to have a dialogue with their Contracting Officer (CO) and ask the questions around CUI. In the event that the CO is not able to answer that question, organizations should refer to the National Archives’ CUI Registry to identify CUI data.
14. For CUI, what business information systems will be impacted?
Any business information system that is used or leveraged to process, use, or store CUI data will need to be considered in the system boundary.
15. Does CohnReznick plan to become a C3PAO?
CohnReznick does plan to become a CMMC C3PAO and is providing readiness assessments to help organizations prepare and plan for CMMC.
16. If we consult with CohnReznick to obtain an assessment of CMMC requirements currently in place, will we also be able to certify through CohnReznick?
CohnReznick can certainly assist organizations to help prepare for CMMC. Our services consist of advisory work and will include certification once we become a C3PAO. However, CMMC requires independence for auditors performing the CMMC audit. Hence, a C3PAO cannot help an organization with both preparedness/remediation and the audit. We can either help an organization with preparedness/remediation or conduct the CMMC audit for that organization.
17. What frameworks, standards, and guidelines does the CMMC reference?
CMMC references the following:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)/Special Publication (SP) 800-171/SP 800-53 rev.4
- UK National Cyber Security Centre (NCSC) Cyber Essentials
- ISO/IEC 27001
- CERT Resilience Management Model (CERT-RMM)
- Australian Cyber Security Centre’s Essential Eight
- CIS Controls
18. What can organizations do to start preparing for the CMMC?
Click to download a PDF resource of some activities that we recommend organizations perform to start preparing for CMMC.