Cybersecurity Maturity Model Certification (CMMC) FAQ

The Cybersecurity Maturity Model Certification (CMMC) was developed to unify cybersecurity standards for Department of Defense (DoD) contractors. CMMC builds on the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) requirements that DoD contractors already face, and meeting those requirements can seem challenging for many organizations.

The first step toward CMMC compliance is understanding the CMMC framework and how it will impact your organization:

Do You Have a DoD Contract?

Roughly 300,000 companies are part of the Defense Industrial Base (DIB) sector. Each must achieve at least a Level 1 certification to continue contracting directly with the DoD or as a subcontractor to a larger prime contractor.

Do I Need a Level 1 Certification?

Any defense supply chain company that handles Federal Contract Information (FCI) must achieve at least a Level 1 certification, which verifies that basic cyber hygiene practices are in place. Companies that process or store controlled unclassified information (CUI) need a higher level of certification (Level 3 under the original five-level model), because CUI requires the protections of NIST SP 800-171 rather than basic hygiene alone.

What is CUI?

CUI is information the government creates or possesses, or that an entity creates or possesses on behalf of the government, that a law, regulation, or government-wide policy requires to be safeguarded or have its dissemination controlled. The CUI Registry, maintained by the National Archives and Records Administration (NARA), lists the specific categories and subcategories of information that the executive branch protects, including:

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • NATO
  • Natural and Cultural Resources
  • Nuclear
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax

Why Was CMMC Created?

The DoD developed the CMMC framework to enforce a consistent set of cybersecurity processes and practices across the DIB, so that every defense contractor and subcontractor that handles FCI or CUI is held to a verified, rather than self-declared, standard.

Is CMMC Different from NIST 800-171?

Yes. NIST SP 800-171 is a single set of 110 security requirements that contractors self-attest to under DFARS 252.204-7012. The CMMC model instead defines five distinct levels, each consisting of practices and processes that range from basic cyber hygiene at Level 1 to advanced controls at Level 5, and it requires an independent third-party assessment rather than self-attestation. Levels 3 and above incorporate the NIST SP 800-171 requirements and add further practices on top of them.

What is a CMMC Third-Party Assessment Organization (C3PAO)?

Authorized and accredited C3PAOs are responsible for conducting CMMC assessments of DIB companies' unclassified networks and issuing the appropriate CMMC certificate based on the assessment results.

Before a C3PAO may conduct CMMC assessments and issue certificates, it must meet DoD requirements and a subset of the requirements of ISO/IEC 17020, Conformity Assessment – Requirements for the Operation of Various Types of Bodies Performing Inspection. The CMMC Accreditation Body (CMMC-AB) can authorize a C3PAO to conduct assessments before the C3PAO has completed full ISO/IEC 17020 accreditation.

Who Will Perform the CMMC Assessments?

Only authorized or accredited C3PAOs listed on the CMMC-AB Marketplace website may conduct CMMC assessments, and a C3PAO may use only authorized or certified CMMC assessors to perform them. Note that an RPO (see below) cannot conduct a certification assessment; it can only help you prepare for one.

What is a Registered Provider Organization (RPO)?

RPOs, and the Registered Practitioners (RPs) they employ, provide advice, consulting, and recommendations to clients preparing for CMMC, but they do not issue certifications. Pondurance is an RPO that can perform a CMMC readiness assessment to identify gaps and provide recommendations to prepare your organization for a formal CMMC assessment by a C3PAO.

How Will I know Which CMMC Level is Required for a Contract?

The DoD will specify the required CMMC level in the request for information (RFI) or request for proposal (RFP) for each contract, so the required level can differ from one contract to the next.

How Will My Organization Become Certified?

A DIB company selects an authorized or accredited C3PAO from the CMMC-AB Marketplace website. The company and the C3PAO then agree on the scope of the assessment (the certification boundary), plan the assessment, and complete the necessary contractual agreements. After the assessment, the C3PAO delivers an assessment report and, if no deficiencies are found, issues the appropriate CMMC certificate to the company for that certification boundary. The C3PAO also submits a copy of the assessment report and the certificate to the DoD.

As a Registered Provider Organization, Pondurance is here to help your organization overcome these challenges and guide your way to CMMC readiness. Learn more about our CMMC Services.