Cybersecurity Maturity Model Certification (CMMC) FAQ

Cybersecurity Maturity Model Certification (CMMC) was developed to unify cybersecurity standards for Department of Defense (DOD) contractors. The model builds upon the Defense Federal Acquisition Regulation Supplement and National Institute of Standards and Technology (NIST) frameworks, requirements that can seem challenging for organizations attempting to meet the standards put in place by the DOD.
 
The first step toward compliance is understanding the certification framework and how it will impact your organization:

Do You Have a DOD Contract?

There are currently 300,000 companies involved in the defense industrial base (DIB) sector that must achieve at least a Level 1 certification to continue contracting, either directly with the DOD or as subcontractors of larger firms.

Do I Need a Level 1 Certification?

Only defense supply chain companies that process and hold controlled unclassified information (CUI) are required to achieve at least a Level 1 certification to ensure that basic cyber hygiene practices and processes are in place.

What is CUI?

CUI is information the government creates or possesses, or information that an entity creates or possesses on behalf of the government. A CUI registry lists the specific categories and subcategories of information that the executive branch protects, including:

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • NATO
  • Natural and Cultural Resources
  • Nuclear
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax

Why Was CMMC Created?

The DOD developed the CMMC framework to align stringent cybersecurity processes and practices across the DIB for all defense contractors and subcontractors that handle CUI.

What are the Differences with CMMC 2.0?

On Nov. 4, 2021, the DOD announced the enhanced CMMC 2.0, which eases the compliance burden on contractors by moving to three compliance levels rather than five. The enhancements:
  • Simplify the standard and provide additional clarity on cybersecurity regulatory, policy, and contracting requirements
  • Focus the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs
  • Increase DOD oversight of professional and ethical standards in the assessment ecosystem

Is CMMC Different from NIST 800-171?

Unlike NIST 800-171, CMMC has three distinct levels; each level consists of practices and processes that ensure controls ranging from basic cyber hygiene to advanced cybersecurity are in place to secure CUI. The CMMC model also includes cybersecurity practices beyond the security requirements specified in NIST SP 800-171.

What is a CMMC Third-Party Assessment Organization (C3PAO)?

Authorized and accredited C3PAOs are responsible for conducting the assessments of DIB companies’ unclassified networks and issuing appropriate CMMC certificates based on the results of the assessments.
 
Authorized C3PAOs must meet DOD requirements and a subset of the requirements of ISO/IEC 17020, "Conformity Assessment – Requirements for the Operation of Various Types of Bodies Performing Inspection," prior to being authorized to conduct assessments and issue certifications. The CMMC-Accredited Body (AB) can authorize C3PAOs to conduct CMMC assessments before the C3PAO achieves accreditation.
 
Accredited C3PAOs must meet all DOD requirements and achieve full compliance with ISO/IEC 17020. C3PAOs must be accredited by the CMMC-AB within 27 months of registration.

Who Will Perform the CMMC Assessments?

Only authorized and accredited C3PAOs listed on the CMMC-AB Marketplace website will be able to conduct official assessments. C3PAOs shall use only authorized or certified CMMC assessors to conduct assessments.

What is a Registered Provider Organization (RPO)?

RPOs and their registered practitioners provide advice, consulting, and recommendations to their clients. Pondurance is an RPO that can provide a CMMC readiness assessment to identify gaps and provide recommendations to prepare your organization for an assessment by a C3PAO.

How Will I Know Which CMMC Level is Required for a Contract?

The DOD will specify the required level in its request for information and request for proposal.

How Will My Organization Become Certified?

DIB companies will select one of the authorized or accredited C3PAOs from the CMMC-AB Marketplace website. The DIB company and the selected C3PAO will coordinate and plan the assessment as well as complete appropriate contractual agreements. After the completion of the assessment, the C3PAO will provide an assessment report and, if there are no deficiencies, issue the appropriate CMMC certificate to the DIB company for the specified certification boundary. The C3PAO will also submit a copy of the assessment report and certificate to the DOD.