CMMC Documentation – Questions and Answers

Posted by: Jenna Brankin June 19, 2020 CMMC, Compliance, Cybersecurity, Documentation, Policy

Last month, Exostar led a webinar, “Documentation and Policy Requirements in CMMC” that had our experts discussing the first step to becoming compliant with CMMC: properly structured IT policies in place to comply with the 17 control families outlined in NIST SP 800-171. Many businesses struggle with understanding the NIST guidelines, as well as requirements contained in CMMC, and don’t have access to the proper resources begin documenting compliant IT policies.  So we had many questions from the audience.  In an effort to help others who may also be struggling with this process, we would like to share those questions and the answers our experts provided.

If you missed the webinar, you can still watch it on-demand at your convenience.


Answers to common questions from the webinar:


Q: As a non-prime, how do we know what level we need to be at?

At this point, we don’t have any written guidance from DoD on how to estimate which CMMC level you will need to attain. DoD has said that if you possess or process CUI you will need at least a CMMC level 3.  Much like with the current DFARS 252.205-7012 clause which requires primes to flow down the requirement to protect CUI, the CMMC will require primes will “flow-down” the level of CMMC maturity level they believe you will need to fulfill your contract.  The difference here is that the CMMC has five levels of maturity, whereas the DFARS clause is a singular requirement. Companies should consider their need to possess and/or store CUI now, to determine if they will need at least a CMMC level 3.


Q: What certifications should we looking for from 3rd party auditors / consultants once they are up and running? How do we separate the fake from the real?

Again, the DoD has not published any official documentation on C3PAO (third-party auditors) certifications and other certifications, however, the CMMC Accreditation Body has published several pre-recorded videos which detail their plan to create CMMC AB certifications. The videos are located on their website:


Q: Is there a place that tells us what exactly is considered CUI?

YES! The CUI registry is the official and definitive list of CUI. If information is not listed or found on the CUI registry, then it is not considered CUI.  The CUI registry is located here:  Each category of CUI has a description along with additional information about marking and potentially other handling requirements for that category of CUI.


Q: How often is the CMMC certification required?

The DoD has said that companies will need the CMMC assessment once every three years.


Q: I have heard that everyone should plan for Level 3 if you have the DFARS clause in your contracts. Is this true?

This isn’t necessarily true. The Defense Contract Management Agency (DCMA) unilaterality modified all DoD contracts and put in the DFARS clause into all contracts.  Not all companies possess, create, store, or process CUI, and therefore those companies won’t necessarily need CMMC Level 3.


Q: We sell manufactured COTS products. Should I expect to need to be Level 1 or 2?

The DoD has recently said that COTS products are exempt from the CMMC requirement.


Q: What are the estimated costs for CMMC certification?

The DoD has thrown around cost estimates for the CMMC audit as well as for the cost of compliance, but those costs have been heavily debated by industry experts. The CMMC auditors will most likely charge by-the-hour for their services.  The cost of implementing CMMC compliance solutions for your company depends on what your current cybersecurity posture is and where you are trying to go.  A company that has less than CMMC level 1 compliance who wants to get to a CMMC Level 4 will have a lot more money to spend than a company who is nearly CMMC Level 3 and wants to achieve a CMMC Level 3.

Official CMMC Documentation

There has been no official CMMC documentation since the CMMC v1.02 was published in March. The CMMC AB has been publishing a series of pre-recorded videos that are released weeks, if not a month, after recording.  These videos give some insight into the CMMC AB process, but again, no official policies or written guidance has been issued by the DoD or the CMMC AB since March.


Q: How can I get started with creating relevant policies that comply with CMMC?

Use Exostar PolicyPro’s 7-day free-trial to get started with your policies.