Last month we presented our “What Suppliers Need to Be Doing Now: CMMC Roll-Out Update” webinar, hosted by Exostar’s Stuart Itkin, Verify’s Kris Carter, and Leidos’ Matt Vespraskas. As CMMC certification will be a requirement for the over 350,000 vendors in the supply chain to the DoD, it was no surprise that we received many questions from our almost 3000 attendees. To help other organizations who may be struggling with the same challenges, we have published the most frequently asked questions from our webinar, along with answers from our experts.
Q: How is Email Hosting supposed to be managed? Are there recommendations such as GCC High that are required to be compliant?
A: Each email hosting provider offers different security controls. You may need to check with hosting providers to see whether they comply with DFARS 252.204-7012. You also need to consider how the hosted email will be used: would it contain only Federal Contract Information (FCI), could it contain CUI, and could it also need to meet requirements for ITAR/EAR? The answers to these questions would help guide any recommendation.
Q: What do you do when most competitions are based on LPTA? It is price driven, so checking the box is all that is required; you will lose on price even though you are providing superior protection.
A: While costs are recoverable, one still needs to win the contract. Having the appropriate level of certification, and not beyond, may help in the case of LPTA.
Q: Will selling COTS through resellers and integrators require CMMC?
A: If you are not in receipt of, able to influence, or creating FCI/CUI on behalf of the U.S. government, then you would not be required to be CMMC certified.
Q: Is there a list of authorized certification authorities for CMMC?
A: This will be available through the CMMC Accreditation Body at http://www.cmmcab.org.
Q: How do we know what level of CMMC Maturity model we need? When will that information be passed down to us? Will it vary from contract to contract?
A: Ultimately, this will be determined by your customer and the information/requirements that they flow to you.
Theoretically, yes, you could see variation in the required CMMC Maturity Level on a per-program basis. However, as the DoD have indicated that only a small number of programs will require Levels 4 and 5, the likelihood is much smaller. This then returns to the question of whether the data in question is FCI (Level 1) or CUI (Level 3).
Q: As a 2nd tier supplier, how do we determine what level of CMMC certification we need, if any?
A: Ultimately, this will be determined by your customer and the information/requirements that they flow to you.
In preparation for this, you could start by identifying whether or not you are receiving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), and what requirements you have already indicated that you have met. Recall that CMMC is still a future requirement for future contracts, and that you are and will remain responsible for your current contractual requirements.
If FCI only, then you would likely be at CMMC Level 1 maturity. If receiving CUI, then you would need to certify at CMMC Level 3 or higher.
Q: How far down the supply chain are the CMMC requirements going to flow?
A: The stated intent (by DoD) is that ALL tiers who handle or influence FCI/CUI will be included as appropriate to the data involved.
Q: Having been CMMI level 5 certified, does this help with CMM validation level at all?
A: Reciprocity discussions are currently underway for a number of existing standards and models.
Q: Will it be a requirement by the government and primes to consistently and reliably identify and label contracts and documentation that contains CUI?
A: Per DoD instruction, DoD requires contractors to identify whether any of the information is CUI via the contracting vehicle, in whole or part, and to mark such documents, material, or media in accordance with this issuance. Please check section 5 at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520048p.PDF?ver=2020-03-06-100640-800.
CMMC also requires appropriate marking and labeling of FCI/CUI.
Q: There has been a lot of confusion around what COTS suppliers need to do. We have heard that Level 1 might be required. Can you provide any guidance? What will COTS suppliers need to do?
A: The DoD have indicated that if no FCI or CUI is received by the COTS supplier, then they will not require CMMC certification. See CMMC FAQ #19 at https://www.acq.osd.mil/cmmc/faq.html.
If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.
Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
Q: Once certified, does CMMC require an annual re-certification like ISO Certification?
A: Barring new information, the CMMC certification will be valid for three (3) years.
Q: With the roll-out of CMMC, is the DFARS 7012 requirement going to be updated to account for CMMC, replace the NIST 800-171 aspects, and reference the correct set of requirements?
A: At publication date, the DFARS draft language has not been made public. The DoD have indicated that it should be available for comment in early July 2020.
Q: Is freight/transportation a key element to supply chain?
Q: Our company is a large distributor with service center locations in CONUS. Will all locations need certification or just our corporate headquarters as all locations align there?
A: It depends on the scope of the DoD contract. If FCI/CUI of the contract is distributed to all locations, all locations need CMMC certification.
Q: Is there any deadline that we need to be compliant on?
A: The DoD have indicated that all suppliers need to be certified at the time of contract award.
Q: At a conference, we were warned not to sign up for CMMC assistance from companies that reach out to you saying they can certify you. How do you know who can/can’t? Will an approved list be distributed?
A: At time of publication, there are NO companies that can certify you. When there are, they will be identified on the CMMC AB website (http://www.cmmcab.org).
Q: How does CMMC apply to small businesses, specifically ones that are 100% service-based, performing 100% of their services at the customer facility?
A: The stated intent (by DoD) is that ALL tiers who handle or influence FCI/CUI will be included as appropriate to the data involved. If in receipt of or able to influence FCI/CUI, then they may be in scope. If, however, they are not in scope, then they will not require CMMC certification.
Q: How do smaller companies manage the cost associated with CMMC? How do we know what certification level is appropriate for our business?
A: The DoD have indicated that 1) CMMC is an allowable cost; however, 2) you have already indicated that you were meeting the majority of the CMMC requirements when you received DFARS 252.204-7012 in existing contracts.
More practically, engage with your customers to determine whether you need to be in receipt of the data that would require you to be CMMC certified. You may be able to have your data packages reassessed so as to reduce the requirement. Additionally, they may have alternate means of collaborating with you that reduce or remove this requirement. Lastly, contact your local SBA office for resources on this subject.
Q: Once you feel you are compliant, who issues the certification? Is there an agency that takes lead for this or is this something we have to pay for whatever level we state we are at?
A: Please check the CMMC AB website: https://www.cmmcab.org/osc-lp.
Q: For Incident reporting – Medium Certification was mentioned; what is that and is it required prior to CMMC certification?
A: At time of publication, the incident reporting requirement remains within the DFARS 252.204-7012 clause in existing contracts. We are awaiting a rewrite of this rule that may alter how this operates for future contracts.
Information on the Medium Assurance Certificate and the reporting process can be found here: https://dibnet.dod.mil/portal/intranet/
Q: When will an authoritative resource be available to provide specific answers to specific questions?
A: While DoD and the CMMC AB have representatives highly engaged with industry, it is best to submit inquiries through their respective websites.
Q: My company stores all documents that are not ITAR related on Google Drive. Is that going to be acceptable to get certified?
A: If you store CUI in Google Drive, Google Drive needs to comply with DFARS 252.204-7012. Please check with Google to see whether it complies with DFARS 252.204-7012.
Q: Will a public register of all suppliers’ CMMC certification be available?
A: DoD have indicated that this information should not be made public; however, industry have also presented similar questions on how they are to track and choose from available suppliers. This remains an open dialogue.
Q: If I don’t pay for a 3rd party GAP and have a C3PAO certification and do not pass, if I remediate in time, isn’t there a chance I would not have to pay anything besides remediation (due to the allowable expense)?
A: Our recommendation would be that you not wait to start on this process. Depending on the CMMC certification level, industry experts are suggesting starting 6+ months prior to requiring certification. As currently outlined by the CMMC AB, you would have 90 days to remediate certification assessment findings.
Please do not forget: if you are currently receiving DFARS 252.204-7012, you have already attested to having met the majority of the requirements contained within CMMC.
Q: What level of disruption is expected to the supply chain? How can CMMC avoid “killing” off vendors? With hundreds of thousands of government suppliers, how can cert entities get all certs done in a year?
A: DoD officials have indicated that only 10-15 programs will be impacted in the first year of implementation. Then, over an additional four (4) years, additional contracts will contain the new requirement. Based upon this phased implementation and the increasing number of CMMC credentialed assessors, DoD do not foresee there being a challenge to meet the certification demand.
Industry has been, and will continue to be, engaged with DoD and the CMMC AB throughout this process. There remain open items related to the CMMC implementation and open dialogue on how best to create minimal disruption to the supply chain.
Q: Will CMMC replace Exostar’s Cybersecurity questionnaire? Deconflicting the two standards will require a lot of extra, needless investment of company resources.
A: CMMC does not replace the prime’s current need to run their Tier 1 supplier 800-171 evaluation process for existing contracts, and for new contracts that do not initially include CMMC requirements. Over a period of years, once CMMC is fully implemented, it is expected that 800-171 supplier attestations will become unnecessary. Regarding the use of the CSQ based on the AIA standard, it may or may not continue to be used, as it is also used for non-DoD suppliers in the aerospace industry.
Q: Is there a list of requirements broken down by certification level? It sounds like the requirement is still being finalized based on the discussion here?
A: The CMMC model was finalized and released in January 2020 and can be found here: https://www.acq.osd.mil/cmmc/
Q: If someone who is not certified level 3 wins a contract that mandates level 3, what happens next? Do they just keep moving down the list until they find someone who is?
A: This will be up to the procurement officer (at DoD or your customer) and their internal processes.
Q: If our suppliers don’t receive any CUI from us, do they need to be CMMC certified?
A: If there is no FCI or CUI present or being influenced by these suppliers, then no.
Q: How does ISO27001 play into CMMC requirements?
A: This ISO standard may fall under the reciprocity discussions that are currently underway. However, it is our expectation that there will be gaps between most certifications that will need to be assessed to gain CMMC certification.
Q: Who are considered Prime?
A: Those organizations who work directly with the U.S. DoD and then have subcontractors or tiers working under their contract.
Q: What is the best way to learn what the controls mean?
A: CMMC uses the terms “practices” and “processes” rather than “controls.”
Please check https://www.acq.osd.mil/cmmc/draft.html to understand CMMC terms.
Q: We have already spent a ton of time and money getting to the requirements of the new DFARS cyber security requirements. Does meeting that put you close to any specific Level?
A: CMMC Level 3 is largely made up of the requirements identified in NIST SP 800-171. The current DFARS 252.204-7012 clause names this same NIST standard as a requirement. So, if you have met all of the NIST requirements, you are well on your way.
Q: Will the Primes help their subs get certified? Will they start informing what materials are CUI, so we know what to protect?
A: You may contact your prime for more information.
Per the DoD CUI instruction (DoDI 5200.48), whenever DoD provides information to contractors, it (“contractor”) must identify whether any of the information is CUI via the contracting vehicle, in whole or part, and mark such documents, material, or media in accordance with this issuance. Please check here for CUI requirements.
Q: Where can you find a good list of CUI for businesses?
A: The National Archives and Records Administration (“NARA”) updates and maintains the CUI Categories. Please visit https://www.archives.gov/cui/registry/category-list.
Q: What about the fact that we can download all sorts of CUI/FOUO from public websites hosted by Primes and DoD?
A: If you download CUI from Primes or DoD, you need to comply with DFARS 252.204-7012.
Q: Who will host the CMMC training courses this year and when will the courses begin? Would you post this information for us all?
A: No information about CMMC training courses has been made available yet.
Q: By what date will DoD contractors need to achieve ML3?
A: DoD contractors (and subtiers) will be required to achieve the requisite CMMC maturity level identified within the contract prior to its award. DoD officials have indicated that they will start with 10-15 contracts in the latter part of 2020 and phase in new contracts over the following four (4) years.
Q: How does this relate to the security controls in eMASS? Security controls are used to assess ATOs?
A: The Enterprise Mission Assurance Support Service (eMASS) is a service-oriented computer application that supports Information Assurance (IA) program management and automates the DoD Information Assurance Certification and Accreditation Process (DIACAP) and the Risk Management Framework (RMF) process. RMF is designed based on NIST 800-37 and 800-53. Per the DoD CMMC mapping, many CMMC practices refer to NIST 800-53.
Q: Is there data available to show overlap between NIST/CSC and CMMC requirements? We’re already level 3 on NIST and CSC and don’t want to duplicate the work.
A: Several industry groups provide crosswalks between standards, but the authoritative source mappings can be found within the CMMC model, Appendix E.
Reference link: https://www.acq.osd.mil/cmmc/
Q: What are your thoughts on an IT distributor like Ingram pursuing CMMC certification?
A: Typically, Ingram operates as a distribution house for items that would be classified as COTS. Assuming it is not in receipt of FCI or CUI, the decision would then largely depend upon the perceived ROI of CMMC certification. Also note that DoD officials have indicated that you are not to publicly portray your certification level, only that you are CMMC certified.
Q: I understand that DCMA will be performing CMMC compliance audits prior or parallel to the 3rd party certification audits. Can you tell me when the DCMA audits are expected to start and how they will implement contracts; i.e., new FAR clauses?
A: The DCMA team have been conducting audits to DFARS 252.204-7012 (specifically NIST SP 800-171) since Summer 2019. They are not auditing to CMMC at this time, nor has it been publicly discussed that they would start doing so. These audits are exercised under existing contracts and related language.
Q: Can you tell me the relationship between NIST SP 800-171 to DFARS 252.204-7012?
A: The Defense Federal Acquisition Regulation Supplement, or DFARS, has been working to encourage DoD contractors to proactively comply with certain frameworks in order to safeguard covered defense information. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, was a mandatory addition.
Under the clause, all contractors must comply with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), a framework that lays out how contractors must protect sensitive defense information and report cybersecurity incidents.
If you have additional questions, please feel free to reach out to us at firstname.lastname@example.org.