CMMC Overview: What Government Contractors Need to Know to Prepare Webinar: Q&A
November 2, 2021
Do you know what it takes to become CMMC certified? On October 28, 2021, the Director of our CMMC Advisory practice, Azunna Anyanwu, led an overview of the Cybersecurity Maturity Model Certification (CMMC). Find responses to the questions asked during the presentation below.
- Do you expect that civilian agencies (non-DoD) will also require CMMC certification?
- Yes. Other federal agencies are interested in adopting this framework and are planning limited implementations of it. GSA has included CMMC requirements in the STARS III and Polaris GWACs (Washington Technology). DHS is also evaluating a CMMC-like cyber compliance program (FedScoop).
- Which levels require audits/3rd party certification?
- All 5 levels of CMMC currently require certification by a third party (C3PAO). However, the CMMC program is under review by the DOD, including the requirement to use “independent auditors versus [Defense Contract Management Agency] versus self-attestation” (FCW).
- Do companies not handling CUI need to be certified?
- Yes, CMMC includes a minimum certification requirement for contractors to protect Federal Contract Information (FCI). This is reflected as CMMC Maturity Level 1.
- Is acquiring the different levels of the CMMC a continuous process? By that I mean, if I need a level 3 certification, do I have to first acquire levels 1 and 2?
- No, each certification is discrete, so you can pursue CMMC ML3 without first going through certification at levels 1 and 2.
- How will we know the certification level required for a contract?
- Per the CMMC FAQ, “The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).”
- As a provider, can Aprio also perform the assessment?
- As a Registered Provider Organization (RPO), Aprio can perform informal assessments (that do not lead to certification). These assessments can be supplemented with recommendations and advice to resolve outstanding gaps. However, only a Certified Third Party Assessor Organization (C3PAO) can perform an assessment that leads to a CMMC certification. C3PAOs are unable to provide recommendations to remediate findings during a formal assessment.
- For SPRS what is the DFAR clause that requires this?
- DFARS clause 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements (gov).
- You intimated that the Government might use a contractor’s score on SPRS to support contract decisions such as contract award, option exercise, etc. Do you believe that is likely?
- Yes. DFARS clause 252.204-7019(b) states: “In order to be considered for award, if the Offeror is required to implement NIST SP 800-171, the Offeror shall have a current assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) (see 252.204-7020) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.” DOD also distinguishes between a Basic assessment (conducted by the contractor) and a Medium/High assessment (performed by Government personnel). So it is certainly likely that DOD will consider the SPRS score in awarding contracts or exercising option periods, and/or include the SPRS score as an evaluation criterion in future awards.
- It is my understanding that there are currently only 4 certified assessors/auditors and at least 150,000 firms that will require CMMC L3. How will the audit/certification realistically occur within the projected timeline?
- As of October 2021, there are 5 C3PAOs (assessment organizations) and about 100 assessors. The DOD and CMMC-AB are aggressively working to scale the CMMC ecosystem to meet future demand.
- Is there a model or framework for how the evolution of CMMC will work? How will new requirements be defined, communicated, and re-assessed?
- The DOD owns the CMMC framework and updates to the model will likely be communicated via https://www.acq.osd.mil/cmmc/. For example, the current version of the model is v1.02 which was released March 18, 2020. If history is any guide, DOD will submit revisions to the model to industry to provide feedback as they did during the initial creation of CMMC.
- Do the reporting requirement and subsequent fines flow up from subs to the prime?
- Like other contract clauses, we expect CMMC requirements will flow down from primes to subs. With respect to the recent Civil Cyber-Fraud Initiative from the US Department of Justice, it is unknown how fines will be enforced for primes vs. subs. For example, if a subcontractor failed to follow cybersecurity standards, the DOJ may have to go through the prime contractor to assess the fine (since the prime owns the contracting relationship with the government). It will then be up to the prime contractor how to allocate those fines to subcontractors (especially where the sub is solely or primarily responsible for causing the fine).
- With a very small company that doesn’t have their own servers, etc., some of the 130 processes just don’t apply. How do you document that? Is an explanation why it doesn’t apply to your company a sufficient artifact?
- In general, the company will need to document that by policy or procedure a particular security control does not apply. For example, there is a practice requiring securing wireless access (WiFi). If an organization does not allow/have WiFi in their environment, they would need to have documentation to that effect AND demonstrate how they enforce that policy (e.g. how do you prevent rogue Wireless Access Points from being added to your network).
- We use SaaS products to assist in the monitoring of our networks/cloud systems, but they are not pursuing CMMC certification. As a SaaS provider of network admin software, they technically have access to our systems – so do SaaS products fall under the COTS exemption?
- You will need to determine whether the SaaS provider is in scope for your assessment (i.e. within your defined system boundary). This is likely the case if it is involved in the processing or transmission of Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). However, if you are simply using a service/product to secure your environment – e.g. a managed detection and response (MDR) product – that product is simply a technical control supporting a security practice. There is no expectation that the provider of that service/product also needs to be CMMC certified.
- What about solopreneur companies providing only training and education services to the federal government? Will we have to comply with the CMMC standards for providing these services?
- It depends. CMMC is required for all government contractors with the exception of those providing COTS products OR for micro-purchase contracts (currently $10,000 or less). For all other contracts, you will be required to comply with CMMC standards (at a minimum of CMMC Maturity Level 1).
- If the subcontractor is only doing “basic research”, e.g., a University, are flow down clauses required?
- The type of subcontract work is unlikely to affect the clauses flowed down to the subcontractor. However, it is recommended you discuss with your Prime contractor.
- How can foreign companies be certified?
- Per National Defense, CMMC will be “applied to foreign contractors that do business directly with the Defense Department or as part of its supply chain. The CMMC Accreditation Body is working to stand up Third Party Assessor Organizations (C3PAOs) in foreign locations to allow companies to receive certifications. It will likely not be a quick process, however.”
Got questions? Connect with an experienced Aprio advisor today.