FAQ About CMMC

1. What are the cybersecurity concerns for DoD contractors?

The aggregate loss of controlled unclassified information (CUI) from the DIB sector increases risk to national economic security and in turn, national security.  In order to reduce this risk, the DIB sector must enhance its protection of CUI in its networks.

The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 Billion in 2016 [Ref: “The Cost of Malicious Cyber Activity to the U.S. Economy, CEA” in February 2018].

The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 Billion, nearly 1% of global GDP, may be lost to cybercrime each year. The estimate is up from a 2014 study that put global losses at about $445 Billion. [Ref: “Economic Impact of Cybercrime - No Slowing Down” in February 2018]. (source OUDS A&S website)

2. What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that ranges from “Foundational” to “Advanced.”  The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.

3. Why is the CMMC being created?

DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). In addition to contractors self-certifying, the CMMC will provide a framework for 3rd party verification to ensure appropriate levels of cybersecurity practices and processes are in place to protect sensitive information that resides on the Department’s industry partners’ networks.

4. What is CUI?

Controlled unclassified information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

5. How is CMMC different from NIST SP 800-171?

CMMC Level 2 encompasses the 110 security requirements specified in NIST SP 800-171. Unlike NIST SP 800-171, the CMMC model possesses three levels.  Each level consists of practices and processes as well as those specified in lower levels.

In addition to assessing a company’s implementation of cybersecurity practices, CMMC will also assess the company’s institutionalization of cybersecurity processes.

6. How will my company become certified?

The Cyber Accreditation Body (Cyber AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors.  The Cyber AB will also provide a list of approved consulting companies or Registered Provider Organizations (RPOs) that can help your company prepare for a formal CMMC assessment. For the information and updates, see their website (www.cyberab.org).

The Cyber AB established a Marketplace that includes a list of approved companies and individuals for your certification needs.  DIB companies are able to select one of the approved companies or certified individuals for assessment preparation consulting or to schedule a formal CMMC assessment with a C3PAO for a specific level.

7. Can my company perform our own preparation without hiring a consulting company?

Yes, but... You may indeed have highly qualified internal staff but there is a level of risk. An RPO or consulting company has been trained, approved, bound by a Professional Code of Conduct and are listed in the Marketplace of the Cyber AB website as a company to be trusted. An assessment preparation consultant will know the CMMC requirements, how to prepare your company with documentation and appropriate evidences, have a thorough understanding of the assessment process, and can lead a Readiness Review.