CMMC FAQs Part 1 – OUSD A&S

This article highlights some of the key CMMC FAQs published by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S) on the Cybersecurity Maturity Model Certification. Download our CMMC FAQ Guide for the full list of frequently asked questions.

As part of our continued commitment to helping organizations prepare for CMMC, we are curating some of the most relevant frequently asked questions from authorized resources and providing an overview of them in our CMMC FAQ series.

What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.

What is Controlled Unclassified Information (CUI)?

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

CUI is a newer term that applies to all Executive Branch agencies. Before the term “CUI” was established, each agency used its own internal terminology to describe the same information. Retired terms include Unclassified Controlled Technical Information (UCTI), For Official Use Only (FOUO), Sensitive but Unclassified (SBU), and others.

CUI encompasses two other categories of data: Covered Defense Information (CDI) and Controlled Technical Information (CTI). CDI is information that is marked and subject to the protections outlined in DFARS Clause 252.204-7012. CTI is technical information with a military or space application that is subject to the distribution controls of DoDI 5230.24. All CDI and CTI are CUI, but not all CUI is CDI or CTI.

A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and https://www.dodcui.mil/Home/DoD-CUI-Registry/ and includes the following organizational index groupings:

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • NATO
  • Nuclear
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax

Resources, including online training to better understand CUI, can be found on the National Archives’ website at https://www.archives.gov/cui/training.html as well as the Department of Defense’s website at https://www.dodcui.mil/.

Why was CMMC created?

The Department of Defense (DoD) is migrating to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector. The CMMC is intended to serve as a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

When is the interim Defense Federal Acquisition Regulation Supplement (DFARS) rule implementing CMMC (DFARS Case 2019-D041) effective?

The interim rule became effective on November 30, 2020. The public review and comment period for DFARS Case 2019-D041 ended on November 30, 2020. Due to its designation as a major rule change, the interim rule must also complete a Congressional Review.

What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?

CMMC Level 3 includes the 110 security requirements specified in NIST SP 800-171. The CMMC Model also incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM).

How will CMMC be different from NIST SP 800-171?

Unlike NIST SP 800-171, the CMMC model has five levels. The model is cumulative: each level consists of its own practices and processes plus all of those specified in the lower levels. The CMMC Model also includes cybersecurity practices beyond the security requirements specified in NIST SP 800-171. In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will assess the maturity of the company’s processes.

Will there be a self-certification?

No, there are no self-certifications for CMMC. However, DIB companies are encouraged to complete a self-assessment based on the CMMC Assessment Guides prior to scheduling a CMMC assessment. The Department of Defense posts versions of the CMMC Assessment Guides on its website.

How often does my organization need to be reassessed?

In most cases, a CMMC certificate will be valid for 3 years.

My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?

If a DIB company does not possess, store, or transmit CUI but possesses Federal Contract Information (FCI), it is required to meet FAR clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.

I am a subcontractor on a DoD contract. Does my organization need to be certified?

If the DoD contract carries a CMMC requirement and your company does not solely produce COTS products, you will need to obtain a CMMC certificate. The level of the CMMC certificate depends on the type and nature of the information flowed down from your prime contractor.

How will I know what CMMC level is required for a contract?

The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).

What is the Department’s phased rollout plan for CMMC?

The Department is implementing CMMC through a phased rollout approach. Until September 30, 2025, the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in any solicitation.

The Department is currently working with military Services and Defense Agencies to identify candidate programs that will implement CMMC requirements during the FY2021-FY2025 phased rollout. During the first year of the rollout, the Department will require no more than 15 new Prime acquisitions to meet CMMC requirements as part of a CMMC pilot program. These contracts will focus on mid-sized programs that require the contractor to process or store CUI (CMMC Level 3). Primes will be required to flow down the appropriate CMMC requirement to their subcontractors.

For subsequent fiscal years of the rollout, the Department intends to incorporate CMMC Levels 4 and 5 on a small number of contracts while increasing the quantity of Prime acquisitions that include a CMMC requirement to year-by-year targets. The full list of targets can be found at https://www.acq.osd.mil/cmmc/faq.html.


How Can Schneider Downs Help?

Schneider Downs currently offers CMMC readiness and consulting services as a Registered Provider Organization (RPO). Our team includes a Certified CMMC Provisional Assessor and several other members currently in the process of applying for CMMC Certified Assessor status who plan on completing training in Q2 of 2021. Organizations Seeking Certification (OSCs) should note that, per CMMC-AB standards, a single firm cannot perform both consulting and assessment services for the same client. In the meantime, until the final requirements are made public, we can help your organization prepare for CMMC by performing an assessment against the NIST SP 800-171 framework.

For more information visit www.schneiderdowns.com/cmmc or contact the team at [email protected].

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
