Frequently Asked Questions

Most commonly asked CMMC and DoD related questions

What level of certification will be required?

According to the Department of Defense FAQ:

"The DoD will specify the required CMMC level in Requests For Information (RFIs) and Requests for Proposals (RFPs)"

Generally, it is expected that most contractors within the Defense Industrial Base (DIB) supply chain will only need to achieve a Level 1 certification, while those handling CUI will need a Level 3 certification. Only a very small fraction of the DIB is expected to need a certification higher than Level 3.

Level 1 certification is required for access to Federal Contract Information (FCI). FAR 52.204-21 defines federal contract information as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as that necessary to process payments.

Level 3 certification or higher is required for access to Controlled Unclassified Information (CUI). The CUI program was established by Executive Order 13556. CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

What should I be doing?

Review the framework. Treat it as a series of questions and honestly answer where your organization stands today. Then consider what actions you can take to reach the level of compliance you need. If you do not have the resources or time internally to complete this process, find an external advisor to help you prepare. It is important to start now: part of the assessment process includes evaluating whether the practices in place are established. In other words, you will need to be able to demonstrate that you have been practicing these standards for a period of time before an assessor completes a review, not just that you put them in place shortly beforehand.

How often will it have to be done?

According to the Department of Defense FAQ:

"In general, a CMMC certificate will be valid for 3 years"

More answers to frequently asked questions about the Cybersecurity Maturity Model Certification (CMMC) can be found at the Office of the Under Secretary of Defense for Acquisition & Sustainment.