[vc_row css=”.vc_custom_1712841951971{margin-top: -60px !important;}”][vc_column][vc_column_text]
CMMC 2.0 UPDATES:
Our Frequently Asked Questions have been updated to reflect the most recent information provided by the CMMC-AB and the Department of Defense.
[/vc_column_text][vc_column_text]
Cybersecurity Maturity Model Certification
On March 18, 2020, the Department of Defense (DoD) released Version 1.02 of the Cybersecurity Maturity Model Certification (CMMC) document, as a replacement for Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.Since that time federal contracting companies have been inquiring about CMMC, and asking questions about this topic. To help contractors, clients, and potential prospects, Edwards Performance Solutions has provided a list of the most frequently asked questions (FAQ) and DoD related questions below.[/vc_column_text][vc_raw_html]JTNDZGl2JTIwY2xhc3MlM0QlMjJ2Y19idG4zLWNvbnRhaW5lciUyMHZjX2J0bjMtbGVmdCUyMiUzRSUzQ2ElMjBjbGFzcyUzRCUyMnZjX2dlbmVyYWwlMjB2Y19idG4zJTIwdmNfYnRuMy1zaXplLW1kJTIwdmNfYnRuMy1zaGFwZS1zcXVhcmUlMjB2Y19idG4zLXN0eWxlLWN1c3RvbSUyMiUyMHN0eWxlJTNEJTIyYmFja2dyb3VuZC1jb2xvciUzQSUyMCUyMzE1MTI0MCUzQiUyMGNvbG9yJTNBJTIwJTIzZmZmZmZmJTNCJTIyJTIwaHJlZiUzRCUyMmh0dHBzJTNBJTJGJTJGZWR3cHMuY29tJTJGd2hhdC13ZS1kbyUyRmN5YmVyc2VjdXJpdHklMkZjeWJlcnNlY3VyaXR5LW1hdHVyaXR5LW1vZGVsLWNlcnRpZmljYXRpb24lMkYlMjIlM0VSRVRVUk4lMjBUTyUyMENNTUMlMjAlRTIlODAlQkElM0MlMkZhJTNFJTNDJTJGZGl2JTNF[/vc_raw_html][vc_separator color=”custom” border_width=”2″ accent_color=”#020242″][/vc_column][/vc_row][vc_row][vc_column][vc_tta_accordion style=”modern” active_section=”0″ collapsible_all=”true” title=”CMMC 2.0″][vc_tta_section title=”Now that CMMC 2.0 is published, will companies be required to comply with CMMC 1.0?” tab_id=”1703814736118-18ca1118-815c”][vc_column_text]The short answer is no. According to The Cyber AB, CMMC 1.0 has been “OBE” (overcome by events). With that said, the majority of requirements of CMMC 1.0 will be implemented in CMMC 2.0.
The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The Department does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process.
Once CMMC 2.0 is codified through rulemaking, the Department will require companies to adhere to the revised CMMC framework according to requirements set forth in regulation.[/vc_column_text][/vc_tta_section][vc_tta_section title=”When will CMMC 2.0 be required for DoD contracts?” tab_id=”1703814736118-bcc19116-c2f5″][vc_column_text]The publication of materials relating to CMMC 2.0 reflect the Department’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.[/vc_column_text][/vc_tta_section][vc_tta_section title=”Why did the Department make these changes?” tab_id=”1703815471988-9f1745e6-fd0d”][vc_column_text]The Department values feedback from industry, Congress, and other stakeholders and received over 850 public comments in response to the interim rule establishing CMMC 1.0. These comments focused on the need to enhance CMMC by (1) reducing costs, particularly for small businesses; (2) increasing trust in the CMMC assessment ecosystem; and (3) clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards. CMMC 2.0 was designed to meet these goals, which also contribute toward enhancing the cybersecurity of the defense industrial base.[/vc_column_text][/vc_tta_section][vc_tta_section title=”How much will it cost to implement CMMC 2.0?” tab_id=”1703815665093-2dd3e628-e831″][vc_column_text]The Department will publish a comprehensive cost analysis associated with each level of CMMC 2.0 as part of rulemaking. Costs are projected to be significantly lower relative to CMMC 1.0 because the Department intends to (a) streamline requirements at all levels, eliminating CMMC-unique practices and maturity processes, (b) allow companies associated with the new Level 1 (Foundational) and some Level 2 (Advanced) acquisition programs to perform self-assessments rather than third-party assessments, and (c) increase oversight of the third-party assessment ecosystem.[/vc_column_text][/vc_tta_section][vc_tta_section title=”How will my organization know what CMMC level is required for a contract?” tab_id=”1703817009325-a051b8c1-f3f6″][vc_column_text]Once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.[/vc_column_text][/vc_tta_section][vc_tta_section title=”What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?” tab_id=”1703817170975-6f0294c4-c4a9″][vc_column_text]Under CMMC 2.0, the “Advanced” level (Level 2) will be equivalent to the NIST SP 800-171r2 which is carried into The Cyber AB Level 1 and Level 2 Assessor Guides with a CMMC-specific numbering system. The “Expert” level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.[/vc_column_text][/vc_tta_section][vc_tta_section title=”How frequently will assessments be required?” tab_id=”1703817319887-6d2a269d-db07″][vc_column_text]Once CMMC 2.0 is implemented, self-assessments, associated with Level 1 and a subset of Level 2 programs, will be required on an annual basis. Third-party and government-led assessments, associated with some Level 2 and all Level 3 programs, will be required on a triennial basis.[/vc_column_text][/vc_tta_section][vc_tta_section title=”Who will perform third-party CMMC assessments?” tab_id=”1703817369959-c7838ae7-7686″][vc_column_text]Once CMMC 2.0 is fully implemented, DoD will only accept CMMC assessments provided by an authorized and accredited C3PAO and C3PAOs shall use only Certified CMMC Assessors (CCAs) for the conduct of CMMC assessments.[/vc_column_text][/vc_tta_section][vc_tta_section title=”Will my organization need to be certified if it does not handle CUI?” tab_id=”1703817501351-8d30bfed-b3d6″][vc_column_text]DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.[/vc_column_text][/vc_tta_section][vc_tta_section title=”Will CMMC certifications and the associated third-party assessments apply to a classified systems and / or classified environments within the Defense Industrial Base?” tab_id=”1703817578580-61422389-3fb7″][vc_column_text]CMMC only applies to DIB contractor’s unclassified networks that process, store or transmit FCI or CUI.[/vc_column_text][/vc_tta_section][vc_tta_section title=”Will the results of my assessment be public? Will the DoD see my results?” tab_id=”1703817702562-c7476456-9d65″][vc_column_text]No, the results will not be made public. Once CMMC 2.0 is fully implemented, the DoD will have access to information and data relating to a company’s assessment, to include the assessment results and final report. The DoD will store all self-assessment results on SPRS. CMMC certificates and the associated third-party assessment data will be stored in the CMMC Enterprise Mission Assurance Support Services (eMASS) database. CMMC eMASS will automatically post a copy of a company’s CMMC certificate to the Supplier Performance Risk System (SPRS). The detailed results of a CMMC assessment will not be made public.
If a company voluntarily chooses to obtain a CMMC assessment and certification from a third-party assessment organization in the absence of a contractual requirement, the company must provide written consent to allow DoD access to or use of those assessment results. If a company consents to DoD access and use of data relating to the assessment, then DoD intends to store that information on eMASS.[/vc_column_text][/vc_tta_section][vc_tta_section title=”How much will CMMC certification cost?” tab_id=”1703817777318-959d8b7f-1ba7″][vc_column_text]The CMMC assessment costs will depend upon several factors including the CMMC level, complexity of the DIB company’s unclassified network for the certification boundary, and market forces. DoD will develop a new cost estimate associated with CMMC 2.0 to account for the changes made to the program which will be published on the Federal Register as part of the rulemaking process.[/vc_column_text][/vc_tta_section][vc_tta_section title=”What is the difference between a CMMC self-assessment and a basic assessment required as part of the DoD Assessment Methodology?” tab_id=”1703817868301-7aa43938-571c”][vc_column_text]A CMMC self-assessment will apply to those companies that are only required to protect the information systems on which FCI is processed, stored or transmitted; and a subset of companies that are required to protect CUI. The CMMC self-assessment should be completed using the CMMC Assessment Guide codified in 32 CFR for the appropriate CMMC level. A CMMC self-attestation is a representation that the offeror meets the requirements of the CMMC level required by the solicitation. The CMMC program will require an annual self-assessment and an annual affirmation by a senior company official.
A “Basic Assessment”, as defined in DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, means a contractor’s self-assessment of the contractor’s implementation of NIST SP 800-171 that:
- Is based on the Contractor’s review of their system security plan(s) associated with covered contractor information system(s);
- Is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology; and
- Results in a confidence level of “Low” in the resulting score, because it is a self-generated score.
[/vc_column_text][/vc_tta_section][vc_tta_section title=”How will CMMC apply to non-U.S. companies?” tab_id=”1703818004286-81af8b06-a46b”][vc_column_text css=””]CMMC will be mandatory for any organization, including non-U.S. companies, that works with the U.S. Department of Defense and much of its supply chain. However, many U.S. allies are expected to adopt similar cybersecurity standards in the future, with reciprocity agreements likely in place. This means that a certification obtained in one country could potentially satisfy CMMC requirements, simplifying the compliance process for companies operating across multiple jurisdictions.[/vc_column_text][/vc_tta_section][vc_tta_section title=”What is the Department’s intent regarding acceptance agreements between CMMC and other cybersecurity standards and assessments?” tab_id=”1703818115031-5e30d45d-554c”][vc_column_text]The Department is pursuing development of acceptance standards between CMMC and other cybersecurity standards and assessments, to include between CMMC Level 2 (Advanced) and the NIST SP 800-171 DoD Assessment Methodology for the high assessment confidence level, as well as CMMC Level 2 and the GSA Federal Risk and Authorization Management Program (FedRAMP) requirements for commercial cloud service offerings.
Furthermore, DoD is working with international partners to coordinate on potential agreements between CMMC and their respective cybersecurity programs.
Any such equivalencies or acceptance standards, if established, will be implemented as part of the rulemaking process.[/vc_column_text][/vc_tta_section][/vc_tta_accordion][/vc_column][/vc_row][vc_row][vc_column][vc_tta_accordion style=”modern” active_section=”0″ collapsible_all=”true” title=”CMMC 101″][vc_tta_section title=”Where can I get the latest information about CMMC?” tab_id=”1703866464103-ea12271b-6fd4″][vc_column_text]The Cyber AB website and newsletter provide the latest information. Edwards website also adds regular updates to our dedicated CMMC webpage explaining how updates can potentially affect your organization, and how we can help.[/vc_column_text][/vc_tta_section][vc_tta_section title=”What is the current version of the CMMC Model?” tab_id=”1703866464104-00410e11-0320″][vc_column_text]There are three components to understanding the CMMC Model – the CMMC Model itself, the CMMC Assessment Guide, and the NIST 800-171r2 Framework. Visit The Cyber AB and NIST for the most recent versions.[/vc_column_text][/vc_tta_section][vc_tta_section title=”What is an APP?” tab_id=”1703866464104-8672ea82-149c”][vc_column_text css=””]An Approved Partner Publisher (APP) provides the materials for Approved Training Partners (ATPs), used by their Certified Instructors for training Certified CMMC Professionals and Certified CMMC Assessor applicants.[/vc_column_text][/vc_tta_section][vc_tta_section title=”What is an ATP?” tab_id=”1703866464104-0af7a5ab-d5ea”][vc_column_text css=””]Approved Training Providers (ATPs) are private companies that specialize in cybersecurity assessments and professional instruction (like Edwards), as well as the universities, community colleges, and other learning institutions that train Certified CMMC Professionals and Certified CMMC Assessors.[/vc_column_text][/vc_tta_section][vc_tta_section title=”What is a C3PAO?” tab_id=”1703866464106-b5ae5855-7cac”][vc_column_text]CMMC Third-Party Assessment Organizations (C3PAOs) are organizations employing Certified Assessors (CAs) and Certified Professionals (CPs), ensuring they adhere to The Cyber AB Code of Professional Conduct. C3PAOs provide quality assurance of the assessment process and results, and presents them for final certification to The CyberAB. C3PAOs themselves must meet stringent standards, internal CMMC certification, and can be verified on the CMMC marketplace if they are currently an approved CMMC provider.[/vc_column_text][/vc_tta_section][vc_tta_section title=”How can I find accredited Approved Partner Publisher (APP) organizations?” tab_id=”1703866464107-6b1fc888-76f8″][vc_column_text css=””]The Cyber AB approves APPs to deliver certification curriculum and publish a list on the Marketplace Edwards is proud to be an APP, and we now have our second Cyber AB approved publication: the CMMC Certified Professional Field Guide and Exam Prep Manual based on CMMC 2.0. Visit our training portal for upcoming courses.[/vc_column_text][/vc_tta_section][vc_tta_section title=”Why should an Organization Seeking Certification (OSC) engage an Registered Provider Organization (RPO) to provide CMMC consulting services?” tab_id=”1703866464108-18134867-9c30″][vc_column_text]Many OSCs need a trusted consultant to support their CMMC journey from preparation through certification. RPOs employ credentialed Registered Practioners, who are qualified to provide CMMC consulting and support to OSCs in the Defense Industrial Base (DIB). The Cyber AB created the RPO designation to provide approved organizations known for their quality and dedication to CMMC standards. Edwards is an RPO, listed on the CMMC marketplace, and has RPs on staff.[/vc_column_text][/vc_tta_section][vc_tta_section title=”Is there a list of accredited Certified Third-Party Assessor Organization (C3PAOs)?” tab_id=”1703866464109-f5298a81-136b”][vc_column_text]A comprehensive list is available on The Cyber AB Marketplace. Edwards is a candidate C3PAO, expected to receive the full designation in September of 2022.[/vc_column_text][/vc_tta_section][vc_tta_section title=”Does Edwards provide CMMC training and certifications?” tab_id=”1703866464109-2f6f362a-49fd”][vc_column_text]Yes! Edwards is a Cyber AB approved Licensed Partner Publisher (LPP). We currently offer Certified CMMC Professional (CCP) training based on the Cyber AB curriculum. Contact us at training@edwps.com or visit our training portal for more information.[/vc_column_text][/vc_tta_section][vc_tta_section title=”What is CUI?” tab_id=”1703866464110-21b5fac8-a743″][vc_column_text]Controlled Unclassified Information. Organizations transmitting, storing or processing CUI must achieve at least CMMC Level 2.[/vc_column_text][/vc_tta_section][vc_tta_section title=”What is FCI?” tab_id=”1703866464110-b46aa297-c3b4″][vc_column_text]Federal Contract Information. Organizations handling FCI must achieve, at minimum, CMMC Level 1.
[/vc_column_text][/vc_tta_section][vc_tta_section title=”What is the difference between each Maturity Level and how do I know which one applies to my organization?” tab_id=”1703866464111-40c1b5c3-e5ce”][vc_column_text]The CMMC Levels (Level 1 – Level 3) are dependent upon what type of data you and your subcontractors hold, process, or create in support of DoD contracts. All DoD contractors and subcontractors are required to attain at least CMMC Level 1 compliance if they handle Federal Contract Information (FCI). Those processing Controlled Unclassified Information (CUI) must achieve at least CMMC Level 2. More information about the levels and corresponding requirements, as well as impact to your business, is one of the focuses of our informational courses.[/vc_column_text][/vc_tta_section][vc_tta_section title=”When can I get certified?” tab_id=”1703866464111-d75bd166-e942″][vc_column_text]Once the final rule is published in early 2023, The Cyber AB suggests that you plan for the certification process to take 6+ months. More information to follow in 2023.[/vc_column_text][/vc_tta_section][vc_tta_section title=”What is the CMMC certification process?” tab_id=”1703866464112-df96dace-3ed4″][vc_column_text]To become CMMC certified, an organization should prepare with an RPO before scheduling an assessment with a C3PAO. The certification is valid for 3 years. More information can be found on The Cyber AB website or by participating in one of our informational CMMC courses.[/vc_column_text][/vc_tta_section][vc_tta_section title=”What is the difference between a RPO and a C3PAO?” tab_id=”1703866464113-d6fe648f-a89e”][vc_column_text]Many OSCs need a trusted consultant to support their CMMC journey from preparation through certification. RPOs employ credentialed Registered PR actioners, who are qualified to provide CMMC consulting and support to OSCs in the Defense Industrial Base (DIB). The CyberAB created the RPO designation to provide approved organizations known for their quality and dedication to CMMC standards. Edwards is a Registered Provider Organization, designated through the CyberAB, and several members of our Cybersecurity Team are Registered Practitioners.[/vc_column_text][/vc_tta_section][/vc_tta_accordion][/vc_column][/vc_row][vc_row][vc_column][vc_tta_accordion style=”modern” active_section=”0″ collapsible_all=”true” title=”Consulting & Audits”][vc_tta_section title=”Is there a list of assessors who receive formal Cyber AB authorized training?” tab_id=”1703869323158-ec33aa9f-c86e”][vc_column_text css=””]A list of CCPs and CCAs is on The CMMC Marketplace.[/vc_column_text][/vc_tta_section][vc_tta_section title=”How can I get assessed?” tab_id=”1703869323158-53a46492-2f39″][vc_column_text]Organizations Seeking Certification (OSC) should contract with a RPO or a C3PAO to help prepare for a certification from CMMC. Only C3PAOs can conduct the official assessment, and you cannot contract with the same provider for both the pre-assessment consulting services (i.e., RPOs) and the actual CMMC assessment/audit (i.e., C3PAO). You can find verified RPOs and C3PAOs on The CMMC Marketplace.[/vc_column_text][/vc_tta_section][vc_tta_section title=”How can I become an Assessor?” tab_id=”1703869323159-c8d20a05-4a51″][vc_column_text css=””]You must first receive proper training. Most APPs and ATPs aim to deliver the CMMC Certified Professional (CCP), CMMC Certified Assessor (CCA) Level 1 and CCA Level 2 classes. More information can be found on The Cyber AB website.[/vc_column_text][/vc_tta_section][vc_tta_section title=”How can I get assessed?” tab_id=”1703869323159-14245bff-3ac2″][vc_column_text]Organizations Seeking Certification (OSC) should contract with a RPO or a C3PAO to help prepare for either Level 1 or Level 3 certification from CMMC. Only C3PAOs can conduct the official assessment, and you cannot contract with the same provider for both the pre-assessment consulting services (i.e., RPOs) and the actual CMMC assessment/audit (i.e., C3PAO). You can find verified RPOs and C3PAOs on the CMMC Marketplace.[/vc_column_text][/vc_tta_section][vc_tta_section title=”When can I get assessed?” tab_id=”1703869323159-99eecae5-3651″][vc_column_text css=””]You can begin the process of readiness anytime. Once the final rule is effective mid-December 2024, C3PAOs will begin formal assessments.[/vc_column_text][/vc_tta_section][vc_tta_section title=”How do I choose my Certified Third Party Assessment Oranizations (C3PAO)?” tab_id=”1703869323160-383908db-e335″][vc_column_text]The CMMC Marketplace lists many C3PAOs with some background information on each organization, including Edwards Performance Solutions. It is important to understand the agreed upon level of assessment your organization needs and the scope of the assessment and pricing prior to entering into a contract with a C3PAO.[/vc_column_text][/vc_tta_section][vc_tta_section title=”How to prepare for an audit?” tab_id=”1703869323161-03db97e5-99b0″][vc_column_text]Many RPOs and C3PAOs are available to assist your organization in preparing for the assessment. You can select from many already available on the CMMC marketplace or contact us at Info@EdwPS.com to discuss how Edwards Performance Solutions can help you prepare.[/vc_column_text][/vc_tta_section][vc_tta_section title=”Who am I able to work with?” tab_id=”1703869323161-e8b6326b-93fd”][vc_column_text]Organizations Seeking Certification (OSCs) should contract with a RPO or a C3PAO to help prepare for a certification from CMMC. Only C3PAOs can conduct the official assessment, and you cannot contract with the same C3PAO for both the pre-assessment consulting services and the actual CMMC assessment. You can find verified RPOs and C3PAOs on the CMMC Marketplace.[/vc_column_text][/vc_tta_section][vc_tta_section title=”Are there tools available to prepare for a Certification or an Assessment?” tab_id=”1703869323161-3d444a74-9332″][vc_column_text]The CMMC Assessment guides for Level 1 and Level 2 are available on the Acquisition & Sustainment website.[/vc_column_text][/vc_tta_section][/vc_tta_accordion][/vc_column][/vc_row][vc_row][vc_column][vc_tta_accordion style=”modern” active_section=”0″ collapsible_all=”true” title=”Education & Training”][vc_tta_section title=”When will The Cyber AB Assessment Courses be formally created?” tab_id=”1703870964729-4affbec6-bc35″][vc_column_text]A current list of assessment courses can be found on the Edwards website.[/vc_column_text][/vc_tta_section][vc_tta_section title=”How long is the course?” tab_id=”1703870964730-1deaa74d-9132″][vc_column_text css=””]Our standard CCP and CCA courses are 5 days. We offer virtual instructor led, in-person, and hybrid training options. We also offer a self-paced CCP Guide Learning course with access to our instructors, providing even more learning flexibility. Visit our training page for more detailed information about the length of each course.[/vc_column_text][/vc_tta_section][vc_tta_section title=”What do I get for training?” tab_id=”1703870964730-3bcd19b7-3320″][vc_column_text]Edwards will include many additional resources with the live, instructor-led CMMC courses. Check our training page for more information on what we include with each course – materials will range from the official exam prep guide, to editable digital workbooks, and more.[/vc_column_text][/vc_tta_section][vc_tta_section title=”Do I have to take the training in a specific order?” tab_id=”1703870964731-d3143e36-26d2″][vc_column_text]Yes. Participants in the Certified CMMC Assessor (CCA) Course will not be permitted to take the associated exam until they have provided proof of Certified CMMC Professional (CCP) Course and Exam. In other words, the official Cyber AB courses will build upon each other. You can find links to these courses along with what is included in the registration, on our training page.[/vc_column_text][/vc_tta_section][vc_tta_section title=”Will the course information stay up to date?” tab_id=”1703870964731-e35db711-5db0″][vc_column_text]Our courses are updated continuously to provide the most accurate recent information about CMMC.[/vc_column_text][/vc_tta_section][vc_tta_section title=”Is there a list of assessors who receive formal Cyber AB authorized training?” tab_id=”1703870964731-b390c507-729a”][vc_column_text]Once the standard is complete, the training is developed, and Certified CMMC Assessors are certified to conduct assessments, The Cyber AB will release a publicly available list of CCAs on their website.[/vc_column_text][/vc_tta_section][/vc_tta_accordion][/vc_column][/vc_row]