Cybersecurity Maturity Model Certification (CMMC) Terminology and FAQs
Some of the most common terms associated with CMMC include:
Controlled unclassified information (CUI): Information created and/or possessed by the government, or that an entity made or possesses on the government’s behalf, that a law, regulation or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The full CUI Registry includes the following organizational index groupings:
- Critical infrastructure
- Export control
- International agreements
- Law enforcement
- Natural and cultural resources
- Procurement and acquisition
- Proprietary business information
CMMC Third-Party Assessor Organization (C3PAO): Organizations like NSF-ISR which are authorized to manage the CMMC assessment process
Department of Defense (DoD): The largest U.S. government agency and an executive branch department of the federal government that coordinates and oversees all government functions directly related to national security and the U.S. Armed Forces
Defense industrial base (DIB): The organizations and their subcontractors that provide goods and services to the Department of Defense
Defense Federal Acquisition Regulation Supplement (DFARS): A set of rules regarding federal defense procurement methods, requirements, policies, authority delegations and procedures
For official use only (FOUO): A document designation used by the Department of Defense
Organization seeking certification (OSC): An organization that is pursuing the Cybersecurity Maturity Model Certification (CMMC)
Provisional Assessor (PA): A credentialed individual who is authorized to deliver CMMC assessments
Registered Provider Organization (RPO): An organization that provides advice and recommendations on CMMC to its clients. It is the “implementer” and consultant, but does not conduct certified assessments. Any reference to “non-certified” services means that an RPO is not authorized to conduct a certified assessment.
Registered Practitioner (RP) or CMMC Registered Practitioner: An individual who provides guidance in the form of gap assessments, but who does not conduct certified assessments; the RP participates as an assessment team member during the provisional period
Supplier Performance Risk System (SPRS): Essentially the DoD's acquisition system, used for identifying, assessing and monitoring the unclassified performance of suppliers and information on product performance
Frequently Asked Questions
Who will use CMMC?
Department of Defense contractors and subcontractors: all companies conducting business with the DoD will need CMMC.
When will the current version of CMMC be released?
Version 2.0 was launched in November 2021 and is currently in the rulemaking process. CMMC 2.0 will become contractually required once rulemaking is completed.
Will there be a self-certification?
Yes, for CMMC Level 1 and a subset of Level 2 programs. Self-assessments will be required on an annual basis.
Who will perform the CMMC assessments?
Assessments will be performed by third-party companies, like NSF International Strategic Registrations (NSF-ISR). CMMC Level 3 assessments may be performed by DoD assessors within the services (e.g. the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA)).
Much like other certifications, your organization will need to coordinate your assessment with an accredited and independent third-party certification organization to request and schedule your CMMC assessment.
What other cybersecurity control standards are combined within the CMMC?
The CMMC combines several cybersecurity control standards such as NIST 800-171, NIST 800-53, ISO/IEC 27001, ISO/IEC 27032, AIA NAS9933 and others into one unified standard for cybersecurity. Any equivalencies or acceptance standards, if established, will be implemented as part of the rulemaking process.
Who will see my assessment results?
The DoD will see your certification. CMMC levels will not be publicly accessible.
What happens if an organization is compromised after being certified to CMMC?
The organization will not lose its certification, but based on the circumstances surrounding the compromise and the direction of the government program manager, an organization may be required to be recertified to CMMC.
How will an organization know what CMMC level is required for a contract?
The appropriate CMMC tier will be determined by the government (i.e. not everything requires the highest level) for the contracts an organization administers. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFPs), making cybersecurity an “allowable cost” in DoD contracts.
Will CMMC certifications and the associated third-party assessments apply to classified systems and/or classified environments within the defense industrial base (DIB)?
The CMMC is intended to ensure appropriate levels of cybersecurity practices and processes are in place to protect controlled unclassified information (CUI) that resides on the Department of Defense’s industry partners’ unclassified networks.
How much does CMMC cost?
The goal is for CMMC to be cost effective and affordable for small businesses to implement at the lower CMMC levels.
CMMC assessment costs will depend on multiple factors, including the CMMC level, the complexity of the Organization Seeking Certification's (OSC's) unclassified network within the certification boundary and other market forces. The Department of Defense provided rough, order-of-magnitude cost estimates for CMMC assessments as part of the Federal Register Notice for Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041.
The certification cost will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified to the required CMMC level.
How often will organizations need to be reassessed?
Organizations will generally need to be reassessed every three years for Level 2 and Level 3 as a CMMC certificate will be valid for three years. CMMC Level 1 self-assessments will need to be conducted on an annual basis.
What if our organization does not handle controlled unclassified information (CUI)? Is certification to CMMC required anyway?
Most likely yes. If a DIB company does not possess, store or transmit CUI but possesses Federal Contract Information (FCI), it is required to meet FAR clause 52.204-21 and must be certified at a minimum to CMMC Level 1.
Are there any organizations that are exempt from CMMC certification?
Yes, CMMC certification is not required for organizations that solely produce commercial-off-the-shelf (COTS) products.
What is the DoD’s phased rollout plan for CMMC?
The publication of materials relating to CMMC 2.0 reflects the Department’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.
Once CMMC 2.0 is codified through rulemaking, the Department will require companies to adhere to the revised CMMC framework according to requirements set forth in regulation.
According to the DoD CIO, Stacy Bostjanick, the federal rulemaking process around CMMC 2.0 is proposed to be completed by March 2023.
Why Choose NSF International Strategic Registrations (NSF-ISR)?
Gain an advantage with NSF-ISR’s information security team, experts in information security systems who provide the sense of protection you need to operate in a world of uncertainty. Whether you are protecting your own system or managing service for others, our professional approach focuses on service performance.
For over 20 years, NSF-ISR has offered comprehensive management systems registrations to internationally accepted standards across industries, focusing on information security, quality, health and safety, environment and sustainability. Our parent company NSF has provided audits, certification, testing and, separately, training services for the food, water and health science industry for over 75 years.
- NIST 800 assessments: Conducting a security controls assessment against the NIST guidelines
- ISO security assessment (ISO/IEC 27001, ISO/IEC 20000-1 and others)
- Custom audit assessments: Auditing to customer specifications across multiple disciplines
- Channel partner management: NSF-ISR can manage your channel partners, allowing full-scale outsourcing
- Channel partner assessments: NSF-ISR can audit your partners to certain specifications