Cybersecurity Maturity Model Certification (CMMC) Terminology and FAQs
Some of the most common terms associated with CMMC include:
Controlled unclassified information (CUI): Information created and/or possessed by the government, or that an entity made or possesses on the government’s behalf, that a law, regulation or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The full CUI Registry includes the following organizational index groupings:
- Critical infrastructure
- Export control
- International agreements
- Law enforcement
- Natural and cultural resources
- Procurement and acquisition
- Proprietary business information
CMMC Third-Party Assessor Organization (C3PAO): Organizations like NSF-ISR which are authorized to manage the CMMC assessment process
Department of Defense (DoD): The largest U.S. government agency and an executive branch department of the federal government that coordinates and oversees all government functions directly related to national security and the U.S. Armed Forces
Defense industrial base (DIB): The organizations and their subcontractors that provide goods and services to the Department of Defense
Defense Federal Acquisition Regulation Supplement (DFARS): A set of rules regarding federal defense procurement methods, requirements, policies, authority delegations and procedures
For official use only (FOUO): A document designation used by the Department of Defense
Organization seeking certification (OSC): An organization that is pursuing the Cybersecurity Maturity Model Certification (CMMC)
Provisional Assessor (PA): A credentialed individual who is authorized to deliver CMMC assessments
Registered Provider Organization (RPO): An organization that provides advice and recommendations on CMMC to its clients. It is the “implementer” and consultant, but does not conduct certified assessments. Any references to “non-certified” services means that an RPO is not authorized to conduct a certified assessment.
Registered Practitioner (RP) or CMMC Registered Practitioner: An individual who provides guidance in the form of gap assessments, but who does not conduct certified assessments; the RP participates as an assessment team member during the provisional period
Supplier Performance Risk System (SPRS): Essentially the DoD's acquisition system, which is used for identifying, assessing and monitoring unclassified performance of suppliers and product performance information
Frequently Asked Questions
Who will use CMMC?
Department of Defense contractors and subcontractors -- all companies conducting business with the DoD will need CMMC.
When will the current version of CMMC be released?
Version 1.02 was released in March 2020. By April 2021 the industry should begin to see the CMMC requirements as part of RFIs.
Will there be a self-certification?
Who will perform the CMMC assessments?
Assessments will be performed by third-party companies, like NSF International Strategic Registrations (NSF-ISR). The CMMC website indicates some higher-level assessments may be performed by DoD assessors within the services (e.g. the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA)).
Much like other certifications, your organization will need to coordinate your assessment with an accredited and independent third-party certification organization to request and schedule your CMMC assessment.
What other cybersecurity control standards are combined within the CMMC?
The CMMC combines several cybersecurity control standards such as NIST 800-171, NIST 800-53, ISO/IEC 27001, ISO/IEC 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.
Who will see my assessment results?
The DoD will see your certification. CMMC levels will not be publicly accessible.
What happens if an organization is compromised after being certified to CMMC?
The organization will not lose its certification. But based on the circumstances surrounding the compromise and the direction of the government program manager, an organization may be required to be recertified to CMMC.
How will an organization know what CMMC level is required for a contract?
The appropriate CMMC tier will be determined by the government (i.e. not everything requires the highest level) for the contracts an organization administers. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFPs), making cybersecurity an “allowable cost” in DoD contracts.
Will CMMC certifications and the associated third-party assessments apply to classified systems and/or classified environments within the defense industrial base (DIB)?
The CMMC is intended to ensure appropriate levels of cybersecurity practices and processes are in place to protect controlled unclassified information (CUI) that resides on the Department of Defense’s industry partners’ unclassified networks.
How much does CMMC cost?
The goal is for CMMC to be cost effective and affordable for small businesses to implement at the lower CMMC levels.
CMMC assessment costs will depend on multiple factors, including the CMMC level, the complexity of the DIB company’s unclassified network within the certification boundary and other market forces. The Department of Defense provided rough, order-of-magnitude cost estimates for CMMC assessments as part of the Federal Register Notice for Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041.
The certification cost will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified to the required CMMC level.
How often will organizations need to be reassessed?
Organizations will generally need to be reassessed every three years as a CMMC certificate will be valid for three years.
What if our organization does not handle controlled unclassified information (CUI)? Is certification to CMMC required anyway?
Most likely yes. If a DIB company does not possess, store or transmit CUI but possesses Federal Contract Information (FCI), it is required to meet FAR clause 52.204-21 and must be certified at a minimum to CMMC Level 1.
Are there any organizations that are exempt from CMMC certification?
Yes, CMMC certification is not required for organizations that solely produce commercial-off-the-shelf (COTS) products.
What is the DoD’s phased rollout plan for CMMC?
Until September 30, 2025, the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in any solicitation.
The Department is currently working with military services and defense agencies to identify candidate programs that will implement CMMC requirements during the FY2021-FY2025 phased rollout. During the first year of the rollout, the Department will require no more than 15 new Prime acquisitions to meet CMMC requirements as part of a CMMC pilot program. These contracts will focus on mid-sized programs that require the contractor to process or store CUI (CMMC Level 3). Primes will be required to flow down the appropriate CMMC requirement to their subcontractors.
For subsequent fiscal years of the rollout, the Department intends to incorporate CMMC Levels 4 and 5 on a small number of contracts while increasing the quantity of Prime acquisitions that include a CMMC requirement to the following targets:
Why Choose NSF International Strategic Registrations (NSF-ISR)?
Gain an advantage with NSF-ISR’s information security team who are experts in information security systems, providing the sense of protection you need to operate in a world of uncertainty. Whether you are protecting your own system or managing service for others, our professional approach focuses on service performance.
For over 20 years, NSF-ISR has offered comprehensive management systems registrations to internationally accepted standards across industries, focusing on information security, quality, health and safety, environment and sustainability. Our parent company NSF International has provided audits, certification, testing and, separately, training services for the food, water and health science industry for over 75 years.
- NIST 800 assessments: Conducting a security controls assessment against the NIST guidelines
- ISO security assessment (ISO/IEC 27001, ISO/IEC 20000-1 and others)
- Custom audit assessments: Auditing to customer specifications across multiple disciplines
- Channel partner management: NSF-ISR can manage your channel partners, allowing full-scale outsourcing
- Channel partner assessments: NSF-ISR can audit your partners to certain specifications