CMMC Frequently Asked Questions

As one of the largest Licensed Training Providers (LTP) and Registered Provider Organizations (RPO) accepted into the CMMC Accreditation Body (CMMC-AB), Learning Tree is able to provide you with the most relevant information and advice to help you on your certification journey. Here’s a list of our most frequently asked questions, updated as a result of the U.S. government announcement on November 4, 2021 regarding a new 2.0 model.

 

Q: What is CMMC?

A: CMMC stands for Cybersecurity Maturity Model Certification. It is designed to assess the security posture of Defense Industrial Base (DIB) companies and to verify that appropriate cybersecurity practices and procedures are implemented before defense contracts are awarded.

 

Q: Is there a replacement for CMMC 1.0 now that it is undergoing significant change?

A: While CMMC 2.0 is under development, the Pentagon is encouraging defense contractors to follow the cybersecurity practices laid out by the National Institute of Standards and Technology in NIST SP 800-171.

 

Q: Is there an approximate time frame for rolling out CMMC 2.0?

A: The discussed time frame is somewhere between 9 and 24 months to finalize the rulemaking effort. This includes a 60-day public comment period before the rule takes effect.

 

Q: Why did they make such sweeping changes to CMMC 1.0?

A: To provide clear requirements and accountability. In addition, the Pentagon decided to revamp CMMC because version 1.0 was considered too costly and burdensome for many in the defense industry, especially small and medium-sized enterprises that do not handle CUI.

 

Q: How long will it be before CMMC 2.0 is released with contracts requiring certification?

A: New requirements will not show up in contracts for at least nine months, and the rulemaking process could stretch out as late as fall 2023.

 

Q: What is the DFARS Interim Rule?

A: Effective November 30, 2020, contractors are required to self-assess against NIST SP 800-171 and enter their assessment score in the Supplier Performance Risk System (SPRS) database. Some contracts will also require full CMMC certification, but for now it is at the discretion of the Office of the Under Secretary of Defense (OUSD) to state which new contract awards must be CMMC certified. The goal is to award more prime contracts annually to CMMC-certified organizations. In fiscal year 2021, DoD requires only 15 prime contracts to be awarded with the new CMMC requirements, which flow down to the primes' subcontractors. By 2025, all organizations must be CMMC certified to win contract awards.

 

Q: Will there be any formal announcements or communication regarding CMMC changes?

A: The Pentagon is aiming to publish details on the updated CMMC standards via the program's website by the end of November 2021.

 

Q: Do all contractors, sub-contractors and organizations need to be certified?

A: If you're one of the roughly 350,000 entities working directly (or indirectly) on Department of Defense (DoD) contracts containing Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI), you must fully comply with the mandate. *2.0 Update: The DoD estimates that roughly 40,000 companies hold CUI; these companies will still require a third-party assessment.

 

Q: My organization doesn’t handle CUI. Do we still need to be certified?

A: Yes. Even if the organization handles only FCI, it still needs to be certified at Level 1. The few exceptions are payment information necessary to process a transaction and contracts solely for commercial off-the-shelf (COTS) products.

 

Q: What is FCI?

A: FCI is information provided by or generated for the federal government under contract that is not intended for public release. CMMC requirements specify that organizations handling FCI must at minimum meet Level 1 certification (Performed – Basic Cyber Hygiene in CMMC 1.0; Foundational in CMMC 2.0).

 

Q: What is CUI?

A: CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information classified under Executive Order 13526, Classified National Security Information, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. CMMC requirements specify that organizations storing, processing, or transmitting CUI must at minimum meet CMMC 1.0 Level 3 (Managed – Good Cyber Hygiene), which corresponds to Level 2 (Advanced) under CMMC 2.0.

 

Q: If mandate compliance doesn’t take full effect until October 2025, why should I worry about it now?

A: The CMMC program is meant to be phased in. Failing to comply and become an early adopter will likely lead to a significant decrease in awarded contracts. Early adopters will have a strong competitive advantage over non-certified contractors and will be eligible to bid on contracts that carry CMMC requirements. Even before that October 2025 date, the DFARS Interim Rule applies.

 

Q: With the suspension of CMMC 1.0, will there still be a need for companies to seek certification?

A: While the Pentagon will not require certification as part of any contract until after the rules have been finalized, nearly 500 companies fall into the "Level 3" category, working on highly sensitive programs. They will still need to follow "expert" cybersecurity practices.

 

Q: Who will conduct the Level 3 assessments? 

A: Under CMMC 1.0, C3PAOs would have conducted these assessments. Under CMMC 2.0, Level 3 assessments are performed by a DoD organization, the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

 

Q: What does it mean when DoD says that some contractors will be able to self-attest (assess)? 

A: If a company does not handle data deemed critical to national security, it will only have to self-attest to its cybersecurity practices on an annual basis rather than undergo a third-party assessment.

 

Q: How is CMMC different from 800-53 or 800-171?

A: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 applies to all US federal agencies and any entity housing US federal information or information systems. SP 800-171 is meant for protecting CUI stored, processed, or disseminated in nonfederal systems. CMMC is not a checkbox audit; it is an assessment that characterizes the organization's overall cybersecurity posture as it pertains to CUI and FCI.

 

Q: Are there minimal and/or universal certification requirements that must be met to be awarded a contract?

A: Yes. NIST SP 800-171 and the applicable DFARS clauses.

 

Q: My organization didn’t bid on a contract but we assist one that did. Do we need to be certified?

A: Yes. If the organization handles CUI or FCI, even as a subcontractor, it needs to be certified just as the prime contractor is.

 

Q: What are the CMMC certification levels?

A: CMMC 2.0 has three levels:

  • Level 1 (Foundational): Self-Assessment / Basic Safeguarding
  • Level 2 (Advanced): NIST SP 800-171 Requirements
  • Level 3 (Expert): NIST SP 800-172 Requirements

 

Q: How will I know what CMMC level is required for a contract?

A: The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).

 

Q: If I hold Provisional Assessor (PA) or Provisional Instructor (PI) status, when do I have to take the official certification exam?

A: As a PA or PI, you have six months from the official release of the corresponding exam to pass it and obtain the designation. For example, if you are a PI teaching the CCP course, you have six months to pass the CCP exam after the CCP exam is released.

 

Q: Is there a correlation between APMG approved NCSP certifications and the CCP / CA-1, CCA-3 of CMMC-AB?

A: No. The objectives and intended audiences for these certifications are different. The CMMC-AB certifications validate the skills of assessors.

Start Taking Action and Strategize Toward CMMC Readiness Today

As one of the largest licensed training providers, Learning Tree CMMC training ensures:

  • The ability to navigate the DFARS Interim Rule (effective Nov. 30, 2020)
  • Total preparation for compliance audits
  • Comprehensive training to manage future updates

Let the experts at Learning Tree help build the right solution for your CMMC readiness needs. Contact us today to learn more.
