CMMC – FAQs
When does CMMC go into effect?
Version 1.0 (now 1.02) of the CMMC was released on January 31, 2020. The audit program and training program are being developed and should be in full effect by fall/winter of 2020. CMMC will appear in Requests for Information (RFIs) and Requests for Proposal (RFPs) as early as November 2020.
How many controls (practices) does CMMC require?
There are different controls totals for each level within CMMC:
- CMMC Level 1: 17 Practices
- CMMC Level 2: 72 Practices & 34 Processes
- CMMC Level 3: 130 Practices & 51 Processes (this is the first level that fully achieves NIST SP 800-171 coverage)
- CMMC Level 4: 156 Practices & 68 Processes
- CMMC Level 5: 171 Practices & 85 Processes
What is the minimum CMMC level you need to reach NIST SP 800-171?
CMMC Level 3 is the first target level that fully addresses NIST SP 800-171; it also covers 20 controls beyond NIST SP 800-171, for a total of 130.
If I’m not CMMC certified what does that mean?
In the near future, you will no longer be able to win proposals to provide services in the DoD supply chain.
If we have a relatively immature security program, how long will it take to get CMMC certified?
A reasonable assumption for achieving Level 3 CMMC readiness is 6 – 10 months. It will ultimately depend on institutional knowledge and how long you can get your “new normal” baked into your company culture & day to day processes.
How much does CMMC certification cost?
The actual cost of the audit will not be known until the auditor program is fully established. A reasonable guess for a C3PAO audit is $20 – 40K.
Establishing an information security program that is capable of being CMMC Level 3 certified can be a notable expense dependent upon the current maturity of your program. If you already have a mature NIST 800-171 compliant environment in place it may be $20K or less. If you are starting from scratch it could be $50 – 150K.
What is the difference between CMMC and NIST 800-171?
CMMC is a certifiable standard that requires a third-party audit to confirm that you are compliant with the standard, whereas NIST SP 800-171 is (or was) a self-attestable standard that protects the same CUI that CMMC does. All organizations that become CMMC certified (Level 3 or higher) will still need to conform to 800-171, and the CMMC certification will demonstrate that they have achieved 800-171 as well.
With the DoD’s more “limited roll out” that I heard about, should we get CMMC certified this year?
Many of the companies in the Defense Industrial Base we are speaking with believe that it will be a competitive advantage to do so. Our understanding is that larger Primes will either require or favor those that are certified as they build “pursuit teams”.
Should we start preparing for CMMC with a Gap Analysis/Assessment?
A gap assessment is a good approach if you know that you have a very mature information security program that includes the required CMMC artifacts (e.g., Risk Assessment, System Security Plan, etc.). If not, you are better off viewing this as an implementation, with establishing the scope of your CUI environment as the best first step. See this blog for additional detail on approach.