Common CMMC Questions

Don't worry, you're not alone!

When do I need to seek CMMC certification?

The deadline is 2025, which means you should plan to seek an audit from a C3PAO (Third-Party Assessor Organization) through the CMMC-AB marketplace before the end of 2025. Make sure you don’t wait until the last minute, so you have time to remediate audit findings.

What if I fail the Audit?

You will have 60 days to resolve the findings from the audit via a corrective action report and seek remediation from the same auditing firm.

Is this certification a one and done?

No, you need to get re-certified every 3 years. Cyber security in general is a perpetual effort that requires a continuous-improvement mentality.

What’s the best place to start getting compliant?

CMMC requirements are mostly drawn from the NIST SP 800-171 Rev. 2 publication, which can be found here -> SP 800-171 Rev. 2, Protecting CUI in Nonfederal Systems and Organizations | CSRC (nist.gov). Start with a gap analysis, using their spreadsheet to track where you are and where you need to be. The CMMC-AB also has a 10-step process on their website that you should follow.

What CMMC maturity level should I seek certification for?

As a best practice, no matter what industry your business is in, you should strive for CMMC ML-1, which gives you basic cyber security hygiene.

If you are planning to handle CUI data in future contracts, CMMC ML-2 is a good transitional framework to prepare for becoming ML-3 compliant.

Currently handling CUI data? ML-3 is what you should strive for. This is a very common maturity level for mid-tier suppliers.

If you are a top-tier supplier in the defense industrial base, ML-4 & ML-5 should be considered.

Why do I need to seek CMMC certification?

If your business is in the defense industrial base supply chain, you will need to seek certification to be able to sign new contracts or continue supplying product on existing agreements. In other words, whether you supply product directly to the government, to top-tier suppliers like GE or Raytheon, or you are lower down the supply chain, you will need to start planning to seek CMMC compliance.

We are a small manufacturing company with a lean I.T. staff and a tight budget. How do others in my situation plan to become compliant?

You will have 90 days to resolve the findings from the audit via a corrective action report and seek remediation from the same auditing firm.

What is CUI & how do I determine whether it’s on my network?

Controlled Unclassified Information is sensitive data that is specifically marked by the DoD but isn’t classified information. ITAR data is a good example of this, but you should first ask yourself these 3 questions:

  1. Where do you get your contracts and technical drawings?
  2. Where do you store them on your network or cloud service?
  3. Where, and to whom, do your employees send them?

You’ll need to work with your customer-facing employees to understand which contracts carry CUI markings (Controlled Unclassified Information (CUI) | GSA). Microsoft Active Directory Rights Management Service (ADRMS) and Microsoft Azure Information Protection (AIP) are a couple of solutions that can help you identify, mark, and safeguard this data with


Cyber Security Maturity Levels (ML)

Level 1 – 17 Practices
Basic cyber hygiene – All businesses should use this as a best practice.

Level 2 – 55 Practices, 34 Processes
Intermediate cyber hygiene – Used to transition a business toward protecting CUI data.

Level 3 – 58 Practices, 17 Processes
Good cyber hygiene – Consists mostly of the NIST 800-171 & DFARS frameworks. If you manage CUI data, this is a mandatory level to reach.

Level 4 – 26 Practices, 17 Processes
Proactive cyber hygiene – Focused on reducing the risk of advanced persistent threats.

Level 5 – 15 Practices, 17 Processes
Progressive cyber hygiene – Advanced cyber security framework that is highly optimized for mitigating advanced persistent threats.

Commonly Used Cyber Security Acronyms

CMMC-AB – Cybersecurity Maturity Model Certification Accreditation Body
CP – Certified Professional (CMMC)
CA – Certified Assessor (CMMC)
OSC – Organization Seeking Certification
ITAR – International Traffic in Arms Regulations
NIST – National Institute of Standards and Technology
C3PAO – Third-Party Assessor Organization (CMMC)
CUI – Controlled Unclassified Information
RPO – Registered Provider Organization
CATM – CMMC-AB Approved Training Material
LTP – Licensed Trained Professional (CMMC)
RP – Registered Practitioner (CMMC)
FIPS – Federal Information Processing Standards
DLP – Data Loss Prevention or Data Leak Prevention
SIEM – Security Information and Event Management
SSP – System Security Plan
FedRAMP – Federal Risk and Authorization Management Program
FCI – Federal Contract Information
EAR – Export Administration Regulations
AC-MC – Access Control Maturity Capability
RBAC – Role-Based Access Control
DIB – Defense Industrial Base
DFARS – Defense Federal Acquisition Regulation Supplement

10 Steps to Certification

Step 1 – Understand the CMMC requirements.
Step 2 – Scope your business’s cyber security footprint.
Step 3 – Identify what maturity level you are seeking.
Step 4 – Perform a gap analysis based on your ‘Step 2’ scope.
Step 5 – Work to close your previously identified gaps (longest step).
Step 6 – Find a C3PAO in the CMMC-AB marketplace.
Step 7 – Conduct the assessment with the chosen C3PAO.
Step 8 – Remediate any findings within 90 days.
Step 9 – The audit is submitted to the CMMC-AB and reviewed.
Step 10 – Obtain your 3-year certification.

Need more help?

We’ve partnered with the best CMMC gap analysis providers to get you on the right path. We take pride in setting you up with the right vendors at the best price. Send your inquiry to info@modertech.group to get started.

Our brokerage services are zero cost to you.