Common Questions About CMMC Certification
We know how confusing CMMC can be for many businesses. Luckily, Bravo is here to help! The Cybersecurity Maturity Model Certification (CMMC) is a new standard introduced by the Department of Defense that will serve as a framework to enforce Defense Federal Acquisition Regulation Supplement (DFARS) requirements.
Unlike NIST 800-171, where you conduct the assessment yourself, becoming CMMC certified entails a third-party audit of your business. While CMMC and NIST seem similar, CMMC builds upon the framework of NIST 800-171 to better encompass cybersecurity posture and standing. Companies can capitalize on already-in-progress NIST initiatives as they work toward their appropriate CMMC level of compliance.
So, how do you prepare for this audit? Here are some commonly asked questions and answers:
Do I need to be CMMC Certified?
Anyone who does business with the Department of Defense (DoD) must be certified, even subcontractors.
Can I self-certify for CMMC?
No. CMMC requires that a third party audit your company in order to accurately assess its security posture in accordance with the criteria provided by the DoD. Upon being certified, you will be assigned one of the five levels specified within CMMC.
What are the levels of CMMC?
CMMC is made up of five levels. Starting at Level One, they are Basic Cyber Hygiene, Intermediate Cyber Hygiene, Good Cyber Hygiene, Proactive Cyber Controls, and lastly, Advanced/Progressive Cyber Protection. The higher the level you are awarded, the more advanced your security posture.
What is CMMC Level 2 for?
According to DoD, no contracts will require CMMC Level 2. It’s been described as a bridge to CMMC Level 3. Even though no contract will require CMMC Level 2, it may be required by some partners, primes, or investors.
How much does CMMC cost?
The DoD has determined that the costs to prepare for CMMC will be considered an allowable cost, meaning that they can be billed directly to the DoD and will be reimbursable. To read more, check out our blog on the cost of CMMC.
Does the certification requirement apply to grants as well as contracts?
As of now, the requirement applies to DoD contract funding only, and it is only associated with a project when the RFP/RFI includes a statement pertaining to the CMMC level that applies.
What’s the best way to prepare for certification?
The first step is assessing your company’s security gaps and weaknesses. If remediation is necessary to bring your company up to the standards of the level for which you’d like to be audited, bringing in a Managed Security Service Provider (MSSP) with expertise in CMMC assessments and remediation can prove to be beneficial to get your business on the right path. Learn more about Bravo’s CMMC services here.
What can I expect from the audit?
The third-party assessment organization (3PAO) will conduct a thorough review of your System Security Plan (SSP) in order to assess your handling of Controlled Unclassified Information (CUI). The 3PAO will then review your Plan of Action & Milestones (POA&M), which documents your weak spots and the planned remediation for each, in order to eliminate the risk that comes from them. From there, your policies, standards, and procedures are evaluated to see if they align with your SSP and support the requirements associated with the level you are being audited for. One main component the auditors are looking for is maturity in your control responses. Therefore, it’s important not to wait until the last minute to prepare for CMMC.
How can I learn more about CMMC?
We will continue to periodically update this list of questions for your convenience.
Contractors that want to get CMMC ready or have questions on the new regulation should contact Bravo below: