CMMC: Some Frequently Asked Questions
The National Defense Industrial Association has held a series of webinars for its members focusing on the latest news coming out of the Defense Department on the Cybersecurity Maturity Model Certification.
NDIA Senior Vice President of Strategy and Policy Wes Hallman, Director of Regulatory Policy Nick Jones and Principal Director of Strategy Corbin Evans led a webinar Feb. 18 and answered some written questions posed by members afterwards.
The next members-only webinar is scheduled for April 15.
The questions and answers from that previous session have been edited for clarity and length.
Any sense of how CMMC will be applied to foreign contractors including who and how they will be audited and by what agency?
It will be applied to foreign contractors that do business directly with the Defense Department or as part of its supply chain. The CMMC Accreditation Body is working to stand up Third Party Assessor Organizations (C3PAOs) in foreign locations to allow companies to receive certifications. It will likely not be a quick process, however.
Some international suppliers are having difficulty getting into the Supplier Performance Risk System (SPRS) to register their National Institute of Standards and Technology (NIST) self-assessment. Some requests have been sitting for many days. Is there a help number or help contact to assist with processing SPRS requests for suppliers?
The SPRS system is run by the Navy. A contact number is listed on its website: https://www.sprs.csd.disa.mil.
How long is the process to become Level 3 CMMC compliant?
It will vary per company depending on size, sector and current level of compliance with NIST 800-171. For those companies that are in full compliance with NIST 800-171, it likely will not take much time to add the additional controls necessary to get to CMMC Level 3 compliance.
Are “pathfinder” and “pilot” CMMC contracts different?
Yes. Pathfinders were conducted by the Defense Department and internal to their purposes. Think tabletop exercises, etc. Pilots will consist of all contracts that contain CMMC language released between now and 2026.
We supply raw materials — commercial-off-the-shelf (COTS) items. My understanding is that we are not required to achieve CMMC. We handle zero controlled unclassified information (CUI). Will we ever be required to become certified?
As long as you truly do COTS items and handle no CUI you will not need to enter the program as it is currently designed.
What is the reason for designating controlled unclassified information? Is it actually classified or isn’t it? If it is, why not just call it that under current classifications such as “Confidential,” “NoForn,” etc.? CUI confuses the workforce.
It is not classified as it is protected at a lower level than classified data. The classified data protection requirements are much more robust than those being considered by the CMMC program to protect CUI.
Do you have to do a self-assessment for every contract that has NIST 171 in it?
You should be able to do one assessment that covers your organization.
Does a subcontractor have to share their 800-171 self-assessment scorecard with the prime, or just confirm that its score is uploaded to the Supplier Performance Risk System?
Just upload to the SPRS. Some primes may require it in the future as part of their subcontracts but it will vary from prime to prime.
The Defense Federal Acquisition Regulation Supplemental rules do not change the government cost accounting rules at all. So, is the opinion of the Defense Department’s office of the undersecretary of defense for acquisition and sustainment relevant on allowability?
At this point the allowability of costs related to complying with the program are hotly debated. We obviously understand that this has the potential to be a major cost for contractors and we want to ensure that the government understands that and reimburses contractors for that cost to the fullest extent possible.
I was recently advised that if we supply COTS materials to the federal government or any of their primes, and we do not handle CUI that we are not required to be CMMC certified, or even SPRS self-assessed.
We were under the impression that CMMC has to do with the transmittal of data, computer hygiene and processes. We supply military-specific adhesives and tapes and we also convert tapes by slitting the rolls, which could be interpreted as a form of manufacturing or contract manufacturing?
We are not sure, but we believe that we do not handle CUI. A couple of our prime supply customers have asked us to plan on getting certified. Can you please advise?
If you truly provide COTS products and do not handle CUI, you do not need to be part of the CMMC program. Military-specific items are a version of modified COTS and may need to be part of the program, but it is unclear at this point.
We are a manufacturer that handles CUI — mostly drawings — from a prime contractor. When we receive drawings and other related CUI for a project, our engineer creates a less-detailed drawing in order to send instructions to a machine shop for machining the parts. The original drawing is never sent to the machine shop, but is our engineering drawing considered CUI? This drawing is used in order to program their machines. Has there been direction on whether machine shops will need to achieve CMMC? If so, what level?
Hard question. The two schools of thought are that CUI has to come from government, the other is that CUI can be created during the contact or from other CUI material. We’re waiting on an answer, too.
What exactly does the “pilot” designation mean? Does it impact anything tangible?
No. It is the classification given to contracts that have CMMC language over the next several years until 2026.
Are you saying that the self-assessment and SPRS submission is not required until such time you receive a new contract or subcontract or renewal? I thought the stated deadline was Nov. 30, 2020?
Yes. There is not a requirement to upload your self-assessment into SPRS until you receive the amended DFARS language in a new contract or as part of a contract modification/change order.
Do you know if there is a central location to see the schedule for the Defense Industrial Base Cybersecurity Assessment Center’s assessments of new Third Party Assessor Organizations (C3PAOs)?
No. The schedule is not public. DIBCAC will contact you.
Is there a list of pathfinder contracts?
If the contract is awarded prior to primes being able to discuss the CMMC requirements with subcontractors, how will the prime know if they will actually be able to complete the scope? Subs may drop out or not meet the requirement, leaving the prime unable to perform certain tasks?
This is an issue with the timing as it is currently understood. We have raised this question to the Defense Department, but no answer yet.
Are you concerned organizations are not systematically able to adapt to these changes? Does that need to be addressed?
Yes, this is a major concern. The loss of companies from the defense industrial base may be a consequence of CMMC and is one we are trying to mitigate.