2021 CMMC FAQ
Q1: What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a set of mandatory cybersecurity requirements that DoD defense contractors (more than 300,000 companies in the Defense Industrial Base) must both implement and have verified by an independent third-party assessor before a contract carrying the CMMC requirement can be awarded. It applies across the supply chain, to prime contractors and subcontractors alike; there are no waivers for individual companies, and the only contractors outside its scope are those that supply solely commercial off-the-shelf (COTS) products.
Q2: Why the new changes?
The continual theft of intellectual property and sensitive information through the Department of Defense (DoD) supply chain has become a major threat to U.S. economic and national security.
To protect that data, which is unclassified but sensitive (Federal Contract Information and Controlled Unclassified Information, not classified information), the DoD created the Cybersecurity Maturity Model Certification (CMMC) to ensure that all contractors, prime and subcontractors alike, are implementing and maintaining sound cybersecurity practices. The days of self-assessment without third-party verification have come to an end.
Q3: How will CMMC affect my business?
CMMC will be mandatory for all DoD contractors, both prime and subcontractors. Self-attestation will no longer be acceptable, because CMMC requires an independent third-party certification. Protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will become a pass-fail contract award criterion.
Q4: What are the 5 steps to CMMC compliance?
1. Assess your current state against the 110 requirements of NIST SP 800-171 and the practices of CMMC Maturity Level 3.
2. Document your System Security Plan (SSP), describing how each requirement is met.
3. Document your Plan of Action and Milestones (PoA&M) for every requirement that is not yet fully implemented.
4. Implement the items in your PoA&M and the required controls.
5. Maintain your NIST and CMMC compliance on an ongoing basis.
Q5: Does CMMC require ongoing compliance?
Yes. Certification is not a one-time event: part of your compliance is an action plan for how you will consistently remain CMMC compliant, and the implemented practices must stay in place between assessments.
Q6: How do I prepare for CMMC right now?
Preparing for CMMC is relatively straightforward because the DoD built CMMC on NIST SP 800-171: the 110 requirements of that publication are the foundation of CMMC Level 3.
If your DoD contract contains the DFARS 252.204-7012 clause, "Safeguarding Covered Defense Information and Cyber Incident Reporting," you already handle covered defense information and are already obligated to implement NIST SP 800-171. You will need to take action now to remain able to bid on and accept DoD contracts.
Need Help with NIST or CMMC?
At Encompass IT Solutions, we help DoD contractors throughout Connecticut and Massachusetts with their NIST SP 800-171 DoD Self-Assessment score reports, their System Security Plan (SSP), their Plan of Action and Milestones (PoA&M), and their Supplier Performance Risk System (SPRS) submissions. As a result, these prime and subcontractors are eligible to bid on and win DoD contracts with a perfect SPRS score of 110, meaning all 110 NIST SP 800-171 requirements are implemented. Our team of cybersecurity experts has a wealth of knowledge of NIST SP 800-171 and the upcoming CMMC regulations, and we'd love to be a resource for you.