- What is CMMC trying to address?
- CMMC aims to enhance cybersecurity within the defense industrial base (DIB) by ensuring that defense contractors and subcontractors protect sensitive unclassified information.
- Does my company need to be CMMC certified?
- If your company handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) for the DoD, you will need to be CMMC certified.
- What CMMC level should my company seek?
- The required CMMC level depends on the sensitivity of the information your company handles. Higher levels require more stringent cybersecurity practices.
- How does my company get certified?
- Companies must undergo assessments conducted by CMMC Third-Party Assessment Organizations (C3PAOs) to achieve certification.
- Who grants the certification?
- Certification is granted by authorized C3PAOs after successful completion of the assessment.
- How much will it cost to implement CMMC?
- The cost varies based on the CMMC level, the complexity of your company’s network, and market forces. Costs incurred to meet existing contract requirements for safeguarding information are not considered part of the CMMC implementation cost.
- What resources are available to assist companies in complying with DoD cybersecurity requirements?
- The DoD provides various no-cost Cybersecurity-as-a-Service resources to support compliance efforts.
- Will companies need to comply with CMMC 1.0 after the revised program is implemented?
- No, the revised CMMC framework replaces the initial version, often referred to as “CMMC 1.0”.
- When will CMMC be required for Department of Defense contracts?
- CMMC will be incorporated into contracts once DFARS clause 252.204-7021 is revised, and 60 days after the 48 CFR rule is published as final in the Federal Register.
- Why did the Department revise CMMC?
- The DoD revised CMMC to reduce costs for small businesses, increase trust in the assessment ecosystem, and clarify cybersecurity requirements.
Additional FAQs
- What are the different levels of CMMC?
  - Level 1: Basic safeguarding of FCI, requiring annual self-assessment.
  - Level 2: Intermediate cybersecurity standards, requiring third-party assessments.
  - Level 3: Advanced cybersecurity practices, requiring third-party assessments.
- Do subcontractors need to get certified?
- Yes, subcontractors handling sensitive unclassified DoD information must achieve the required CMMC level as specified by the prime contractor.
- Can CMMC requirements apply to non-DoD subcontractors?
- While CMMC is primarily for DoD contracts, other federal agencies may adopt similar cybersecurity requirements, potentially extending CMMC-like standards to non-DoD subcontractors.
- What certifications are needed for employees or third parties working on CMMC certification?
- Employees and third parties involved in CMMC certification should have relevant cybersecurity certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or Certified Information Systems Auditor (CISA). Additionally, C3PAOs must be authorized by the CMMC Accreditation Body.
- How long does it take to achieve CMMC Level 2 compliance?
- On average, it takes 12-18 months to build the technical environment and organizational program needed to meet NIST 800-171 and its 320 assessment objectives.
AWS and Azure Specific FAQs
- How does AWS support CMMC compliance?
- AWS provides a range of services and tools to help organizations meet CMMC requirements. AWS offers compliance programs and resources, including AWS Artifact, which provides access to security and compliance reports, and AWS Config, which helps assess, audit, and evaluate the configurations of AWS resources.
- How does Azure support CMMC compliance?
- Azure supports CMMC compliance by offering a range of compliance offerings and tools. Azure provides detailed documentation and guidance on implementing CMMC controls and ensures that its cloud services meet the necessary security requirements. Azure also offers Azure Policy and Azure Security Center to help manage and monitor compliance.
- Can AWS and Azure be used to achieve CMMC Level 3 compliance?
- Yes, both AWS and Azure can be used to achieve CMMC Level 3 compliance. However, organizations must ensure that their implementation of AWS or Azure services meets the specific CMMC Level 3 requirements, including the necessary security controls and practices.
- What are the key differences between AWS and Azure in terms of CMMC compliance?
- Both AWS and Azure offer robust tools and services to support CMMC compliance, but they may differ in terms of specific features, integrations, and user interfaces. Organizations should evaluate both platforms to determine which best meets their specific needs and compliance requirements.
- Do AWS and Azure provide any specific tools for CMMC assessments?
- Yes, both AWS and Azure provide tools to assist with CMMC assessments. AWS offers AWS Audit Manager to automate evidence collection and AWS Security Hub to centralize security alerts. Azure provides Azure Policy to enforce organizational standards and Azure Security Center to manage security posture.
Microsoft GCC High Specific FAQs
- What is Microsoft GCC High?
- Microsoft GCC High is a cloud environment designed to meet the unique and evolving requirements of the U.S. Department of Defense (DoD) and contractors holding or processing DoD controlled unclassified information (CUI) or subject to International Traffic in Arms Regulations (ITAR).
- How does Microsoft GCC High support CMMC compliance?
- Microsoft GCC High meets the compliance requirements for various certifications and accreditations, including NIST SP 800-53 controls at a FIPS 199 High Categorization. It provides a secure environment for handling sensitive information and supports the necessary security controls for CMMC compliance.
- Who is eligible to use Microsoft GCC High?
- Organizations that meet the eligibility requirements, such as those holding or processing DoD CUI or subject to ITAR, can use Microsoft GCC High. Eligibility is confirmed through a validation process.
- What are the key features of Microsoft GCC High?
- Microsoft GCC High offers enhanced security and compliance features, including background screening for personnel, strict access controls, and compliance with U.S. government standards. It also provides tools for managing and monitoring security posture.
- Can Microsoft GCC High be used for non-DoD contracts?
- While Microsoft GCC High is primarily designed for DoD and ITAR-related contracts, it can also be used by other government agencies and contractors that require a high level of security and compliance.
- How do I get started with Microsoft GCC High?
- To get started with Microsoft GCC High, organizations need to engage their account team or preferred partner to initiate the validation process. Once eligibility is confirmed, they can purchase licenses and set up their environment.