CMMC 2.0 FAQs
Do you have a question about CMMC compliance? Check out our frequently asked questions below or contact our team of certified professionals for help.
What’s different about CMMC 2.0?
What organizations need to comply with CMMC 2.0?
- DoD prime contractors
- DoD subcontractors
- Suppliers at all tiers in the DIB
- DoD small business suppliers
- Commercial suppliers that process, handle, or store CUI
- Foreign suppliers
- Third parties that handle CUI on behalf of DoD contractors, such as IT managed service providers
Why is CMMC compliance important?
DIB contractors hold and use sensitive government data to develop and deliver goods and services. CMMC compliance helps ensure that they secure this information the same way that military departments and government agencies do.
What is the relationship between NIST 800-171 and CMMC?
Compliance with NIST standards is levied as a contractual requirement through the inclusion of clauses such as FAR 52.204-21 and DFARS 252.204-7012. CMMC requirements result in a contractor self-assessment, or a third-party assessment by a CMMC Third Party Assessor Organization (C3PAO), to determine whether the applicable NIST standard (as identified by the DFARS clause) has been met. Under CMMC 2.0, a Level 2 assessment is conducted against NIST SP 800-171, and a Level 3 assessment adds a subset of NIST SP 800-172 requirements on top of the Level 2 baseline.
Does CMMC apply to all government contractors?
Today CMMC applies only to DoD contractors, and the DoD is now beginning to require certification in certain contracts. In the future, CMMC may apply to non-DoD government contractors as well.
Is CMMC required for the DIB?
CMMC is a certification program introduced to improve supply chain security in the defense industrial base (DIB). By the end of 2025, the DoD plans to require contractors that handle FCI or CUI to be certified at one of the three CMMC levels, with the level set by the contract.
What steps are involved in becoming CMMC 2.0 compliant?
Becoming compliant involves identifying the compliance level your contracts require, defining the systems that handle FCI or CUI, conducting a gap assessment, and implementing the necessary cybersecurity controls. Organizations must document their policies and evidence, and then either complete a self-assessment or undergo a third-party (C3PAO) assessment, depending on the level required; Level 3 assessments are led by the government.
How long does the certification process take?
The timeline can vary depending on your organization’s preparedness and the level of compliance required. On average, the entire process can take anywhere from 12-18 months.
How often do we need to renew our certification?
CMMC 2.0 certifications are valid for three years. At the end of that period, organizations must undergo a new assessment to confirm that they still meet the requirements of their compliance level. Significant changes such as mergers and acquisitions can trigger the need for a new third-party assessment if the assessed system changes. In addition, organizations must affirm their continued compliance annually; Level 1 requires an annual self-assessment.
What types of data require protection under CMMC 2.0?
CMMC 2.0 focuses on protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Level 1 applies to organizations that handle only FCI; Levels 2 and 3 apply to organizations that handle CUI.
When will CMMC 2.0 be fully implemented?
Where can I find more resources on CMMC 2.0?
Don’t Miss Out On Contracts! Meet CMMC 2.0 Compliance Requirements.
As a Registered Provider Organization (RPO), our team at CTI has CMMC certified professionals to help support all your CMMC needs. We have over 20 years of combined experience supporting DoD programs in information technology, information assurance, and cybersecurity. Contact us today to discuss more about your unique situation and how we can help!
Learn more about CTI’s LevelUp Roadmap & Process here!