Question 1

When does CMMC go into effect?

Accepted Answer

V1.0 of the CMMC was released on January 31st 2020. The audit program is being developed and should be in full effect by fall of 2020.  CMMC will appear in Requests for Information (RFI's) and Requests for Proposal (RFP's) as early as August 2020.

Question 2

How many controls does CMMC require?

Accepted Answer

There are different controls totals for each level within CMMC:
CMMC Level 1: 17 Controls
CMMC Level 2: 72 Controls & 2 Processes
CMMC Level 3: 130 Controls & 3 Processes (This is the 1st level that fully achieved NIST SP 800-171 coverage)
CMMC Level 4: 156 Controls & 4 Processes
CMMC Level 5: 171 Controls & 5 Processes

Question 3

What is the minimum CMMC level you need to reach NIST SP 800-171?

Accepted Answer

CMMC Level 3 is the first target level fully addressing NIST 800-171 and it covers 20 controls beyond NIST SP 800-171 (a total of 130).

Question 4

If I’m not CMMC certified what does that mean?

Accepted Answer

Starting as early as August 2020, you will no longer be able to submit proposals to provide services in the DoD supply chain.

Question 5

What is the difference between CMMC and NIST?

Accepted Answer

CMMC is a certifiable standard that requires regular audits to obtain and maintain certification. NIST is a self-attestable standard that allows organizations to self-attest to their own security maturity.

Question 6

If we have relatively immature security program, how long will it take to get CMMC certified?

Accepted Answer

A reasonable assumption for achieving Level 3 CMMC readiness is 6 – 10 months.

Question 7

How much does CMMC certification cost?

Accepted Answer

Until the auditor program is fully established the actual cost of the audit has not yet been established. A reasonable guess for the audit is $20 – 40K.
Establishing an information security program that is capable of being CMMC Level 3 certified can be a notable expense dependent upon the current maturity of your program.  If you already have a mature NIST 800-171 compliant environment in place it may be $20K or less.  If you are starting from scratch it could be $50 – 150K.  See this blog for a better explanation on the price ranges.

Question 8

What is the difference between CMMC and NIST 800-171?

Accepted Answer

CMMC is a certifiable standard that requires a third party audit to confirm that you are compliant with the standard, NIST-800-171 is a self-attestable standard to protect the same CUI that CMMC does.  All organizations that become CMMC certified (level 3 or higher) will still need to be 800-171 conforming and the CMMC certification will demonstrate that they have achieved 800-171 as well.

Question 9

With the DoD’s more “limited roll out” I heard about should we get CMMC certified this year?

Accepted Answer

Many of the companies in the Defense Industrial Base we are speaking with believe that it will be a competitive advantage to do so. Our understanding is that larger Prime’s will either require or favor those that are as they are building “pursuit teams”.

Question 10

Should we start preparing for CMMC with a Gap Assessment?

Accepted Answer

A gap assessment is a good approach if you know that you have a very mature information security program that includes the required CMMC artifacts (e.g., Risk Assessment, System Security Plan, etc.).  If not, you are better off viewing this as an implementation, with establishing the scope of your CUI environment as the best first step.  See this blog for additional detail on approach.