Stacy Bostjanick, Director of CMMC Policy for the OUSD A&S, DoD, Mike Raeder, former Deputy CISO, Director Information Security for Northrop Grumman, and Alise Brzezinski, Practice Lead CMMC for Fortalice Solutions collaborated to answer viewer questions from our latest webinar, “Everything You Wanted to Know About CMMC Preparedness”. If you missed this webinar or would like to watch it again, you can view it below.
How are COTS out-of-scope (e.g., from an application security review) but not in their role to support a broader system?
A COTS provider of a component that has not been updated for DoD purposes is exempt. If the COTs provider receives CUI they will need to achieve CMMC Level 3.
Why is NIST SP 800-171 R1 referenced and not NIST SP 800-171 R2?
R2 changed to 800-172
I was under the impression that there were only 17 domains? Was a domain added recently?
There are only 17 the 18th one was consolidated with one of the others.
There was some early discussion of some of the costs associated with CMMC compliance being reimbursable from DOD. Is that still the case? What is reimbursable? And how will it be done - through contracts?
It is an allowable cost under your overhead and G&A rates to the level 3.
We have multiple CAGE codes in our company, many need to be compliant with CMMC L3. Should the NIST 800-171 self-assessment be submitted for each CAGE code or if we have one SSP covering multiple CAGE codes, can we just submit once in SPRS system?
I think Stacy answered this during the panel. I believe she said it was possible to submit a single self-assessment to multiple cage codes, but this should be verified.
How would you know the CMMC level you need to comply with?
This information will be in RFP for bidding and in the final contracts and should be disseminated from prime contractors to their subs as needed.
Will there be some contracts that require less than Level 3 certification? If not, why even have a Level 1 and Level 2?
Yes. It is expected Level 1 will be used in DoD contacts. It’s possible that level 2 does get added, but at this time, level 2 is not planned as a common protection level for DoD contracts and is intended to be used as a roadmap step to get from L1 to L3.
Alise mentioned that COTS are out of scope. Could you please elaborate on that? For example, would an SAP ERP system be considered out of scope?
COTS products, unaltered and by themselves, would typically be OUT of scope. However, if COTS systems are used to access, store or transmit CUI, then they would be in scope for compliance under CMMC.
Is there any overlap between CMMC controls and NIST CSF?
There certainly are similarities between some of the controls and control families in CMMC and the NIST CSF.
I'd like to hear more detail on COTS - out of scope - commercial off the shelf software? Do I interpret this to mean that the scope of plan should not include commercial systems such as the Windows operating system and scope focused on the unique developed solutions a party is using to provide government services?
Similar to the first COTS question. If COTS systems are used in the creation, access, storage or transmission of protected data as defined under a DoD contract, the COTS product needs to comply with the CMMC level specified in the contract.
How much time should be allocated to reviewing each control for Level 3 maturity (e.g., should an organization anticipate 1 to 2 hours per control for review)? What should a readiness assessment cost - recognizing variance based on size and complexity of the organization?
Each organization is unique and can be at different stages of control maturity. The cost and time to prepare for a C3PAO engagement is going to vary based on where your cyber program maturity sits today and the gaps that need to be closed to be ready for the assessment. A good approach would be to look at the controls and determine how likely you feel your organization will receive a contract in the future that may contain the CMMC requirement and back plan from there. The cost is considered allowable under the contract.
How is the identifying and dealing with CUI affected by workers teleworking due to COVID? For example, if my accountant looks up contract information in Quickbooks on her home computer do I need to validate her computer or just the process we call out to secure it?
This is similar to the COTS question in that any system used to access, transmit, store CUI will be required to comply to L3 controls as defined in the CMMC.
With the recent release of NIST 800-53 Rev 5, will this impact the number of Level 3 practices that organizations will need to implement to reach this level?
I think Stacy answered this during the panel as well. I think she said currently it will not impact the model as it stands to today, but keep in mind that the DoD developed this to be an agile framework that can be updated and improved, and the threat environment changes.
Am I able to have an audit scheduled that would perform L1 for most of my enterprise system and L3 for just a few systems? If I fail the L3, would I still be able to pass the L1?
I not 100% sure on this one, but I think that for right now, the CMMC 3rd party assessor organizations are being trained to assess at L3 only. L4/L5 are being planned in the future. A while back I heard that L1 was going to be a self-attestation since it was based on the existing FAR cyber controls.
If we believe we don't have CUI but our customer requests us to provide a CMMC certification, can we refuse?
CMMC is a contract requirement. Contractors should have a discussion with their primes or customer program offices if there is a question over the existence of CUI and the required level of compliance on any specific program.
How can the GSA Stars contract require CMMC accreditation, since DoD is only selecting 15 contracts for FY21?
I am not familiar with the GSA STARS contract, but as I understand it, currently the DoD is the only organization actively working the CMMC into contracts, however, there has been interest from other government agencies and organizations who may adopt the CMMC in the future.
How do you know when you will need to be CMMC compliant for your contracts? What date?
It will be in RFPs for new DoD contracts and recompetes following the published role out schedule. Prime contractors should be communicating the contract requirements to their subs as part of the bidding process.