Frequently Asked Questions

  • What Type of Deliverables or Documentation does CMMC Require?
    Like NIST 800-171, it is a requirement of CMMC to provide a System Security Plan as well as policies and procedures on how you implement the practices found in CMMC. The auditor will most likely need to provide a Report on Compliance, like that of PCI and FedRAMP.
  • Can we Help Contractors Perform a CMMC Assessment AND Perform their Audit?
    No. They have made it quite clear that they do not want the organizations who are performing the audits to also be the ones implementing the CMMC requirements for the contractor.
  • Who is going to be Accrediting These CMMC Auditors?
    An organization called the CMMC Accreditation Body. This is a non-profit organization that has signed an MOU with the DoD and will be the entity vetting and selecting C3PAOs. This process has not yet begun.
  • How do we Become a CMMC Auditor?
    You will need to become an accredited 3rd party commercial certification organization. We are not sure what the exact steps are on how to get this done right now. We do know that you will need to go through some sort of a vetting process to become an accredited auditor. Once you’ve become accredited you will be able to start auditing companies and handing out certifications.
  • How Much will this Whole Process Cost Me?
    We can’t say for sure. That depends entirely on the market. Ms. Katie Arrington and her team have made it clear that they are trying to keep the cost down and are encouraging industry to automate as much of this process as possible. ComplyUp is taking that approach and applying it to our business model. Our software is cost-effective and practical. Our existing 800-171 platform can get you your NIST 800-171 documentation, and when the time comes, we’ll migrate you to the new CMMC standard at no additional cost. We’ve also screened several auditing organizations and selected our partners based on the promise that they keep their costs low when working with our clients. The cost and associated assessment will likely scale with the level requested.
  • How Often do we Need to re-certify?
    Current information suggests most CMMC levels will require recertification once every 3 years.
  • What are Step I can Take Now to Prepare for CMMC Certification?
    1. Get NIST 800-171 documentation out of the way. This will get you through many of the CMMC Level 3 requirements and keep you compliant with the current DFARS clause.
    2. Identify the remaining CMMC requirements you expect to be subject to (future RFPs or your prime will determine what level you need to meet). Be ready to address any gaps you find and implement solutions to remediate them since CMMC requires 100% implementation. Identify and hire a reputable cyber company to help with pre-audit support.
    3. Identify an authorized 3rd party to audit your assessment and give you a certification for the level you need. There are currently no companies that are accredited to give an official CMMC audit and certification, but the CMMC AB has indicated a small number will be available soon.
  • Which Level of CMMC will I Need to be Certified in?
    We’re not sure yet. This will depend entirely upon what level of certification your contract requires and the sensitivity of the information you handle. We can say this: ALL companies handling CUI can expect to need to certify at a CMMC Level 3 certification (which will include all 110 controls from NIST 800-171) at a minimum. Levels 1 and 2 will be required of companies that handle FCI (Federal Contract Information) while Levels 4 and 5 will be required among a small subset of contracts handling extremely sensitive information. The safe bet at this point is to shoot for a Level 3.
  • What if we Don’t Handle CUI? Do we Still Need to be Certified?
    Yes. All companies doing business with Department of Defense will need to obtain CMMC.
    Even if you are a subcontractor.
  • Is CMMC Self-Certification?
    Unlike NIST 800-171, CMMC cannot be self-certified.
  • CMMC and NIST 800-171 are Different?
    Yes. Many of the same controls that are in NIST 800-171 will be included in CMMC along with controls from other standards such as ISO, FedRAMP, and various NIST frameworks.
    CMMC also requires a 3rd party audit in order to gain certification, whereas 800-171 is a “self-certification”.
  • Is the CMMC Framework Available to the Public?
    Yes. Version 1.02 is available at
  • What is CMMC?
    The Cybersecurity Maturity Model Certification is a new standard that will take the place of NIST 800-171 on DoD contracts. CMMC is not entirely derived from NIST 800-171; rather, it builds upon it along with many other regulations to create five levels of certification that will better reflect the type of cybersecurity that a contractor will need to attain for a particular contract.
  • If CMMC is Replacing NIST 800-171, why would I need to Comply with 800-171 now? Why not just Start with CMMC?
    CMMC and NIST 800-171, while very similar, are different frameworks. The current DFARS clause requires compliance with NIST 800-171, not CMMC. They’re different frameworks that require different documentation. When you enter your information into the SPRS it is asking for a score of your NIST assessment as well as whether or not you have a NIST System Security Plan. Also, it’s good practice to get compliant with NIST first as it is the current requirement but also because as you work your way through NIST, you are also working towards CMMC L3 certification (being that you can map the 110 controls in NIST to CMMC L3).
  • How does NIST 800-171 Relate to CMMC?
    NIST 800-171 is the current requirement in contracts containing the DFARS clause 252.204-7012. CMMC is positioned to start replacing NIST 800-171 in contracts starting in 2021 and gradually rolling out over the next 5 years.
    CMMC contains 5 levels of certification ranging from “basic cyber hygiene” to “advanced”. NIST 800-171 is comparable to CMMC Level 3, as far as the requirements go. All 110 controls for NIST 800-171 can be found in CMMC Level 3. Essentially, if you are 100 percent implemented on NIST 800-171 then you are a good bit of the way done with CMMC Level 3.
  • How do I Generate my SPRS Score?
    You’ll need to conduct a basic assessment of NIST 800-171. This will require you to answer implemented, not implemented, or partially implemented to each of the 110 requirements. You’ll then need to score those answers against the DoD scoring algorithm. Each requirement is weighted separately. The lowest score you can have is -203 with the highest being 110.
    There is no failing score and there is no passing score. The only requirement that hints at failing is the requirement to produce a System Security Plan. If you do not have a System Security Plan created, then you will have to enter a score of Not Available (not technically failing but certainly not complying). So, in order to comply with NIST 800-171 you’ll need your SPRS score, a System Security Plan and a Plan of Action and Milestones.
  • What are the Steps Involved with Becoming NIST 800-171 Compliant? Where do I Begin?
    First, you’ll need to identify what CUI or FCI you are receiving from the DoD or prime. This will help you to “scope” your environment out. This, often, is easier said than done. You may need to consult with your contracting officer or prime contractor to properly identify this sensitive information.
    Debatably, scoping is the next step in the NIST process. Identify the IT systems that need to be assessed. It is possible your network is split up into different sections. Maybe your office computers are on an entirely different network than your production or manufacturing servers (where the CUI is processed). If so, you may be able to focus your assessment on the production servers exclusively.
    Once you’ve “scoped” out the environment(s) (or system) that needs assessed, you’ll need to complete a gap assessment of that environment(s). Start by working your way through each of the requirements, one by one. The requirements are identified in Section 3 of NIST 800-171. They’re broken down into 14 families. Read the requirement, consider your environment, and work out a response. If the requirement is implemented, you’ll need to document how you’ve implemented it. If it is “Not Implemented” you’ll need to create plans on how you intend to remediate the deficiency.
    Then, when you have conducted your gap assessment, you’ll need to score that assessment using the DoD scoring algorithm. This will give you a score of between -203 and 110. This score, along with some information on your System Security Plan and POAMs, will need to be entered into the SPRS system.
  • Does NIST 800-171 Apply to Subcontractors?
    The DFARS clause 252.204-7012, which contains the requirement for compliance with NIST, flows down from the prime to the subcontractors. In fact, even if you’re a sub and you have other subs underneath you, you’ll need to require NIST compliance of your subs as well.
  • What is a System Security Plan and POAM?
    A System Security Plan is a document that shows how you’ve responded to each of the 110 controls/requirements in NIST 800-171. It should outline system boundaries, system interconnections and responses to the controls. This, essentially, means that you’ll need to respond to each requirement as either Implemented, Not Implemented, Not Applicable or Partially Implemented. Once you have given the control a status, you’ll need to describe why you selected that status. If the control is implemented, then describe how your organization meets the requirement. If the control is not implemented, then you’ll need to create a POAM for that requirement.

    A POAM is a Plan of Action and Milestones. When you find a deficiency, or a requirement that your organization does not currently meet, then you’ll need to create a plan to get that deficiency remediated. That plan is your POAM. It shows that you have acknowledged the deficiency and have a good plan for getting the requirement implemented. POAMs will consist of the reason for the deficiency, plans to correct the deficiency and a realistic timeline of when those plans will be completed.

    You’ll need both your System Security Plan and Plan of Actions and Milestones to claim compliance to NIST 800-171.
  • What is CUI?
    Controlled Unclassified Information (CUI) is the data the government wants you to protect. You may have access to it for manufacturing items used by DoD or for executing a services contract. They believe its sensitive enough to warrant specific cyber defenses to keep it safe.
  • How Do I Comply with NIST 800-171
    NIST 800-171 is a list of 110 requirements regarding cybersecurity. To claim NIST 800-171 compliance you need to assess your organization against each of the requirements, formally document how you meet each requirement, and plan to make changes to your IT systems and processes as necessary to resolve any deficiencies you discovered during the assessment.
    You’ll need to be able to present 3 items to claim compliance to NIST 800-171:
    • A System Security Plan
    • Plan of Action and Milestones
    • Your SPRS score
No questions matching current filter