CMMC: Top 10 Questions - USX Cyber

Top 10 Questions We’re Asked Most About CMMC

Updated September 6, 2023

With the recent news from the DoD surrounding CMMC codification, many businesses are revisiting what compliance may look like in the upcoming months. Without final rules being shared up to this point, there are still a lot of unknowns that are keeping business leaders from taking action.

We asked our team of experts what questions they’re seeing come up most often and the advice they give to our customers at USX Cyber.

1. What is CMMC, and why is it important for government contractors?

CMMC, or the Cybersecurity Maturity Model Certification, is a framework introduced by the DoD to enhance cybersecurity practices in the defense supply chain. It’s essential because it ensures that organizations handling Controlled Unclassified Information (CUI) maintain a strong cybersecurity posture, protecting sensitive data and national security.

2. When will CMMC become a requirement for defense contracts?

The timeline has varied over the past few years, but with the DoD’s recent update and its submission to the Office of Management and Budget for review, we can expect to see this appear in the next year or so. While there’s still time to get compliant, it’s best not to wait much longer. Getting compliant ahead of time ensures that you won’t fall behind on new contracts, and it can make your business a more competitive option for current bids because compliance is already taken care of.

3. How does CMMC differ from NIST SP 800-171?

CMMC builds upon NIST SP 800-171 by adding more depth and specificity to cybersecurity requirements. It introduces three levels of maturity, indicating a progression in security practices, and focuses on safeguarding Controlled Unclassified Information (CUI). At this time, CMMC is applicable only to contractors currently working or planning to work with the DoD, while NIST 800-171 covers businesses that may not be working with the DoD but still deal with CUI. 

4. What level of CMMC certification do I need?

The specific CMMC level required depends on the type of contracts you have or plan to pursue. The DoD will specify the required level in the Request for Proposal (RFP) or contract. It’s important to align your cybersecurity efforts with these requirements. You should also note that the level of compliance in the contract may not apply to all of the subcontractors producing work under that RFP. Each contractor will only need the level of compliance aligned with the data that they specifically work with, not what’s defined in the contract as a whole. For example, if a prime contractor requires compliance at Level 3, but they’re only passing Federal Contract Information to their subcontractors to complete a certain aspect of the contract, that subcontractor only needs to be certified at a Level 1.

5. How do I prepare for a CMMC assessment?

Subcontractors should really start by understanding the most up-to-date CMMC requirements and aligning their cybersecurity practices from there. Reviewing resources such as USX Cyber’s CMMC Webinar from earlier this year can help build and renew that necessary context. Once a business better understands this new rulemaking, it’s a good idea to conduct a self-assessment to identify gaps and areas needing improvement. USX Cyber also provides a free consult to review your current cybersecurity practices and the CMMC gaps you may need to address.

6. What’s the role of a Certified Third-Party Assessor Organization?

C3PAOs conduct official assessments to determine an organization’s level of CMMC compliance. They evaluate your cybersecurity practices, policies, and controls to ensure they align with the requirements of the chosen CMMC level. A third-party assessor will be required for Level 3 compliance needs. Partnering with USX Cyber also provides access to our recommended assessors who will assist with compliance roadmapping alongside our team of experts.

7. How can my organization demonstrate CMMC compliance?

In order to demonstrate compliance, you’ll need to have full understanding and documentation of how your business satisfies the requirements for CMMC. This documentation and necessary expert support should come standard with any cybersecurity provider you’re working with. At USX Cyber, you gain direct access to our team of experts to provide the necessary documentation and controls when it’s necessary to demonstrate your compliance. 

8. Can subcontractors be held liable for non-compliance?

Yes, subcontractors will be held liable for non-compliance with CMMC requirements. Prime contractors and the DoD prioritize secure supply chains, which means compliance expectations extend to all tiers of the supply chain, including subcontractors. In fact, it’s common for prime contractors to request or prefer subcontractors that are already compliant, even though the rulemaking hasn’t been formally codified at this time.

9. What if we’re not ready for CMMC by the time contracts require it?

Non-compliance could lead to missing out on valuable contract opportunities, which is why it’s important for businesses to consider and prepare for compliance now. Simply put, your business isn’t eligible to bid on contracts that require CMMC until you’re compliant, and this includes acting as a subcontractor for primes that are bidding on relevant RFPs.

10. How can I ensure continuous compliance as regulations evolve?

It’s always a good idea to stay up-to-date with industry news and changes. However, it can be a lot to stay on top of a business as well as regulations and their complexities. Finding a cybersecurity partner who keeps track of the status for you ensures you can focus on what really matters for your business. The team at USX Cyber stays up to date with compliance changes and needs, and our own platform adapts and improves when there are changes. That way, we not only know what’s coming up, but our customers are also protected without even having to think about it.

What can I do now?

As details become formalized and updates are released, our team of compliance specialists will be sharing them regularly. Be sure to get in touch with a USX Cyber team member to talk more about how you can proactively prepare, learn what CMMC may mean for your business, and receive updates on this and other important cybersecurity topics.

Don’t let the unknown stall out the growth and operations of your business. By developing a deeper understanding of CMMC, you can ensure you’re ready for the change in upcoming contracts and bids.