FAQs about NIST and CMMC Compliance

Compliance can be tricky, we get it. Here are some frequently asked questions for reference on NIST and CMMC compliance.

WILL MY ORGANIZATION NEED TO BE CERTIFIED IF IT DOES NOT HANDLE CUI?

DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store, or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results, with an annual affirmation by a senior company official, into SPRS.

WHAT IS THE DIFFERENCE BETWEEN A CMMC SELF-ASSESSMENT AND A BASIC ASSESSMENT REQUIRED AS PART OF THE DOD ASSESSMENT METHODOLOGY?

A CMMC self-assessment will apply to those companies that are only required to protect the information systems on which FCI is processed, stored, or transmitted, and to a subset of companies that are required to protect CUI. The CMMC self-assessment should be completed using the CMMC Assessment Guide codified in 32 CFR for the appropriate CMMC level. A CMMC self-attestation is a representation that the offeror meets the requirements of the CMMC level required by the solicitation. The CMMC program will require an annual self-assessment and an annual affirmation by a senior company official.


A “Basic Assessment”, as defined in DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, means a contractor’s self-assessment of the contractor’s implementation of NIST SP 800-171 that:

  • Is based on the Contractor’s review of their system security plan(s) associated with covered contractor information system(s);

  • Is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology; and

  • Results in a confidence level of “Low” in the resulting score, because it is a self-generated score.

WHAT IS THE DEPARTMENT’S INTENT REGARDING ACCEPTANCE AGREEMENTS BETWEEN CMMC AND OTHER CYBERSECURITY STANDARDS AND ASSESSMENTS?

The Department is pursuing development of acceptance standards between CMMC and other cybersecurity standards and assessments, including between CMMC Level 2 (Advanced) and the NIST SP 800-171 DoD Assessment Methodology at the High assessment confidence level, as well as between CMMC Level 2 and the GSA Federal Risk and Authorization Management Program (FedRAMP) requirements for commercial cloud service offerings. Furthermore, DoD is working with international partners to coordinate on potential agreements between CMMC and their respective cybersecurity programs. Any such equivalencies or acceptance standards, if established, will be implemented as part of the rulemaking process.