CMMC Connect Podcast & FAQs

Looking for detailed insights on the latest CMMC updates and best practices?  

Listen to our CMMC Connect podcast replays to hear our experts dive deep into the most pressing questions from each session. 

Prefer a quick read? You can find concise summaries of key questions and answers below the podcast link.

September 2024

Can you share an update on where CMMC is at, and where to start for organizations just beginning to look into becoming CMMC compliant?

The CMMC rule (32 CFR) has finished its review and is now in the prep stage for Congress to review. The public comment period for the related 48 CFR rule is still ongoing and closes on October 15th. Organizations new to CMMC compliance should immediately contact a C3PAO because many are already backlogged, and certification could be delayed until 2025. It’s important to reach out now to get on the schedule, even if you’re not ready for certification yet.

How many days to expect editing after close of Public Comments (48 CFR)? Last (32 CFR) was done in less than 60 days, [Christmas-Valentines] so could this rule be edited/published by Thanksgiving?

The editing period depends on the volume of public comments received, but past experiences show that highly technical rules can be edited in less than 60 days. It’s possible that this rule could be edited and published by Thanksgiving, depending on the comment volume.

Is MSFT 365 in Government Cloud enough to meet the security of CUI communications? Or, is there a unique configuration needed?

Microsoft 365 Government Cloud (GCC) has the foundation to meet or exceed CMMC requirements, but it must be properly configured and managed. Unique configurations may be needed depending on the client’s specific environment, technology usage, and how the tools are implemented.

Is there any way to make my Microsoft commercial cloud instance work to meet CMMC requirements? If not, how hard is it to lift and shift to Gov Cloud?

Technically, for CMMC Level 1, you may use Microsoft Commercial Cloud, but Microsoft strongly advises against using it for any government-related data. For CMMC Level 2 (involving CUI), you must move to Government Cloud. The complexity of lifting and shifting depends on the environment, data, and integrations involved, but it is generally doable.

What's the most common licensing tier needed in Gov Cloud for Microsoft and what are services to get the mainstream security required by CMMC?<br />

The most common licensing tiers are G5 or G3 with G5 security add-ons. The services needed vary by the client’s specific requirements and could include things like Azure virtual desktops or virtual servers, depending on how the company operates and manages CUI.

I have DFARS 252.204-7012 in a contract, but no CUI as part of that project or anywhere else.<br /> I do have FCI in the system.<br /> Does the 7012 requirement mean I should comply with Level 1?<br />

If you have DFARS 252.204-7012 in your contract but no Controlled Unclassified Information (CUI), you may only need to comply with CMMC Level 1, which applies to the protection of Federal Contract Information (FCI). However, the presence of CUI in the future could change this requirement, so it’s crucial to assess your environment regularly and know the type of data you handle.

In performing CMMC assessment scoping, do you consider encrypted data as CUI data?<br />

Encrypted data is still considered CUI unless it is specifically excluded or marked otherwise. During CMMC assessments, the focus is on how the data is protected, not whether it is encrypted. CUI remains CUI even if encrypted, and assessors will check if it is properly marked and handled, as well as how encryption is applied.

Controlling printed CUI material - especially for a construction company/Identifying CUI data flows

For a construction company, printed CUI material must be physically controlled. This includes limiting access, secure storage when not in use, and preventing unauthorized access.

For data flow, the organization must identify where CUI enters, is processed, and exits the system. Understanding these flows is critical for setting the scope of the assessment and ensuring proper protections.

Does an IT consultant fall into scope as a Security Protection Asset at Level 2 if they have admin privileges to a CUI network?<br />

IT consultants with admin privileges to a CUI network are not typically considered security protection assets themselves. However, their access is governed by controls related to access control, identification, authentication, and audit requirements under CMMC, ensuring only authorized personnel handle CUI.

Who bears the ultimate responsibility when in a contract with prime it is not required that the supplier is CMMC Level 2 compliant, but still the prime shares CUI with the supplier by mistake, which is later on compromised from the supplier's infrastructure?<br />

If a prime contractor shares CUI with a supplier by mistake, which is then compromised from the supplier’s infrastructure, the incident must follow established incident response processes. This includes notifying the DoD within 72 hours and preserving relevant data for investigation. Responsibility ultimately lies with the party handling the data, but legal counsel should be consulted to clarify obligations.

Sub Processors and ensuring CMMC compliance across cloud services (Salesforce, O365, etc...)

For ensuring CMMC compliance with cloud services like Salesforce or O365, it’s essential to configure these services properly and confirm they meet FedRAMP Moderate or equivalent standards. A shared responsibility matrix should define which controls are handled by the cloud provider and which are the client’s responsibility. The correct configuration of the cloud services is vital to meeting CMMC requirements.

How is the Government reacting to the high cost to small businesses to prepare for and get assessed for CMMC compliance?<br />

The government has taken steps to help small businesses by offering resources like Manufacturing Extension Partnership (MEP) centers, which provide training and support. Additionally, some compliance-related costs can be submitted as allowable costs under certain contracts. Small businesses are encouraged to use these free resources and work with reputable providers to minimize the burden of compliance.

August 2024

When are we able to get certified and when are we required to get certified (earliest possible contract requirement)?

When will subcontractors need to be fully (no POA&M) self-certified to receive awards of certain government contracts?

Certification can start once the rule is finalized, which is expected around September 2024 . Joint surveillance assessments are anticipated to end at that time, allowing formal CMMC certifications to begin. Contractual requirements, enforced through 48 CFR, may start as early as March or April 2025, depending on the sensitivity of the contract. 

Subcontractors may be required to be fully certified (with no Plans of Action & Milestones, or POA&Ms) by prime contractors as soon as CMMC goes live. Prime contractors can impose certification requirements on their subcontractors at any time once CMMC becomes mandatory, and it’s likely that primes will push to get their subcontractors certified before the DoD formally includes CMMC requirements in its contract. 

A common point of confusion is the difference between fiscal year and calendar year in government timelines. When the DoD refers to Q1 of 2025, they mean the fiscal year, which begins on October 1, 2024. This is often misinterpreted as the calendar year, but in reality, CMMC requirements could begin to appear in contracts as early as October 2024​. 

What is the current landscape is for JSVAP?

Since everyone is expecting 32 CFR to be out in Oct. Will we be able to schedule a JSVAP in the time between 32 CFR being published and into effect?

As of August 2024, Joint Surveillance Assessments (JSVAPs) are still being scheduled through October 2024, with a major ecosystem stress test planned during the week of October 21-25, 2024. During this test, 30 assessments will take place. However, there is uncertainty about whether JSVAPs will continue after the CMMC rule (32 CFR) is finalized, which is expected to happen around September or October 2024​. 

Scheduling JSVAPs After 32 CFR is Published: Once the rule is published, it’s expected that CMMC certifications will begin, and JSVAs may no longer be conducted. Therefore, the opportunity to schedule a JSVAP between the publication of 32 CFR and when it goes into effect may be very limited. It’s recommended to schedule assessments as early as possible before the final rule is published, as the transition from JSVAPs to formal certifications is anticipated to happen quickly.

Costs to small businesses to become CMMC 2.0 certified?

How small businesses can get CMMC certification without breaking the bank.

The costs for CMMC certification will vary depending on the scope and complexity of the business’s environment. Factors like the number of locations and the scope of CUI data involved will influence the assessment cost. Small businesses can reduce costs by minimizing their CUI footprint.​

Can CMMC compliance be achieved in commercial cloud?

CMMC compliance in commercial cloud environments (e.g., Microsoft Commercial Cloud) may not meet certain requirements, particularly for more sensitive types of CUI data. It is recommended to use GCC or GCC High for environments dealing with CUI data with dissemination limitations.

Does Redspin have a solution to host small business for CUI and if so, how does that work?

Redspin offers cloud solutions and Managed Service Provider (MSP) services for CUI hosting. They do not host clients in their own enclave, but they can assist with consulting and help small businesses prepare for CMMC certification.

BYOD: Allowed as an in-scope asset as a view only (i.e., view-only to a secure cloud CUI enclave)?

If so, what would the specific control requirements be (e.g., administrative: AUP/owner security responsibility, technical via organization mdm, etc.)?

BYOD (Bring Your Own Device) can be allowed, but it requires strict controls, especially when accessing a secure cloud enclave. This includes controlling the flow of CUI data to devices and implementing encryption, audit logs, and strict security policies. VDI (Virtual Desktop Infrastructure) may also be a solution to restrict device capabilities. 

 

  • Administrative Controls:
    • Acceptable Use Policy (AUP): Establish and enforce an Acceptable Use Policy that clearly defines the security responsibilities of the device owner and what actions are permitted when accessing the CUI enclave.
    • Owner Security Responsibility: Device owners must be informed and held accountable for adhering to security protocols, including reporting any potential security incidents or device loss.
  • Technical Controls:
    • Mobile Device Management (MDM): Implement an organization-wide MDM solution to manage and secure BYOD devices. This ensures that security settings, such as encryption, password policies, and remote wipe capabilities, are enforced on all devices accessing CUI.
    • Virtual Desktop Infrastructure (VDI): Use VDI to limit the interaction between the device and the CUI. VDI allows for a virtual environment where the device acts only as an interface (keyboard and display) while keeping CUI securely within the cloud.
    • Encryption: Ensure all data transmitted to and from the device is encrypted, both at rest and in transit, to maintain the confidentiality of CUI.
    • Access Control: Implement role-based access controls (RBAC) to restrict access to CUI based on job function and ensure that only authorized personnel can view CUI.
    • Audit Logs: Continuously monitor and audit device usage logs to ensure no unauthorized actions are being taken and to maintain compliance with security requirements.
When does equipment need to be in FIPS mode and when does it not?

FIPS mode should always be enabled when handling CUI. The only exception is when devices have been upgraded to FIPS 140-3, which is still in the testing phase.

When is NIST going to make mobile application security part of the audit since so many of the DIB do business via mobile devices and hold data there?

While this is a growing concern, it is up to NIST to decide when mobile application security will be formally included in audits. However, the issue has been raised, and organizations are encouraged to contact NIST directly for guidance via email to: cyber4R&D@NIST.gov.

Difference between CMMC 2.0 and FedRAMP Moderate Equivalency Memo

CMMC 2.0 looks inward, focusing on how organizations protect their own environments and CUI data, while FedRAMP focuses outward on the authorization of cloud services to operate securely in external environments. FedRAMP uses NIST 800-53, while CMMC uses NIST 800-171.

What training and training certificates are mandatory for Level 1 and for Level 2?

For Level 1, general user training based on industry best practices is sufficient. For Level 2, organizations need more targeted training, including security and CUI-specific training for all employees, and role-based training for administrators and executives​.

How can we identify CUI or what is our obligation if they are not marked CUI?

If CUI is not marked, organizations should reach out to their contracting officers for clarification. In the meantime, it’s better to err on the side of caution and treat the data as CUI until confirmation is received​.

In Performing CMMC Assessment Scoping, do you consider encrypted data as CUI data?

Yes, encrypted data is still considered CUI, as encryption only protects the confidentiality of the data, not its classification​.

How much of the CMMC program is geared towards different types of data centers.

The CMMC program applies to all types of data centers, whether owned by the organization or a colocation. The primary concerns are physical protection and technical controls, such as cameras, badging systems, and access control.

How will this affect organizations that are in Partnership Intermediary Agreement with the government rather than a government contract?

Organizations under Partnership Intermediary Agreements should review their contracts to determine whether cybersecurity requirements like DFARS 7012 or NIST 800-171 apply. If these clauses are included, CMMC will likely be required.

What are appropriate tools for our CMMC program - the collecting of artifacts, creation of SSP, basically a file repository? Smartsheet, Teams, Apptega, SmarterD? What controls should be considered when making a decision for what to use?

There is no specific requirement for using particular tools to manage CMMC compliance. Organizations can use whatever tool works best for them as long as they meet control objectives and can document evidence of compliance. This can include tools like Smartsheet, Teams, or Apptega.

July 2024

Will FCI now be considered CUI and have to be treated as such,when a company in the DIB graduates from just being NIST 800-171compliant, in order to achieve CMMC level 2?

Thomas: FCI and CUI are two separate designations of data. When you’re going through CMMC Level 2, it doesn’t eliminate your Level 1 responsibilities because CMMC builds on the levels. For example, to achieve Level 3, you must first schedule and pass Level 2.

Level 1 focuses on FCI, and once all updates are made into SPRS, you will need to update those requirements annually. Is this documented? Absolutely. However, I can’t provide the document numbers off the top of my head, and Tara might be disappointed in me for that, but there are distinct regulations governing this.

In short, FCI will not become CUI, as they are different designations of data.

I had a C3PAO tell me that they will charge extra if we have anyPOA&Ms that they have to come back and re-evaluate. So, havingPOA&Ms is not really an option for us small companies with very limited funds and resources...

…Is that C3PAO operating normally by charging extra?

Tara: This situation highlights the importance of thoroughly reading your contracts with any prospective vendors providing CMMC assessment services. Here are some key questions you should be asking your C3PAO:

  • What happens if there is an item that needs to be placed on a POA&M, and someone has to come back in 180 days?
  • Is that covered by the outlined costs in the fee breakdown?

As an OSC, it’s not just your right but also your responsibility to clarify these things. At Redspin, we strive to be as transparent as possible with our fees, but it’s essential to understand these details with any C3PAO you work with. If a C3PAO demands a high fee to validate or close out a POA&M, you do have options. Under the CMMC assessment process, you can choose another C3PAO if you find their fees unreasonable. Often, other C3PAOs may offer more competitive pricing for such tasks.

How do we flow down CMMC requirements to subs who are not willing or able to invest as necessary to become compliant?

Jeremy: The simple answer is, you don’t. You either find new subcontractors or apply enough pressure for them to implement the necessary changes and become certified. If you’re flowing down DFARS 7012 requirements, your supply chain must comply with CMMC requirements, just like your team. They will need to get certified as well. If they refuse, you may need to find a new vendor to fill that role within your supply chain. I’ve encountered this issue frequently with clients, especially when dealing with MSPs. Some MSPs may say, “You’re our only DIB client, so we’re not going through CMMC just for you.” In such cases, clients have had to find new vendors to perform those services. Ultimately, CMMC compliance is a series of business decisions, and you might need to part ways with long-time partners if they’re not willing to participate in CMMC

What are the best ways to vet suppliers to determine their capabilities of protecting CUI?

Jeremy: This question ties into the previous discussion on flow downs and supply chain management. Once the CMMC rule is live and assessments are in place, the easiest way to vet your suppliers will be to check if they are CMMC compliant. Until then, the tried-and-true method is using security questionnaires. While they may not be the highlight of our day, they serve a very valid purpose. If you have a supply chain of subcontractors to whom you’re flowing down DFARS 7012 requirements, it’s essential to have a vendor management program in place. Don’t just send out the questionnaires—ensure they get completed and returned. Review the answers thoroughly, and don’t hesitate to follow up with additional questions. For instance, if a supplier provides an answer that needs more detail, ask for clarification or their plans to improve on areas that don’t meet your standards. Until CMMC certifications are fully operational and easily trackable, these security questionnaires remain your best bet for vetting suppliers.

Is the CMMC rule going to incorporate portion marking?

Tara: So, I think portion marking is often misunderstood. Whenever you have a question about how to mark our documentation or any media, the best place to start is nara.gov. NARA, the National Archives and Records Administration, is the executive agent over the CUI program. They make all the rules and decisions regarding how to mark things. Now, about portion marking: it’s a way to further delineate types of CUI or other classified data within a document. It’s not required, though. You can choose to mark your entire document as CUI or whatever classification applies without using portion markings. However, if you decide to use portion markings, you need to do it consistently. This means marking each table,figure, drawing, and paragraph separately to show how each part should be handled. So, while portion marking isn’t mandatory, if you use it, you must apply it consistently throughout the document.

Will NIST provide an updated SSP template and SPRS calculationsheet for rev. 3 of NIST sp 800-171?

Robert: Not at this time. NIST SP 800-171 Rev 3 will not be incorporated into the CMMC program for at least a year, likely until the end of next calendar year. This delay is due to the extensive updates needed. The rule and associated documents must first be realigned with NIST SP 800-171 Revision 2. As part of this transition, all the assessor training and documentation will need to be updated. There’s a lot to be done, so it won’t be happening soon. However, I believe Vicki and Ron from NIST are already working on a new document that can be used once the updated version becomes active within the CMMC program. But as of now, there’s nothing available for anyone to use.

What are the consequences of not doing CMMC?

Jeremy: If you have a CMMC requirement, and choose not to pursue CMMC, the consequence is that you will no longer be eligible for DoD contracts. It’s a straightforward decision, but it involves more than it seems at first glance. CMMC compliance is a business decision. I’ve spoken to companies where DoD contracts make up a minimal part of their business, and they chose to let those contracts go instead of pursuing CMMC. On the other hand,for companies where DoD contracts are a significant portion of their business, it makes complete sense to pursue CMMC. Be aware that CMMC is not going away. It will become a contractual requirement for newly issued contracts, particularly Level 2 contracts involving CUI. These requirements will be part of Phase Two of the rollout. In Phase Three, CMMC requirements will be retroactively incorporated into multi-year contracts already in place. So, if you want to do business in the defense industrial base, CMMC compliance will be necessary. Opting out of CMMC means opting out of the DIB space entirely.

At what point could CUI not be considered CUI?

Thomas: The short answer, is that it’s considered CUI until the executive agent says otherwise. The executive agent is the only one who can change the designation of CUI information. Now, will a single line still be considered CUI? The line itself, no, but in the context of the contract, ifit was provided to you as CUI, it remains CUI until the executive agent changes it. If you encounter such a situation, you need to have a conversation with your contracting officer. However, keep in mind that the contracting officer or even the DoD may not be the executive agent. They might be working with other departments, like the Department of State or other branches within the DoD, and will need to seek clarification from the executive agent. CUI is a federal designation created to facilitate communication and information sharing between different federal agencies. This sometimes requires going not just up the chain within the DoD, but also laterally to other organizations.

References & Resources:
  • Jeremy referenced a hot take in July of folks asking for a quick, easy CMMC Implementation Strategy checklist. Well, we created one!
  • Tara Referenced good practices to vet a C3PAO. Check out our “5 Time-Saving Tips for Evaluating an MSP, ESP, or C3PAO” white paper
  • Written by Tara, this collection CMMC Assessment Interview Guides is packed with questions you/your team could be asked during an assessment (there are 14 individual guides, 1 for each of the 14 domains)
  • Tara shared an image in the chat: CMMC Asset Categories Overview
  • We’d love your feedback! Please fill out our CMMC Connect Follow-Up Survey

June 2024

What is your estimate of the 800-171 Revision 3 class deviation timeline...

How long will it last? Are we required to be compliant with NIST 800-171 Revision 3 for CMMC Level 2, once the CMMC rule is effective?

Currently, we will continue to follow Revision 2. The exact timeframe is uncertain at this moment. However, we are aware that there are changes between Revision 2 and Revision 3. For more details, please refer to the white paper linked here. We are not required to comply with NIST 800-171 Revision 3 for CMMC Level 2 at this time.

In Performing CMMC assessment scoping, do you consider encrypted data as CUI data? How long will it last?

Yes. The data doesn’t change whether it is encrypted or not. CUI data remains CUI data regardless of its encryption state.

When will CMMC be finalized? Will it be required for non-DoD work, if so, what are targeted agencies and timeline?

The DoD has been aiming for the end of the fiscal year 2024 (September 30th, 2024)for CMMC finalization. As of today (July 1st), the DoD is adhering to this timeline, with the latest update indicating that all 32 CFR public comments have been adjudicated. The rule has now progressed back to OIRA/OMB. Will it be required for non-DoD work? We don’t know yet, but there are rumors that other agencies might adopt CMMC once it is finalized. We are closely monitoring the Department of Education and other agencies for any mention of “NIST 800- 171,” as this could indicate a shift towards CMMC. Recently, the General Services Agency (GSA)issued a solicitation specifically referencing “CMMC,” which is a significant indication. Given that CUI is a designation, it wouldn’t be surprising if CMMC appears in requirements from other agencies for reciprocity.

Can second or third-tier subcontractors qualify for a JSVA?

Yes, we have assessed subcontractors under JSVA. Subcontractors do have DFARS 7012 requirements. If you are wondering if you qualify, reach out to us!

References & Resources:

May 2024

Our users are using Remote Desktop to connect to GCC High (CUI) AVD machines using un/pw/mfa. Do the machines the users connect from fall in scope?

Maybe. When considering scoping, you are looking at the boundaries of your assessment. You can use solutions like remote desktop, VDI, etc.,for CMMC implementation. If you do not want your endpoints to be in scope, you must lock down those virtual instances to ensure that nothing can be copied or saved from that virtual interface. If you can achieve this, prove it, and demonstrate it, then your endpoints would not be in scope. However, if capabilities such as copy and paste, download, print, or screenshotting are still enabled, then your endpoints are likely still in play. It all depends on how tightly you lock down that remote or virtual interface.

What is the best solution for subcontractor information sharing and compliance?

There are many good solutions for this, but one that stands out is a GRC (Governance, Risk, and Compliance) tool like Cyturus. The Cyturus CRT tool allows you to map data back to one another and offers many other usefulfeatures. Another example of a GRC tool is FutureFeed. Tools like these let you store your documentation (such as your SSP) and other documents, then grant your subcontractors access. Any time they make a change, the tool provides a warning so you can review it. This approach ensures secure information sharing and compliance management.

Are there prerequisites for CCP training?

There are no prerequisites for CMMC Certified Professional(CCP) training itself, but there are requirements if you plan to sit for the CCP certification.

One prerequisite is having a college degree or 2 years of equivalent experience. It is also suggested that you have a certification such as CompTIA Security+.

You must complete the CCP class before taking the CCP exam. If you want to go further and become a CMMC Certified Assessor (CCA), there is another set of requirements. For more details please visit: 

CCP training

CCA training

The Cyber AB’s CCP Blueprint 

How can I get upper management to understand we shouldn't be waiting for CMMC to finalize?

This is always a challenge, right? The bottom line is that CMMC is merely a validation of requirements that are already in place. Upper management should be aware of this. By getting certified now, you are giving yourself a competitive advantage for bidding on contracts. The advantages of being proactive are significant compared to waiting, especially with potential logjams that may occur after rulemaking becomes final. If you wait to get certified until CMMC becomes final, you might end up in a queue for certification that could potentially last a year or two, depending on how things go. Another option is to get on a call with us! We are happy to learn about your unique business and explain the CMMC process to your leadership. At the end of the day, if you want to participate in the DIB space and secure DoD contracts, CMMC will provide you with a competitive advantage, particularly if you are a subcontractor. Subcontractors will see CMMC requirements in contracts from their primes long before the DoD mandates them. We have already heard from subcontractor clients that their primes are telling them the first to get CMMC certified will get all the primes’ business for 2025, and they will reassess in 2026 once things settle down. So there you go.

April 2024

Download Slides

This month, we answer audience questions such as flowdown requirements for subcontractors, timeline enforcement, and more… Tune in to learn.

March 2024

Download Slides

The group covers answers to audience questions including email requirements, sharing data when it comes to parent/child companies, and much (MUCH) more…

 

February 2024

Download Slides

We discuss the reality of the CMMC timeline, 48 CFR vs. 32 CFR, enclaves for small businesses, then open the floor to Q&A.

 

January 2024

Download Slides

A special 1 hour kickoff event covering the CMMC proposed rule, updates, timelines, and essential information. Then, our team hosts an interactive ‘Ask Me Anything’ (AMA) session addressing inquiries on MSP/ESP certification, training, CUI scoping, DIBCAC High certification, and more.

 

Register for the next CMMC Connect

Get started with Redspin Today

Helping you navigate CMMC.

Contact Us