On April 15, 2021, Simple Helix partnered with Stealth-ISS Group Inc., a CMMC-AB approved C3PAO company, to host a virtual discussion panel event about CMMC. During the event, the CMMC Standard was examined through the lens of the assessor, represented by Dasha Deckwerth (CMMC PA3). View the event recording to gain the latest compliance insight and find out how best to navigate your journey towards compliance.
During the event, the following topics were addressed:
- CMMC is about cyber maturity and culture – What you should do now to build your plan towards actual CMMC assessment
- Why you should start pursuing compliance NOW
- Availability of Assessors
- Using CMMC as a selling point to win contracts
The speakers:
- Scott McDaniel – CEO, Simple Helix
- Dasha Deckwerth – President & CMMC PA3; Stealth-ISS Group Inc.
Event Q&A
Q: How have you been instructed to handle non-compliant controls? I’ve heard that assessors should give contractors 90 days to fix any failures. Is this true?
A: This is true. Contractors will have the opportunity to rectify control failures within a 90-day window. This rule applies to all levels and controls of the standard.
Q: Are contractors able to be awarded contracts during the 90-day window given by the assessor to correct failures?
A: No, you cannot win the contract unless you hold the certificate.
Q: How much historical data is needed before undergoing an assessment?
A: It is recommended to provide 1 year of historical data. However, each assessor uses their own discretion (based on control and company) to decide what evidence is mature enough to meet compliance.
Q: How have you been instructed to treat data that you think is CUI (not marked as CUI) but the OSC disagrees? Is there a certain amount of unmarked CUI that triggers a level 3 requirement or is there assessor discretion?
A: The level is set in the contract so unmarked CUI wouldn’t trigger a level 3 requirement. The contract would. If there is some confusion regarding the definition of CUI, we’ve provided the links below to help clear that up. Review both websites:
Q: Can you please review the 3 steps to gather evidence? Where does having policies and procedures fit into those 3 steps?
A: Policies and procedures (p&p) fit within every step of the evidence-gathering process. The “test” is when the assessor would review the p&p to ensure you meet all the controls. The “interview” and “see it” portions refer to when you would have to enact the p&p to show the assessor that they meet the compliance standard.
Q: If we’re developing the necessary (new) documentation for CMMC L3 as a C3PAO, how/when is it defined as mature and compliant?
A: When you meet all controls within the level.
Q: What happens if we spin up a new lab that was not in the scope of a previous CMMC assessment? Do we have to have another CMMC assessment before that lab can be awarded contracts that require CMMC?
A: Yes, another CMMC assessment would need to be conducted because the lab is out of the scope of the originally awarded compliance.
Q: What percentage of companies that you’ve worked with think they are at level 3 and your assessment shows they aren’t even at level 1?
A: About 60% so far. But keep in mind, even one simple control/requirement at level 1 that does not meet compliance will disqualify you completely from any CMMC level – even if you comply with the other 129.
Q: How long does it take to get an appraiser to conduct an appraisal?
A: We refer to them as GAP Assessors. The timeline is dependent on the availability of the GAP Assessor. The Simple Helix Team can direct you to a partner of ours that could help you get started. The sooner you get on their books, the sooner the cost will start to take form. Contact us today at info@simplehelix.com and we’ll help get you started.
Q: Are there authorized vendors you must use?
A: No. CMMC is not prescriptive. You can do all of this in-house if you prefer. However, achieving compliance is no small task and it’s usually good to have a few experts on your side. If you’re looking for help, try reaching out to a few companies who identify with the following terms.
- GAP Assessor
- Implementer (like Simple Helix – info@simplehelix.com)
- C3PAO (like Stealth)
Q: We are going on the premise that our subcontractors who only supply COTS equipment will not have to comply with CMMC. Is that true?
A: That is a true statement.
Q: As a subcontractor, we need to share information with our other subcontractors for permits. There is a provision for sharing CUI for any lawful government process. Who decides when sharing CUI to entities that are not CMMC certified is allowed?
A: Realize that CMMC applies, today, specifically for DOD contracts. When the contract uses the CMMC framework, everyone, including ALL subs, must meet at least a CMMC Level 1. If you need to share CUI with someone that is not CMMC compliant, then you must provide a secure environment (enclave) for that contractor to use. Simple Helix has multiple options to address this. An example would be to use PreVeil where the subcontractor would get a free user account and you “share” the documents via PreVeil. Realize that the subcontractor wouldn’t necessarily be able to “download” the document but they could view it. If you’re interested and would like to talk through your options, contact us at info@simplehelix.com.
Q: We have a subsidiary dedicated to Federal contracts. We needed to separate our employees in our commercial business from the federal contracts for many reasons. How far does CMMC go? Does it go outside the corporate boundary?
A: It does not go outside the corporate boundary. It was wise to separate the two factions of your company to isolate those involved with CUI. We call those separated spaces enclaves. You as the business set the scope and therefore would limit the scope to your federal contract’s teams.
Q: How do I get started as an assessor?
A: To get started, visit https://cmmcab.org/. If you have the qualifications and expertise in the security assessment field, you can apply at the CMMC-AB to become a PA, CA, or RP.
Q: Are compensating controls taken into account when a control is deemed non-compliant by an assessor?
A: CMMC is an all-or-nothing standard. If you fail one control, another cannot cover the failure. You must meet all controls listed in the level you are trying to obtain.