Last updated on November 13th, 2023 at 03:34 am
The journey to CMMC Compliance can sometimes be a little confusing. We know it can be stressful when questions go unanswered, so we’ve compiled a list of FAQs to help you out! The answers provided are high-level so please feel free to reach out if you’d like for us to elaborate on certain subjects.
What is CMMC?
- CMMC is a new standard of cybersecurity compliance developed by the DoD that all U.S. Government Contractors will have to adhere to by 2026 in order to continue working with the Government.
Why is this happening?
- The U.S. government realized the threat of cybercrimes rises daily. To prevent U.S. adversaries from gaining insight regarding our defense technologies, our nation must seek to strengthen its cyber security hygiene. Because of this CMMC was created.
When will contractors have to be certified?
- Contractors must become CMMC Compliant prior to being awarded a contract that requires the standard. The roll-out of contracts requiring compliance will be a phased approach over a 5-year period starting with the release of 10 RFIs and RFPs in 2020. All contractors will have to be compliant by 2026.
Are prime contractors responsible for subs?
- Prime contractors will have to ensure all sub-contractors working under them are CMMC compliant. However, they are not responsible for the subcontractor’s journey to compliance.
What’s the difference between CMMC and DFARs or NIST 800-171?
- Unlike previous cybersecurity standards, CMMC requires that the contractors be audited to ensure they are compliant. It also important to note that the project plan or POA&M must be completed before the assessment.
How much will this cost?
- The cost depends on which level you choose to pursue/achieve. The higher the level, the more expensive it is to implement, manage, and maintain.
Can work towards CMMC be performed before the SSP is written?
- There are certain things that can be done prior to writing an SSP. However, keep in mind that the CMMC Compliance cannot be achieved unless an SSP is created.