This article is provided by Kieri Solutions, a cybersecurity provider specializing in CMMC compliance. Thanks to them for sharing some of the secret sauce!
This article is meant to provide short explanations on topics that are commonly misunderstood (and not performed correctly) by defense contractors. It will be updated over time. We’ve done a LOT of research on the CMMC and have decades of experience managing secure military networks, but this is a free article and the answers are summaries, so it is not guaranteed to be 100% correct for you. Talk to a cyber security expert, lawyer, or your contracting officer to be sure.
If you want to add to the question list, please comment below!
Q: What is CMMC or what is CUI?
Whoa, this article is going to be too advanced for you.
Go read these articles first:
Then come back and read through this article.
Q: Does my company even have CUI?
For your company to have Controlled Unclassified Information, you must meet these conditions:
- An official agreement with the United States Federal Government (like a contract)
- Either A) the government provides CUI to you as part of the agreement, or B) you create the CUI on behalf of the agreement
Tip: Just because your company is developing cool technology on a topic that is normally controlled (like weapons systems), does not mean that it is automatically CUI. You need to have an active agreement with the Government.
Reference: DFARS 252.204-7012 (review the definition of “Covered Defense Information”)
Q: Which of my data is CUI?
This is harder. The government SHOULD be labeling any CUI when they send it to you…
Tip: Reach out to your contract officer and ask them what their procedure for labeling CUI is.
If you create the CUI yourself, as part of a contract, then you need to identify and label it yourself.
Reference: DoD guidance for CUI
Q: Is it OK to email CUI?
In short, if you are using regular email messages to send or receive CUI, you are doing it wrong.
You should be doing this: “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.”
That means that when you are sending CUI or storing CUI, it needs to be encrypted. Regular emails are NOT encrypted.
Reference: CMMC version 1.02 Appendix (review practice SC.3.177)
Q: How do I correctly send and receive CUI?
Very simply, you need to 1) make sure that you are sending it to an authorized person (double-check that name), and 2) use an encrypted transport of some sort.
Here are some good options for encrypted transport:
- Use CAC certificates to encrypt emails.
- Employ a CUI-rated file share like GCC High SharePoint or an in-house SFTP server, and issue accounts to both sender and receiver.
- Use AMRDEC SAFE (safe.apps.mil) to send one-off files (needs a CAC to send, unless the recipient creates a request for you).
Tip: Have a conversation with your Government counterparts and your partners to make a plan for how everyone will send CUI.
Q: Is my cloud vendor OK for CMMC level 3+?
First, go check the FedRAMP Marketplace. Search for your vendor’s name. Not in the list? You may have a big problem…
Don’t stop yet. Even if they are in the list, you need to check with your vendor and ask if they are DFARS compliant, and ask if your license is for that cloud.
Tip: If you didn’t specifically ask for their government solution (and pay more money), you probably aren’t on it.
Reference: CUI and Cloud Vendors – do you need FedRAMP?
Q: How do I tell if cloud security is “equivalent to FedRAMP”?
In DFARS 252.204-7012, the paragraph about cloud provider security states “the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to […] FedRAMP Moderate baseline…”
In theory, this means that your preferred cloud provider could meet requirements even if they aren’t on the FedRAMP marketplace.
In reality, every time I’ve reached out to a provider about their cybersecurity program, they weren’t even close to meeting security requirements, even for vendors that advertise they are secure enough for government.
In reality, even if a provider gave you full access to review (they won’t), are you a FedRAMP auditor, qualified to judge whether they are equivalent?
In our (Kieri Solutions’) experience, if a cloud provider puts in the extreme effort to meet FedRAMP requirements, they will always go get the certification. It generally isn’t worth the effort to evaluate non-FedRAMP-certified clouds for equivalence.
Reference: DFARS 252.204-7012
Q: How much will CMMC assessment cost?
Good question. Market forces will probably be in charge of this. The minimum I’ve heard is $3,000 for a level 1 assessment of a small company (<10 computers). The DoD estimates it will cost $50,000 for a level 3 assessment. We will need to see how this goes.
Q: Is there a CMMC easy button? Can I just outsource this?
At CMMC level 1, there don’t seem to be big issues with outsourcing or using commercial cloud services.
At level 2 and above, outsourcing is a major concern and could cause you to fail your audit.
The best easy button is avoiding dealing with CUI. Even if your employees handle sensitive information, you might be able to avoid the problem by either 1) using a partner’s network (which is CMMC-ready), or 2) using a government network.
Cloud vendors who advertise that their solution meets CMMC requirements normally just mean technical items like FIPS-validated cryptography. For example, even though Microsoft GCC High can handle many technical requirements, they aren’t going to automatically make your laptops secure or do background checks on your staff. No easy button there.
Q: Are mobile phones allowed at level 3?
I recommend getting an in-depth evaluation from a cybersecurity consultant for this question.
To know the answer, you need to go through ALL the CMMC requirements and evaluate them against your mobile phones. Can you secure your phones, or do they lack the ability for some requirements?
Q: Is public Wi-Fi allowed at level 3?
I don’t know of anyone who has failed an audit because their employees used hotel Wi-Fi. But it is not recommended, and most organizations prohibit public hotspots.
Zero-trust architecture, smart software firewalls, and VPNs are ways to help protect your employees’ laptops when they travel.
The best practice for traveling workers is to issue them cellular hotspot devices. Yes, this costs money.
There is precedent for allowing workers to use their home Wi-Fi, but you will want to couple this with cyber-hygiene training and a remote work agreement.
Q: Should I buy a set of policies for CMMC?
Maybe? It is just money, after all.
A lot of the time, when a company buys a set of expensive policies, they just download them and ignore them.
Your policies need to reflect your organization’s actual practices. It is worse to have a policy that says “All systems will be patched within 5 days” and not patch your system, than it is to have a policy that says “We don’t believe in patching” and not patch your system. This is tongue-in-cheek, because both of those would totally fail, but I hope you understand the idea. Not following your policies is a problem.
Bad policies require a doctorate degree to understand and are never looked at. Good policies are written in plain English, and are referenced often.
Check our resources page for links to free policy templates. I recommend spending that $3,000 in labor, customizing the free policies, rather than buying policies and not customizing them.
Q: Should I sign up for a Compliance Platform?
Please be really careful about this. When you enter data into a cloud-based Compliance Platform (a website that lets you automatically create your CMMC compliance documents), you are possibly releasing CUI about your vulnerabilities to that cloud vendor. At the least, make sure they are located in the U.S.A. and owned by U.S. citizens. I personally suspect that these platforms need to be DFARS compliant (not just their hosting system, but the cloud platform itself). I haven’t seen any clarification from the Government on this exact topic yet.
Q: Can I use a Managed Service Provider?
There isn’t much official information available on this topic. (If you know of some, please comment)
At level 1, there doesn’t seem to be much concern about outsourcing your IT support.
At level 3+, it looks like there will be stringent requirements for provider companies. For example, they might be required to certify their information system at CMMC level 3+ too.
Since Managed Service Providers typically have multiple unnamed staff and remote management capabilities into your network, it is very risky to use an MSP unless they are cybersecurity super-stars AND you have a contractual agreement with them to perform CMMC level 3 screening and security on their own people and network.
Q: Can I use consultants?
Note: Before CMMC rolls out and DFARS 252.204-7012 is updated, there doesn’t seem to be any rule against using IT consultants. However, in the next few months, things are expected to change.
At level 1, there doesn’t seem to be much concern about outsourcing your IT support.
For level 3+, if a consultant needs to use their own information system to deal with your CUI (including sensitive network info), then you should verify that they meet CMMC level 3+ requirements.
Because consultants are named persons, you should be able to avoid vendor risk by having consultants use your company’s information systems and processes. This means performing background screens, signing agreements, providing training, issuing accounts, and issuing a laptop as though they were an employee. By having consultants use your information system while working for you, they keep all CUI within the scope of your existing network.
Q: Can my employees use home computers to work?
No. Edited: Mostly no (see comments).
Even at CMMC level 1, the practices say that you need to control and limit the use of personal devices connecting to your network or information. The example describes not allowing employees to work on Federal Contract Information using personal devices. At level 1, if you require security measures on home computers (like antivirus, patches, passwords, and restricting use by random family and friends), you can probably get away with it. But at that point, are they still “home” computers?
For higher levels that deal with CUI, the answer is HECK NO!
If your employees need to work from home, you should ideally be issuing them a company laptop, setting up virtual desktops, or both. Yes, this costs money.
Q: When will the CMMC actually affect me?
There has been a lot of fear-mongering out there. If a salesperson threatens that you will lose your Government contracts after December 2020, they are using strong-arm tactics and shouldn’t be trusted.
According to what the DoD and the CMMC Accreditation Body have released publicly, the CMMC will be a gradual roll-out over 5 years (through 2026).
Starting around December 2020, new and renewing contracts will have the OPTION of including a CMMC level requirement in their Request for Proposals.
As with all government RFPs, the government wants to have some competition on its bids. So before releasing a CMMC requirement, the procurement officer is probably going to verify that at least two potential bidders have the certification. This means that procurement officers either need to wait for lots of companies to get certified, or give advance warning to potential bidders that the proposal will require CMMC.
Short opinion: Almost all contractors will have a few years before they will want to bid on a CMMC-required contract. This is good, because for level 2+, most companies will need a year or more to prepare.
Q: Will CMMC level 3+ companies get priority assessments?
The CMMC-AB has stated that they will facilitate priority assessments for bidders on contracts that require CMMC. The CMMC level required by the contract doesn’t matter. So if a contract comes out for bid in 2021, companies bidding on it should be given assessment priority over companies that aren’t bidding until 2022 or 2023.
Q: Should I send my internal staff to CMMC training?
Mixed. You don’t need any certifications or titles from the CMMC-AB to help a company prepare for an assessment. Neither the Registered Practitioner nor the Certified Assessor track seems to be geared toward internal employees (they require association with consulting or assessment organizations). But having someone on your team who can give input on whether a practice is passing or failing is invaluable.
Registered Practitioner (the closest match for internal staff) focuses on CMMC-specific items like major players, ethics, and the assessment process. Since cybersecurity controls and building a system security plan are covered by multiple compliance frameworks (like NIST SP 800-171), the RP training doesn’t cover these topics. Kieri Solutions (the sponsor of this article) has instructor-led training about cybersecurity compliance activities that might be more applicable.
I hope this article is helpful to you! If you want to add a question to the list, please comment!
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. She specializes in CMMC preparation and DFARS 252.204-7012 compliance, and in designing secure and resilient enterprise systems for the private sector and the DoD.