This article is provided by Kieri Solutions, a CMMC C3PAO candidate. Thanks to them for sharing some of the secret sauce!
This article is meant to provide short explanations on topics that are commonly misunderstood (and not performed correctly) by defense contractors. It will be updated over time. We’ve done a LOT of research on the CMMC and have decades of experience managing secure military networks, but this is a free article and the answers are summaries, so it is not guaranteed to be 100% correct for you. Talk to a cyber security expert, lawyer, or your contracting officer to be sure.
If you want to add to the question list, please comment below!
Q: What is CMMC or what is FCI / CUI?
Whoa, this article is going to be too advanced for you.
Go read these articles first:
Then come back and read through this article.
Q: Does my company even have FCI?
If you are a prime or subcontractor working on a government contract, any non-public communications related to that contract are probably FCI. If you are a vendor to a DoD contract, any non-public communications between you and that contractor about products or services are probably FCI.
FCI is not limited to communications between the Government and yourself. It also applies to communications between companies that are performing a contract.
The exception is a purely Commercial Off-The-Shelf (COTS) product or service. Selling chairs or bolts is not considered FCI as long as there aren’t details about the use (such as “this bolt is used for the F16 landing gear”). If you customize your product or service at all for the government, it is no longer COTS.
Q: Does my company even have CUI?
Technically, the question should be “Does my company even have Covered Defense Information (CDI)?”
For your company to have Controlled Unclassified Information, you must meet these conditions:
- You have an official agreement with the United States Federal Government, or you support an organization that has such an agreement, and
- A) the organization / government provides CUI to you as part of the agreement, or B) you create the CUI on behalf of the agreement.
Tip: Just because your company is developing cool technology on a topic that is normally controlled (like weapons systems) does not mean that it is automatically CUI. You need to be performing work as part of an active agreement with the Government.
Q: What CMMC Level will I need to get?
As of May 7, 2021, the CMMC regulation (DFARS 252.204-7021) says simply that the prime contractor needs a CMMC certificate at the level required by the contract. It also states that higher-level contractors will flow down CMMC requirements to their subs based on the type of data that is flowed down.
Q: Which of my data needs to be protected under CMMC?
This is harder. CUI and FCI are considered in-scope when they are generated or received as part of performance on a contract.
The government or your partners SHOULD be labeling any CUI when they send it to you…
Tip: Reach out to your contract officer and ask them what their procedure for labeling CUI is. Or ask your partner.
If you create the CUI yourself, as part of a contract, then you need to identify and label it yourself.
Here is a useful graphic showing the protection requirements based on the types of data you have.
Reference: DoD guidance for CUI
Q: Is it OK to email CUI?
In short, if you are using regular email messages to send or receive CUI, you are doing it wrong.
You should be doing this: “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.”
That means that when you are sending CUI or storing CUI, it needs to be encrypted. Regular emails are NOT encrypted.
Reference: CMMC version 1.02 Appendix (review practice SC.3.177)
Q: How do I correctly send and receive CUI?
Very simply, you need to 1) make sure that you are sending it to an authorized person (double-check that name), and 2) use an encrypted transport of some sort.
Here are some good options for encrypted transport:
- Use encrypted emails
- Employ a CUI-rated file share.
- Use AMRDEC SAFE safe.apps.mil to send one-off files (needs a CAC to send, unless recipient creates a request for you).
Tip: Have a conversation with your Government counterparts and your partners to make a plan for how everyone will send CUI.
Q: Is my cloud vendor OK for CMMC level 3+?
The CMMC-AB has confirmed that cloud vendors are in-scope for CMMC level 3 assessments. Please check this interview from December 18, 2020 with Regan Edens for more details.
Now go check the FedRAMP Marketplace. Search for your vendor’s name. Not in the list? You may have a big problem…
Don’t stop yet. Even if they are on the list, you need to check with your vendor and ask if they are DFARS compliant, and ask if your license is for that FedRAMP cloud.
Tip: If you didn’t specifically ask for their government solution (and pay more money), you probably aren’t on it.
Reference: CUI and Cloud Vendors – do you need FedRAMP?
Q: How do I tell if cloud security is “equivalent to FedRAMP”?
In DFARS 252.204-7012, the paragraph about cloud provider security states “the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to […] FedRAMP Moderate baseline…”
In theory, this means that your preferred cloud provider could meet requirements even if they aren’t on the FedRAMP marketplace.
In reality, every time I’ve reached out to a provider about their cybersecurity program, they weren’t even close to meeting security requirements, even for vendors that advertise they are secure enough for government.
In reality, even if a provider gave you full access to review (they won’t), are you a FedRAMP auditor, qualified to judge whether they are equivalent?
In our (Kieri Solutions’) experience, if a cloud provider puts in the extreme effort to meet FedRAMP requirements, they will always go get the certification. It generally isn’t worth the effort to evaluate non-FedRAMP-certified clouds for equivalence.
Reference: DFARS 252.204-7012
Q: How much will CMMC assessment cost?
Good question. Market forces will probably be in charge of this. The minimum I’ve heard is $3,000 for a level 1 assessment of a small company (<10 computers). The DoD estimates it will cost $50,000 for a level 3 assessment. We will need to see how this goes.
Q: Is there a CMMC easy button? Can I just outsource this?
If you outsource any of your cybersecurity for CMMC, you will still need to prove that the outsourced company is performing each CMMC requirement. This is easiest done if the other company has their own CMMC certificate at an equivalent or higher level.
The best easy button is avoiding dealing with CUI. Even if your employees handle sensitive information, you might be able to avoid the problem by 1) using a partner’s network (which is CMMC-ready), or 2) using a government network.
Cloud vendors who advertise that their solution meets CMMC requirements normally just mean technical items like FIPS-validated cryptography. For example, even though Microsoft GCC High can handle many technical requirements, they aren’t going to automatically make your laptops secure or do background checks on your staff. No easy button there.
Q: Are mobile phones allowed at level 3?
I recommend getting an in-depth evaluation from a cybersecurity consultant for this question.
To know the answer, you need to go through ALL the CMMC requirements and evaluate them against your mobile phones. Can you secure your phones, or do they lack the ability for some requirements?
Q: Is public Wi-Fi allowed at level 3?
I don’t know of anyone who has failed an audit because their employees used hotel Wi-Fi. But it is not recommended, and most organizations prohibit public hotspots.
Zero-trust architecture, smart software firewalls, and VPNs are ways to help protect your employees’ laptops when they travel.
The best practice for traveling workers is to issue them cellular hotspot devices. Yes, this costs money.
There is precedent for allowing workers to use their home Wi-Fi, but you will want to couple this with cyber-hygiene training and a remote work agreement.
Q: Should I buy a set of policies for CMMC?
Maybe? It is just money, after all.
A lot of the time, when a company buys an expensive set of policies, they just download them and ignore them.
Your policies need to reflect your organization’s actual practices. It is worse to have a policy that says “All systems will be patched within 5 days” and not patch your system, than it is to have a policy that says “We don’t believe in patching” and not patch your system. This is tongue-in-cheek, because both of those would totally fail, but I hope you understand the idea. Not following your policies is a problem.
Bad policies require a doctorate degree to understand and are never looked at. Good policies are written in plain English, and are referenced often.
Check our resources page for links to free policy templates. The problem with the free templates available right now is that they don’t describe each practice for CMMC individually. This is a requirement for CMMC Maturity Level 2 and above.
Kieri Solutions offers a full set of documentation designed for CMMC Level 2 and 3 that specifically addresses each practice and helps you build evidence. There are other paid vendors that sell policies written for the CMMC. No matter what, you need to budget some time to customize the policies to fit your exact business, and plan to bring in your high-level executives to support and enforce the policies.
Q: Should I sign up for a Compliance Platform?
Please be really careful about this. When you enter data into a cloud-based Compliance Platform (a website that lets you automatically create your CMMC compliance documents), you are putting your vulnerability data into that cloud vendor. At the least, make sure they are located in the U.S.A. and owned by U.S. citizens. I personally suspect that these platforms need to be DFARS compliant (not just their hosting system, but the cloud platform itself). I haven’t seen any clarification from the Government on this exact topic yet.
Q: Can I use a Managed Service Provider?
There isn’t much official information available on this topic. (If you know of some, please comment)
Even at level 1, you need to prove that your managed service provider does the level 1 requirements as they relate to your information system.
At level 3+, it looks like there will be stringent requirements for provider companies. For example, they might be required to certify their information system at CMMC level 3+ too.
Since Managed Service Providers typically have multiple unnamed staff and remote management capabilities into your network, it is very risky to use an MSP unless they are cybersecurity super-stars AND you have a contractual agreement with them to perform CMMC level 3 screening and security on their own people and network.
Q: What about paying for a CMMC Level 3 system?
Two possibilities here:
1. A technical solution (such as an email system) that says you just need to use them and you will be CMMC Level 3 compliant.
Among professionals, this is considered blatant false advertising because there are no technical solutions which provide CMMC Level 1, 2, or 3 compliance. A huge amount of CMMC compliance is manual processes performed by humans. Things like authorizing Debbie’s accounts and identifying the roles and permissions she should have. Performing risk assessments to determine a path forward when your manufacturing software is vulnerable but no patch is available. Monitoring physical facilities security.
2. Renting computers, servers, and MSP services in a package that is designed to replace your IT department entirely. This is actually a workable model for about 90% of the CMMC requirements. As long as the client is forced to perform the activities that are specific to them (such as requesting accounts and escorting visitors), this could work.
There is a concern about whether hosting lots of different clients in your (un-segmented) information system would pass an assessment. It is also unclear whether you could get one CMMC Level 3 assessment for a “model” information system in order to make segmenting affordable.
I have heard of at least two companies selling “Guaranteed CMMC Level 3” systems. This is an immediate turn-off for most professionals in the CMMC space because there are so many unknowns still that no one can be certain they will pass CMMC Level 3. What happens if the company doesn’t pass? Maybe the clients don’t need to pay? But that still means huge disruption to the client revenue and a huge hassle trying to change to a different network.
Until someone has successfully gotten a certification while hosting disparate customers, there isn’t any sure path forward.
Q: Can I use consultants?
Note: Before CMMC rolls out and DFARS 252.204-7012 is updated, there doesn’t seem to be any rule against using IT consultants. However, in the next few months, things are expected to change.
At level 1, your consultant needs to make sure their own information system meets level 1 requirements too.
For level 3+, if a consultant needs to use their own information system to deal with your CUI (including sensitive network info), then you should verify that they meet CMMC level 3+ requirements.
Because consultants are named persons, you should be able to avoid vendor risk by having consultants use your company’s information systems and processes. This means performing background screens, signing agreements, providing training, issuing accounts, and issuing a laptop as though they were an employee. By having consultants use your information system while working for you, they keep all CUI within the scope of your existing network.
Q: Can my employees use home computers to work?
No. Edited: Mostly no (see comments).
Even at CMMC level 1, the practices say that you need to control and limit the use of personal devices connecting to your network or information. The example describes not allowing employees to work on Federal Contract Information using personal devices. At level 1, if you require security measures on home computers (like antivirus, patches, passwords, and restricting use by random family and friends), you can probably get away with it. But at that point, are they still “home” computers?
For higher levels that deal with CUI, the answer is HECK NO!
If your employees need to work from home, you should ideally be issuing them a company laptop, setting up virtual desktops, or both. Yes, this costs money.
Reference: CMMC Level 1 Assessment Guide
Q: Can my employees use personal phones for email?
The very first requirement of CMMC says that you need to “limit information system access to … authorized devices.”
If your email has Federal Contract Information (FCI) in it *hint: it does*, then connecting personal phones to email would add them to the list of devices that need to meet security requirements. At Level 1, this isn’t too hard, but you need to show that you authorized each phone before it connects to your email system.
This security requirement is one where your users will try to circumvent any policy or training you give them. I recommend using technical configurations to lock down access wherever possible.
Reference: CMMC Level 1 Assessment Guide
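One way to produce the evidence that each device was authorized before it touched the mail system, as an added example that is not from the article or from Kieri Solutions: it reads a device register and constructed mail-access log lines (the log format, field names and device IDs are assumptions) and flags devices that are missing from the register, used by someone other than the authorized user, or first seen before their authorization date.

```python
"""Added example (not the article's own code): check that every device that
reached the mail system was in the authorized-device register before its first
connection. The register and the log lines are constructed sample data; the
'<ISO timestamp> user=<name> device=<id> action=<verb>' format is an assumption."""
from datetime import datetime

# Constructed register: device ID -> the user it was authorized for and when.
AUTHORIZED = {
    "PHONE-0001": {"user": "debbie", "authorized": "2021-03-01"},
    "LAPTOP-0007": {"user": "alice", "authorized": "2021-02-15"},
    "PHONE-0002": {"user": "bob", "authorized": "2021-04-10"},
}

# Constructed mail-access log lines (not real logs).
SAMPLE_LOG = """\
2021-03-02T08:15:00 user=debbie device=PHONE-0001 action=sync
2021-04-01T09:00:00 user=bob device=PHONE-0002 action=sync
2021-04-12T09:30:00 user=bob device=PHONE-0002 action=sync
2021-04-03T12:00:00 user=carol device=PHONE-0099 action=sync
2021-03-05T17:45:00 user=alice device=LAPTOP-0007 action=sync
2021-03-06T10:00:00 user=mallory device=LAPTOP-0007 action=sync
"""

def parse_line(line):
    """Split one log line into (timestamp, user, device)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["device"]

def review_access(log_text, register):
    """Return (all_ok, findings). Each finding names the device, the reason it
    fails the 'authorized device' check, when it was first seen, and who used it."""
    first_seen = {}  # device -> earliest connection timestamp
    users = {}       # device -> every user that connected with it
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, dev = parse_line(line)
        first_seen[dev] = min(ts, first_seen.get(dev, ts))
        users.setdefault(dev, set()).add(user)
    findings = []
    for dev in sorted(first_seen):
        entry = register.get(dev)
        if entry is None:
            reason = "not in register"
        elif users[dev] != {entry["user"]}:
            reason = "used by a user other than the authorized one"
        elif first_seen[dev].date() < datetime.fromisoformat(entry["authorized"]).date():
            reason = "connected before authorization date"
        else:
            continue  # authorized for this user, and only connected afterwards
        findings.append({"device": dev, "reason": reason,
                         "first_seen": first_seen[dev].isoformat(),
                         "users": sorted(users[dev])})
    return (not findings), findings

if __name__ == "__main__":
    ok, found = review_access(SAMPLE_LOG, AUTHORIZED)
    print("all devices authorized" if ok else "\n".join(map(str, found)))
```

The same check works for any client that records a stable device identifier; the point is to keep the register dated so that "authorized before it connects" can be shown, not just "authorized at some point".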
Q: When will the CMMC actually affect me?
There has been a lot of fear-mongering out there. If a salesperson threatens that you will lose your Government contracts after December 2020, they are using strong-arm tactics and shouldn’t be trusted.
According to what the DoD and the CMMC Accreditation Body have released publicly, the CMMC will be a gradual roll-out over 5 years (through 2026).
Starting around December 2020, new and renewing contracts will have the OPTION of including a CMMC level requirement in their Request for Proposals.
Like all government RFPs, they want to have some competition on their bids. So before releasing a CMMC requirement, the procurement officer is probably going to verify that at least two potential bidders have the certification. This means that procurement officers either need to wait for lots of companies to get certified, or give advance warning to potential bidders that the proposal will require CMMC.
Short opinion: Almost all contractors will have a few years before they will want to bid on a CMMC-required contract. This is good, because for level 2+, most companies will need a year or more to prepare.
Q: Will CMMC level 3+ companies get priority assessments?
The CMMC-AB has stated that they will facilitate priority assessments for bidders on contracts that require CMMC. The CMMC level required by the contract doesn’t matter. So if a contract comes out for bid in 2021, companies bidding on it should be given assessment priority over companies that aren’t bidding until 2022 or 2023.
Q: Should I send my internal staff to CMMC training?
Mixed. You don’t need any certifications or titles from the CMMC-AB to help a company prepare for an assessment. Neither the Registered Practitioner nor the Certified Assessor track seems to be geared toward internal employees (they require association with consulting or assessment organizations). But having someone on your team who can give input on whether a practice is passing or failing is invaluable.
Registered Practitioner (the closest match for internal staff) focuses on CMMC-specific items like major players, ethics, and the assessment process. Since cybersecurity controls and building a system security plan are contained in multiple compliance frameworks (like NIST SP 800-171), the RP training doesn’t cover these topics. Kieri Solutions (the sponsor of this article) has instructor-led training about cybersecurity compliance activities that might be more applicable.
Q: Can my employees discuss CUI over the phone?
Phone conversations that occur over Common Carrier and analog telephone lines (POTS) are not in-scope for DFARS 252.204-7012 or CMMC at this point. That means that an assessor should not ask you questions about your Common Carrier and POTS phone conversations during an assessment.
However, voice conversations that occur over data channels such as Microsoft Teams, WebEx, and some types of VoIP systems ARE in-scope and need to be protected. Voicemail systems can also be in-scope because they store the recording in data form.
The best answer for real security is that your employees shouldn’t discuss CUI over regular phone lines. You should probably train your staff to only discuss CUI using authorized programs or tools.
Reference: DFARS Cyber FAQ, question #103
This article was submitted by Kieri Solutions. Thanks to them for their insights!
I hope this article is helpful to you! If you want to add a question to the list, please comment!
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. She specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD.