Expert Answers to Top 5 CMMC Questions

Many companies in the Defense Industrial Base (DIB), and others doing work for the federal government, have heard of the Cybersecurity Maturity Model Certification (CMMC) process, but few are on the path to compliance—and even fewer are fully ready for the mandate to begin showing up on DoD project bids in May 2023.

Organizations across the USA—who are actively taking and bidding on government contracts—have shared their confusion with the program: the various levels, program changes, an interim rule, and moving dates on when the requirements might take effect.

With those challenges in mind, the team at Firewater Advisors invited CMMC Registered Practitioner and national cybersecurity expert Wayne Shaw to answer our five most vital questions around what organizations need to know and how to get started. 

Question 1:  Why does my organization want CMMC certification? 

What’s the downside? You either pass the CMMC self-assessment or a third-party audit, or you don’t go after any DoD contracts. It’s that simple. The federal contracts will go to your competitor. And as we’ve heard in a town hall from representatives with Boeing and other big players, if your competitor is certified and has their assessment and you don’t, you’re out and they’re not going to come back.

So the CMMC, as we look at it from the business side, is a competitor-crushing, business-increasing opportunity.

CMMC requirements are expected to appear in DoD Contracts as early as May 2023 

Question 2:  How do I determine what level of assessment to get? 

That will be determined by the RFP. If you handle CUI, or “Controlled Unclassified Information,” you will be level two or three. If you only handle FCI, or “Federal Contract Information,” then you only need to be level one.

Level three has yet to be totally determined. That’s where the big boys are: that’s Boeing, that’s Northrop Grumman.

Most of the defense industrial base and most RFPs will fall into Level Two. So our recommendation is to go for Level 2. [Regarding the NIST 800-171 cybersecurity guidelines] You’re supposed to be there anyway. Do it.

Question 3:  Should my organization request an auditor? 

This is what we advise all our customers to do: yes. Go ahead and get assessed because there’s going to be fewer and fewer companies out there that are assessed.  

Most companies are going to take the self-assessment path, since the CMMC program has said that in some limited situations people can be self-assessed. Because of this, there are fewer assessors that are going to hit the ground running.

So we say go ahead and be prepared to be assessed now. Get all of your ducks in a row. Make sure you have all the artifacts, the training, all the policies and procedures.  

Bids and opportunities will come in that require being certified and assessed for the particular RFP. Now it becomes a business decision. The cost of getting certified isn’t cheap. You’re going to have to have an assessor come to your location or locations, and they’ll be assessing your company for a week or two.

But if you’re assessed, certified, and ready for it, then you can hop on that bid.  That’s why we say getting certified and assessed now is a business decision that you make, not just a compliance issue. 

“If you are taking multiple contracts, it’s likely that at least one will require a third-party audit.”

Stacy Bostjanick, CMMC Chief of Implementation and Policy 

Question 4:  What’s the most efficient way to begin? 

The training needs to be done first. This is so everybody in the company understands what’s coming at them.  That makes it less expensive for you to run the new controls or the new requirements through your company, because everybody goes, “Oh, yeah, I understand that.” 

“It’s much easier to get compliance bits and pieces from partners, then spend your time, energy, and effort on the hard parts of CMMC certification—because there are some hard parts in this.”

Wayne Shaw, CMMC RP

Question 5:  Can my organization do the training ourselves? 

Yes, you can. It would be very expensive. First you would have to get an element of a learning management system in your organization, and they’re not cheap. Then you would have to get a consultant to make sure that you hit all the requirements that are out there.

It’s just so much easier to go out and get those bits and pieces that you can, and then spend your time, money, energy and effort on the hard parts—because there are some hard parts in this.

The training is the most important part, to me, when introducing anything new or bringing any changes to an organization. 

We put a training session together, a training seminar. It’s easy to use, it’s inexpensive. We provide all of the elements that meet the CMMC requirements, and it’s updated every year so it meets the CMMC requirement to renew the training every year for all of your employees. 

If you’re interested in our training, just click through to find out more about it. If you have any questions, you can always email us.
