Every day, questions arise on how contractors can facilitate their path to CMMC compliance. Our sales team hears these questions as well. Here are the 10 questions they get asked most frequently along with answers vetted by our compliance team.
The documentation for the CMMC model v1.02 states that: “when implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.”
So, the “enclave model” for protecting CUI is supported by CMMC policies and the security boundary can include only those employees that handle CUI.
You can continue to use platforms like Commercial O365 and Gmail but they must be separated from your compliance boundary and not handle CUI.
Download a pdf copy of 10 FAQs About CMMC
If you receive CUI from your prime, it should already be marked as such. You will need to handle the CUI according to the policies and procedures laid out in your System Security Plan (SSP).
If you share CUI with your own suppliers, you’ll want to make sure they have a compliant environment for storing and handling CUI. You also want to make sure you share CUI with the proper encryption according to the procedures stated in your SSP.
My responsibility to my suppliers is that I must comply with the 110 NIST 800-171 controls and be prepared to support the 130 CMMC practices when contracts begin to include CMMC.
My responsibility to my subcontractors is to flow down the DFARS 7012 requirement to them and ensure they meet the 110 NIST 800-171 controls and 130 CMMC practices when they appear in contracts.
The responsibility of my CSP is to ensure we can meet the requirements for cyber incident reporting detailed in DFARS 7012 paragraphs c-g. Additionally, the CSP must also have achieved FedRAMP moderate equivalency.
FedRAMP standards require that any cloud services provider (CSP) storing CUI must address FedRAMP Moderate controls. Most defense contractors are not CSPs themselves, instead they store federal data with a CSP. So, the defense contractor does not need to be FedRAMP compliant but the CSPs they work with do need to meet this level of compliance. Make sure that the CSP you are planning to work with is storing data in a sovereign Continental US “FedRAMP Authorized” cloud or equivalent such as FedRAMP Moderate Baseline.
One option is to replace your existing technologies to support CMMC level 3 compliance. However, an alternative is to maintain your existing systems for non-CUI management and deploy an enclave for CUI so that the information is protected per the requirements detailed in the NIST 800-171 and CMMC controls.
Many small and large defense companies don’t have the inhouse expertise and knowledge required to put their company onto a CMMC compliance path. For these organizations, there are a number of qualified MSPs, MSSPs or consulting organizations who can help.
PreVeil can help connect you with a qualified partner that has been trained by the CMMC-AB.
If you currently have FOUO, you must treat it as CUI and migrate it to a NIST 800-171 and CMMC compliant environment. It cannot remain in noncompliant systems
Learn more about protecting CUI.
Download these 6 common myths about CUI protection.
The company should have a policy in their SSP for handling CUI outside of the compliant network intended for CUI. The policy should include instructions for promptly moving the CUI to the compliant network and sanitizing the CUI from the non-compliant network.
There is some confusion that this event should be reported as an incident to DIBnet per DFARS clause 252.204-7012 but DOD policy states that a cyber incident is defined as a “compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. Assuming the CUI is promptly moved off the non-compliant network it would likely not be considered an incident.
Maturity can be demonstrated to assessors or auditors by showing appropriate and complete documentation for the NIST 800-171 or CMMC controls as well as evidence and artifacts that the controls have been in use over a period of at least 3-6 months.
Have another CMMC compliance question you think we should answer? Just email us at [email protected]