Over 2,300 registrants participated in our 2023 CMMC Summit. Leading experts, including Matt Travis (Cyber AB, CEO), Paul Escobedo (CISO, Raytheon), and Dr. Ron Ross (Author, NIST), answered audience questions about all aspects of CMMC compliance.
 

 
This blog summarizes the Summit’s most popular questions, including details about the new CMMC timeline, handling Controlled Unclassified Information (CUI), and more.

1. When will CMMC become mandatory?

CMMC does not introduce any new security controls. It is comprised of the same 110 controls that lie at the core of NIST 800-171, differing only in how the rules are enforced. NIST 800-171 allowed self-assessment, while CMMC will require a third party assessment conducted by an independent C3PAO (CMMC Third-Party Assessor Organization).
 
Defense contractors handling controlled unclassified information (CUI) have been required to meet NIST 800-171 since 2017. Defense contractors are thus already required to meet CMMC standards – they’ve been required to for the past five years. The only piece still up in the air is when strict enforcement will begin.
 
CMMC is expected to be included in contracts by mid- to late-2024. Due to the amount of time required by most contractors to achieve compliance, this means now is the time to prioritize achieving CMMC readiness.
 
As Matt Travis (CMMC-AB, CEO) said at the Summit:
 

 

“If you do not get your CMMC certification, you will not be able to eventually win DoD contracts. I cannot stress that enough. For those of you within the DIB (Defense Industrial Base) watching here today, if you haven’t gleaned that very cold reality, the fact is …. you will not be able to win DoD work if you don’t get your CMMC certification.”

 
It really is that simple. To continue working with the DIB, your organization must achieve CMMC compliance. For contractors handling CUI, that means getting compliant with NIST 800-171.
 
For more information, check out our CMMC timeline.

2. Am I responsible for marking and handling CUI?

CUI is information that the Federal government creates or possesses, or that an organization creates or possesses on behalf of the Federal government. That information requires handling with safeguards and dissemination controls consistent with applicable laws, regulations or government-wide policies. CUI is not classified information.
 
If you are a small-medium business doing contracted work for a Prime, your Prime is responsible for marking CUI. If you receive materials that you believe are CUI but aren’t marked as such, you should reach out to your contract manager for clarification. If you’re unable to get an answer, ask yourself whether the information could be material to national security. If the answer is yes, then treat the information as CUI.
 
The bottom line is that you’re responsible for protecting any CUI your organization handles. While it is your Prime’s duty to inform you which information is sensitive, it’s up to you to take the steps necessary to secure that information. To learn more, check out our guide to protecting CUI.

3. Will Revision 3 impact CMMC compliance?

NIST 800-171r3 has just come out as a draft. It is currently in a public comment period, which will run through January 24, 2024. After the public comment period, Revision 3 may undergo additional changes before its final release in spring 2024.
 
NIST 800-171r2, the predecessor to NIST 800-171r3, has been in effect since December 2017. Revision 3 trims the controls required for compliance, reducing the regulation from 110 controls to only 95.
 
It is important to note, however, that the assessment objectives (AOs) required to meet the controls will increase from 320 AOs to 390 AOs. Controls are only met when all their AOs are met. Thus the assessment will be more rigorous for Revision 3 than Revision 2.
 
At this point, contractors handling CUI should focus on the fact that they are required to meet the 110 controls present in the NIST 800-171 standard and required by their contract. For contracts received today, that means meeting R2. R3 will be phased into new contracts once it is finalized. Those new contracts with R3 will only come online in the months and years that follow
 
For more information, see our key takeaways from NIST 800-171r3.
 

4. How can a small-medium enterprise manage costs for CMMC Level 2 compliance?

There is no way to make achieving CMMC compliance completely pain-free and cost-free, but you can make it easier and more affordable for your organization. Here are some tips.
 
First, assign a CMMC lead to manage the process. Distributed responsibility tends to make processes less efficient and more costly. A single leader tasked with managing the compliance process will allow you to ensure there are no redundancies or oversights.
 
Second, scope correctly. The larger your scope, the more expensive and burdensome your process. Create an enclave wherein CUI lives and limit access to only those team members who need it. Keeping your CUI scope tight can create huge cost savings for your organization.
 

Keeping your CUI scope tight can create huge cost savings for your organization.

 
Third, choose your technologies carefully. You’ll need to use technology, such as a communication platform, to handle CUI. Make sure to choose technology that is cost-effective and user-friendly.
 
Fourth, create robust documentation from the start. A system security plan (SSP) is not only required for your CMMC assessment, but can also provide a helpful roadmap for your compliance process. Don’t procrastinate documentation – you’ll have to do it eventually, and the earlier you do it the more it can help you save time and money.
 
These tips can go a long way in helping make CMMC compliance affordable for your organization. For more helpful tips, including how to use self-assessment and Registered Practitioner Organization (RPOs) to streamline your process, check out our CMMC Compliance Checklist.

5. Has a PreVeil customer passed a CMMC or NIST 800-171 assessment?

Currently, CMMC is not law. The current expectations, as noted above, are that CMMC will become a final rule next year. Today, all compliance assessments are against NIST 800-171.
 
However, to date, PreVeil has enabled two customers to successfully pass a NIST 800-171 assessment. In each case, the customer was able to meet all of the 110 NIST 800-171 controls.
 
The first PreVeil customer to achieve a 110 score did so in a rigorous NIST SP 800-171 audit conducted by the Department of Defense’s (DoD) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The organization deployed PreVeil as an overlay of its Microsoft 365 Commercial environment and hired a PreVeil partner and consultant to guide them through the audit process. And, because the contractor met all 110 controls of NIST 800-171, the principal requirement for CMMC Level 2 certification, the contractor also demonstrated CMMC 2.0 compliance. You can read the full case study here.
 
The second PreVeil customer to achieve a 110 score did so in a Joint Surveillance Voluntary Assessment (JSVA) led by a C3PAO and supported by DIBCAC. This organization deployed PreVeil to only 50 of its 300 employees, thus creating a secure enclave for storing, processing and transmitting CUI. The enclave enabled the org to dramatically decrease compliance costs. The C3PAO intends to issue a CMMC Level 2 certificate to the contractor once federal rulemaking establishes the CMMC program. You can read the full case study here.
 
PreVeil supported both customers through the assessment process and was there to answer questions posed by auditors. As a result of this support, both organizations were able to reduce the time, effort and costs to secure their CUI and achieve compliance.

Takeaways

CMMC is coming soon. Now is the time to bring your organization up to compliance level, if you aren’t there yet.
 
For more information about the current state of CMMC, and what your organization needs to do now, check out the complete recording of our 4th annual CMMC summit.