When 2,500 defense contractors gathered at our recent CMMC Summit, they asked hundreds of questions about identifying CUI, scoping CMMC, documentation, their Primes, and assessments.
Here are their 15 most common questions, answered by our compliance experts.
Questions on Scoping & Boundaries
Q: For organizations with multiple locations, does CMMC apply company-wide or can it be limited to specific locations?
CMMC can be limited to specific locations. The most effective approach is to create an “enclave” that isolates CUI-handling systems and locations from the rest of your organization. Your SSP can explicitly document which locations and systems are in scope for certification, while listing other company locations as out of scope. This focused approach both simplifies compliance and reduces costs by applying security controls only where needed.
Q: What happens if CUI is sent outside of the PreVeil email/drive? Am I out of compliance?
A CUI spillage incident doesn’t mean you’re “out of compliance”. You just need to have documented procedures for handling such incidents (documenting the incident, tracking the spillage, and implementing clean-up protocols) that your system administrators would follow. You maintain CMMC compliance.
Q: Are remote employees’ home networks in scope when employees connect their corporate devices containing CUI?
Most likely not, but it depends on their configuration and setup. We recommend two separate home networks (just to be super sure an assessor won’t nitpick): one for work and one for home, with the work network set up compliantly (firewall settings, router settings, etc.). It’s an easy setup and can address some of the concerns with working on a home network.
Q: If I’m using PreVeil and I have CUI on my endpoints, and that endpoint also has access to my corporate network, how do I manage that?
The answer depends wildly on your setup. However, we have recommendations to simplify this, reducing costs and complexity. Schedule 15 minutes with our compliance team to learn more.
Questions on CUI Identification & Handling
Q: Is ITAR controlled technology considered CUI?
ITAR and CUI are independent classifications: not all ITAR is CUI, and not all CUI is ITAR.
Information can be:
- Neither ITAR nor CUI
- Only ITAR
- Only CUI, or
- Both ITAR and CUI.
The key is to check the markings on any files you receive and if you’re uncertain about the classification, always consult your contracting officer or Prime (see below).
Q: If I encrypt CUI with a customer-managed key vault and store the encrypted CUI in a CSP for backup, is the encrypted CUI still considered CUI?
Dana Mason from the CMMC PMO unequivocally stated that CUI is CUI until it is properly decontrolled. Encryption has no bearing on the state of CUI.
Q: In the example above, does the CSP hosting encrypted CUI still require FedRAMP?
Yes, Dana Mason from the CMMC PMO unequivocally stated that if encrypted CUI is stored in a CSP, the CSP must be FedRAMP Moderate or FedRAMP Moderate Equivalent. Learn more about how PreVeil achieved Equivalency in this blog.
Q: What if CUI is not clearly identified and we can’t get answers from our customers?
If you’re uncertain about CUI identification, your first step should be consulting your contracting officer or Prime; they have the responsibility to properly identify CUI. You are not responsible for marking information received from others as CUI. However, note that you do have an obligation to mark any CUI you create as a derivative of existing CUI.
Questions on Compliance Requirements & Documentation
Q: What are the CMMC Level 2 requirements that are not allowed on a POAM?
For CMMC Level 2 certification, you must meet a minimum threshold of 88 controls during your initial assessment. Critically, you must meet:
- All CMMC Level 1 controls
- All 3- or 5-point controls (the one exception is SC.L2-3.13.11 when it is partially met, i.e. encryption is employed but is not FIPS validated, which reduces the SPRS score by 3 points instead of 5)
- The following 1-point controls:
  - AC.L2-3.1.20 – External Connections (CUI Data)
  - AC.L2-3.1.22 – Control Public Information (CUI Data)
  - PE.L2-3.10.3 – Escort Visitors (CUI Data)
  - PE.L2-3.10.4 – Physical Access Logs (CUI Data)
  - PE.L2-3.10.5 – Manage Physical Access (CUI Data)
If you don’t meet these requirements in your first assessment, you’ll need to start the entire assessment process over, including paying for a new assessment. This is why many organizations opt for a readiness assessment first to ensure they meet these minimum requirements. Read more in the Federal Register.
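The rule above is easy to get wrong when you are deciding which gaps can go on a POA&M before booking an assessment, so here is a small Python checker for it. This is an added example, not part of the original post and not PreVeil’s tooling. It assumes the DoD Assessment Methodology scoring model (start at 110, subtract each unmet control’s 1/3/5-point weight) and applies the 88 threshold to that score. The control catalogue it runs on is a constructed sample, not the full NIST SP 800-171 Rev 2 list: only the control IDs and weights quoted in the answer above come from the page; `AC.L1-3.1.1` is used as a representative 5-point Level 1 control, and `EX.L2-3.0.0` is a placeholder 1-point control invented for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumption: SPRS scoring starts at 110 and subtracts each unmet control's weight.
MAX_SCORE = 110
MIN_SCORE = 88  # minimum threshold cited in the answer above

# 1-point controls that the answer lists as NOT allowed on a POA&M (from the page).
ONE_POINT_NO_POAM = {
    "AC.L2-3.1.20",  # External Connections (CUI Data)
    "AC.L2-3.1.22",  # Control Public Information (CUI Data)
    "PE.L2-3.10.3",  # Escort Visitors (CUI Data)
    "PE.L2-3.10.4",  # Physical Access Logs (CUI Data)
    "PE.L2-3.10.5",  # Manage Physical Access (CUI Data)
}
# The only 5-point control with a "partial" outcome: encryption in use, not FIPS validated.
FIPS_CONTROL = "SC.L2-3.13.11"
FIPS_PARTIAL_DEDUCTION = 3


@dataclass(frozen=True)
class Control:
    cid: str        # control identifier, e.g. "AC.L2-3.1.20"
    points: int     # assessment weight: 1, 3 or 5
    level1: bool    # True if the control is also a CMMC Level 1 practice
    status: str     # "met", "not_met", or "partial" (only meaningful for SC.L2-3.13.11)


def deduction(c: Control) -> int:
    """Points subtracted from the SPRS score for one control."""
    if c.status == "met":
        return 0
    if c.cid == FIPS_CONTROL and c.status == "partial":
        return FIPS_PARTIAL_DEDUCTION
    return c.points


def sprs_score(controls: Iterable[Control]) -> int:
    """SPRS score for the catalogue given; controls absent from the list count as met."""
    return MAX_SCORE - sum(deduction(c) for c in controls)


def poam_blockers(controls: Iterable[Control]) -> List[str]:
    """IDs of unmet controls that the rule does not allow to be deferred to a POA&M."""
    blockers = []
    for c in controls:
        if c.status == "met":
            continue
        if c.cid == FIPS_CONTROL and c.status == "partial":
            continue  # the one tolerated partial: still scores -3 but is POA&M-eligible
        if c.level1 or c.points >= 3 or c.cid in ONE_POINT_NO_POAM:
            blockers.append(c.cid)
    return blockers


def conditional_cert_eligible(controls: Iterable[Control]) -> Tuple[bool, int, List[str]]:
    """(eligible, score, blockers): eligible only if score >= 88 and nothing blocks a POA&M."""
    controls = list(controls)
    score = sprs_score(controls)
    blockers = poam_blockers(controls)
    return (score >= MIN_SCORE and not blockers, score, blockers)


# Constructed sample catalogue (labelled placeholders, not the full 110 controls).
def sample_catalogue(fips_status: str, ext_conn_status: str, l1_status: str) -> List[Control]:
    return [
        Control("AC.L1-3.1.1", 5, True, l1_status),          # representative Level 1, 5 points
        Control(FIPS_CONTROL, 5, False, fips_status),         # FIPS-validated crypto
        Control("AC.L2-3.1.20", 1, False, ext_conn_status),   # 1-point, but not POA&M-able
        Control("EX.L2-3.0.0", 1, False, "not_met"),          # placeholder 1-point control
    ]


if __name__ == "__main__":
    for label, cat in [
        ("FIPS partial, rest met", sample_catalogue("partial", "met", "met")),
        ("external connections unmet", sample_catalogue("partial", "not_met", "met")),
        ("Level 1 control unmet", sample_catalogue("met", "met", "not_met")),
    ]:
        ok, score, blockers = conditional_cert_eligible(cat)
        print(f"{label}: eligible={ok} score={score} blockers={blockers}")
```

Run it and the three scenarios print their outcome: the FIPS-partial case passes (score 106, no blockers, the placeholder 1-point gap goes on the POA&M), while an unmet `AC.L2-3.1.20` or an unmet Level 1 control blocks certification even though the score stays well above 88.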
Questions on Prime Contractor Relationships
Q: What DFARS clauses should I be looking for to see my flow-down requirements?
The key DFARS clauses for CMMC flow-down requirements are 252.204-7012, 7019, 7020, and 7021. Of particular importance is 7021, which addresses CMMC requirements and flow-down to subcontractors. Read more here.
Q: The CMMC requirement is needed at time of order, not when quoting, correct?
Correct. While CMMC certification is officially required at time of contract award rather than during the bidding process, Prime contractors are increasingly making certification a prerequisite for consideration.
Here’s what JR Williamson, CISO at Leidos said at our CMMC summit:
We do run the risk that we may have a really great supplier that has a perfect solution that fits excellently into our offering to the customer but they are not certified and not going to be certified for another 12-14 months. As a result, we just cannot use them and they’re off the team because we run the risk of not winning if they cannot be certified at the time the award is given.
Q: What are the consequences for my ongoing work for a Prime if I’m not compliant after CMMC goes live?
The consequences of non-compliance can be severe, potentially resulting in contract termination and exclusion from future opportunities. Prime contractors have made it clear that they cannot risk working with non-compliant suppliers once CMMC requirements take effect. This could mean losing both current contracts and future business opportunities within the defense industrial base. See JR’s stance above.
Questions on Assessment & Costs
Q: Do you have to do a readiness assessment before you can go for certification?
No, but you must complete a self-assessment. We do highly recommend readiness assessments as well because failing your official CMMC assessment means starting over, and paying for a new one. A readiness assessment helps identify and address gaps before committing to the formal certification process, potentially saving significant time and money by ensuring you’re fully prepared.
Q: What’s the cost for CMMC Level 2 Audit? Are there resources to help?
CMMC Level 2 certification costs vary based on organization size, complexity, and current security posture. The DoD estimates the cost of preparing for, conducting, and reporting a Level 2 assessment at $100,000, but note this doesn’t include documentation, tools, and potential remediation. We’ve identified several ways organizations can optimize their spending and reduce overall certification costs; these strategies are detailed in our CMMC cost-saving guide.
Q: Is FIPS required on the firewall? Isn’t CUI flowing through it, even if it’s protected via PreVeil?
FIPS is required when protecting the confidentiality of CUI, but if data is already encrypted (like with PreVeil), then the firewall doesn’t need to be FIPS-enabled.
Q: Are there samples available of a responsibility matrix & what information is required from an MSP, ESP, or CSP?
Responsibility matrices are essential for clearly defining security control ownership between your organization and service providers. These documents outline which party is responsible for implementing and maintaining specific controls. PreVeil offers assessment-ready, pre-filled documentation, including Service Provider Responsibility Matrices (SRMs). Talk to our sales team for more information.
Q: How much documentation will MSPs need to provide in a C3PAO assessment?
Documentation requirements for MSPs vary based on their specific role in handling CUI and supporting CMMC compliance. MSPs must provide evidence for any control they’re responsible for implementing or maintaining, which could include risk assessments, configuration management, training records, and access control documentation. It’s crucial to clearly define these responsibilities in your service agreements.
Q: Is NIST SP 800-171 Rev 3 applicable now?
CMMC requirements are currently based on NIST SP 800-171 Revision 2 and will remain so for the foreseeable future. While Revision 3 has been released, it is not incorporated into CMMC requirements.
Still have questions?