FREQUENTLY ASKED QUESTIONS
We’re here to help! Below you’ll find answers to the questions we get asked the most about our CMMC assessment and certification process.
DTC’s primary mission in the CMMC space is to mature the cybersecurity posture of the Defense Industrial Base (DIB). While there are multiple C3PAOs in the ecosystem, some are focused on single-transaction sales. We want to partner with DIB companies over the long haul. Our view is that the cost of any assessment is directly related to the organization’s readiness, the size of the organization, and the scope of the enclave being assessed. Without reviewing an organization’s System Security Plan, network architecture diagram, and data flow and/or CUI flow diagrams, estimates are baseless. DTC will only provide estimates after conducting thorough due diligence to ensure your organization is truly ready for an assessment.
Yes and no! The Federal CUI Rule (32 CFR Part 2002) is also undergoing the rulemaking process, and it will apply protection requirements to ALL federal contracts, which will be required to safeguard Controlled Unclassified Information. The framework for compliance with the FAR CUI rule is the same NIST 800-171/172 requirements that the DoD’s CMMC program will use.
During a CMMC assessment, a Certified Assessment team will review your organization’s cybersecurity practices and processes against the specific CMMC level requirements applicable to your contract. The assessment will involve examining documentation, interviewing personnel, and observing system implementations to ensure the required cybersecurity controls are in place and effective. The assessor will also verify that cybersecurity processes are institutionalized, meaning they are consistently followed and maintained across the organization.
The required CMMC level will be specified in the solicitation or contract documents. It is determined by the type of information your organization handles or processes and the associated risk. You can also consult with the contracting officer or the requiring activity for clarification. (Ref DFARS Section 204.7501)
A CMMC certification will be valid for three years. Contractors must maintain a current certificate at the required level throughout the life of the contract and for any option periods or extensions. (Ref DFARS 204.7501)
If your organization does not pass the CMMC assessment, you will receive a list of deficiencies that need to be addressed. You will have to implement corrective actions and may need to undergo a re-assessment to obtain certification before you can be awarded DoD contracts that require CMMC. (Ref DFARS 252.204-7021 Cybersecurity Maturity Model Certification Requirements)
While organizations can perform self-assessments to prepare for the official CMMC assessment, the actual certification must be conducted by a CMMC Third Party Assessment Organization (C3PAO) or a Certified Assessor. (Ref DFARS 252.204-7021)
Yes, prime contractors must ensure that their subcontractors have the appropriate level of CMMC certification based on the type of information that will be shared with or handled by the subcontractor. The prime contractor is responsible for flowing down the CMMC requirements to all subcontractors. (Ref DFARS 252.204-7021)