CMMC Assessment FAQs (2024-05-10T14:24:45-04:00)

These Frequently Asked Questions (FAQ) cover the topics we are most often asked about when it comes to completing CMMC Conformity Assessments.

How up-to-date is Peak InfoSec regarding CMMC? (2024-04-23T11:41:08-04:00)

Our founder, Matt Titcombe, was a volunteer on the Cyber-AB Standards Industry Working Group. He has directly participated in:

  • Creation of the assessment methodology
  • Creation and drafting of the CMMC Assessment Criteria
  • Creation and drafting of the CMMC Getting Started guide

Mr. Titcombe is also a Subject Matter Expert developing certified training curricula for the Cyber-AB approved Licensed Partner Publishers. Specifically, he has worked on the CMMC Certified Practitioner (CCP) and CMMC Certified Assessor (CCA) curricula.

What is an assessment? (2024-04-30T07:19:44-04:00)

Per NIST SP 800-171A, an assessment or “security control assessment” means:

“The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization.”

Source: assessment – Glossary | CSRC (nist.gov)

The CMMC Program definition in 32 CFR Part 170 defines an assessment as:

“The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization, as defined in §170.15 to §170.18.”

Source: 32 CFR §170.4, Acronyms & Definitions

What is the difference between a conformity, gap, and mock assessment? (2024-04-30T07:54:49-04:00)

Keep in mind the definition of an assessment from https://peakinfosec.com/faq-items/what-is-an-assessment/:

“The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization.”

Source: assessment – Glossary | CSRC (nist.gov)

The key difference is the intent of the assessment. Additionally, every authorized CMMC 3rd Party Assessment Organization (C3PAO) may use slightly different definitions.

The short answer: a Gap Assessment is used where consultative advice is given to correct the deficiencies it identifies.

A Mock Assessment does not give any consultative advice or recommendations, but it is also not intended to be used for a certification event. Mock Assessments are commonly used with Pre-Assessment Readiness Reviews (PARR) and Certification Assessment Readiness Reviews (CARR) prior to the formal Conformity Assessment.

The Conformity Assessment is the formal event, led by C3PAO or Defense Industrial Base Cybersecurity Assurance Center (DIBCAC) assessors, that results in a formal score and a submission to formal reporting mechanisms such as the Supplier Performance Risk System (SPRS).

Here is a table view of the differences:

                                                                        Gap   Mock  Conformity
Identifies deficiencies                                                 Yes   Yes   Yes
Provides recommended remediations                                       Yes   No    No
Used in consultative engagements                                        Yes   No    No
Used to gauge an organization's readiness for a formal certification    No    Yes   No
Used in a JSVA                                                          No    No    Yes
Used for a CMMC formal assessment                                       No    No    Yes
Results are submitted to SPRS                                           No    No    Yes
Results are submitted to CMMC eMASS                                     No    No    Yes

Which CMMC Level Conformity Assessments is Peak InfoSec authorized to conduct? (2024-04-23T11:11:33-04:00)

As of right now, none.

Peak InfoSec is an Authorized C3PAO. However, until the 32 CFR Part 170 CMMC Program rule is formally published, CMMC technically does not exist.

Once it is published, Peak InfoSec will be re-authorized by the Cyber-AB and allowed to conduct CMMC Conformity Assessments.

Is Peak InfoSec CMMC Certified? (2024-04-23T11:13:18-04:00)

Yes. Peak InfoSec is an authorized C3PAO. To be authorized, Peak InfoSec underwent a Defense Industrial Base Cybersecurity Assurance Center (DIBCAC) audit of our NIST SP 800-171 implementation. DIBCAC certified us against CMMC 2.0.

Can Peak InfoSec conduct CMMC Conformity Assessments? (2024-04-23T11:25:34-04:00)

Not yet.

Peak InfoSec was authorized by the Cyber Accreditation Body (Cyber-AB) to be a CMMC 3rd Party Assessment Organization in May 2022. Our CMMC Accreditation Body Marketplace listing is at https://cyberab.org/Catalog#!/c/s/Results/Format/list/Page/1/Size/9/Sort/NameAscending?term=Peak%20InfoSec.

We are waiting for the draft 32 CFR Part 170 rule to go into effect before we can conduct formal CMMC Conformity Assessments.

What level is Peak InfoSec certified at under CMMC? (2024-04-23T11:26:02-04:00)

Peak InfoSec completed a Defense Industrial Base Cybersecurity Assurance Center (DIBCAC) CMMC assessment in April 2022, and we were certified as being fully compliant at Level 2.

Is Peak InfoSec DFARS & NIST SP 800-171 Compliant? (2024-04-23T11:35:52-04:00)

Yes. Peak InfoSec is an authorized C3PAO. To be authorized, Peak InfoSec underwent a Defense Industrial Base Cybersecurity Assurance Center (DIBCAC) audit of our NIST SP 800-171 implementation and of our conformity to DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

What is the difference between an Audit and an Assessment? (2024-04-23T11:19:26-04:00)

When it comes to CMMC, the formal audit is called a “Conformity Assessment,” and we refer to the gap assessment phase where we provide recommended remediations as “Consulting.”

Does our IT or Managed Service Provider (MSP) have to be compliant? (2024-04-23T11:37:24-04:00)

Yes.

CMMC auditors will focus extra attention on your supply chain, and your IT/MSP provider will be the first one a good auditor asks about.

Make sure your organization flows both the FAR 52 and DFARS clauses down to them. Don't try to read partial compliance into the clause; you don't have the authority to do so under the DFARS clause.

External Service Providers (ESP) are heavily cited as being in scope in the DRAFT 32 CFR Part 170 – Cybersecurity Maturity Model Certification (CMMC) Program rule.

We are DFARS & NIST SP 800-171 Compliant. Which level should we target? (2024-04-23T11:40:28-04:00)

We recommend clients target CMMC Level 2 because it encompasses all of the 110 controls in NIST SP 800-171.

Only the DoD can direct an organization to be CMMC Level 3 certified. We recommend that organizations that already handle classified artifacts, work with Space or Command and Control programs, or are large integrators be ready to be CMMC Level 3 certified.

What is Federal Contract Information (FCI)? (2024-04-23T11:34:17-04:00)

Officially:

Federal Contract Information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.

Source: 48 CFR § 52.204-21

Unofficially, FCI is the lowest level of information a DoD contractor has to protect, and it is only associated with CMMC Level 1. FCI arises when either the Federal agency or a contractor creates information about the contract that the Federal government does not want publicly released.

FCI is not:

  • Publicly available content
  • Classified information

Some common examples of FCI include:

  • Emails between you and your DoD Contracting Officer or Prime about the contract.
  • Information you may be loading into your ERP about the contract.
[Diagram: "What is Federal Contract Information (FCI)?"]
