CMMC Assessment FAQs
These Frequently Asked Questions (FAQ) cover the topics we are most often asked about when it comes to completing CMMC Conformity Assessments.
Our founder, Matt Titcombe, was a volunteer on the Cyber-AB Standards Industry Working Group. He has directly participated in:
- Creation of the assessment methodology
- Creation and drafting of the CMMC Assessment Criteria
- Creation and drafting of the CMMC Getting Started guide
Mr. Titcombe is also a Subject Matter Expert developing certified training curricula for the Cyber-AB approved Licensed Partner Publishers (LPPs). Specifically, he has worked on the Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) curricula.
Per NIST SP 800-171A, an assessment or “security control assessment” means:
“The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization.”
The CMMC Program definition in 32 CFR Part 170 defines an assessment as:
“The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization, as defined in §170.15 to §170.18.”
Source: 32 CFR §170.4, Acronyms and Definitions
Keeping in mind the definition of an assessment from https://peakinfosec.com/faq-items/what-is-an-assessment/,
“The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization.”
The key difference between a gap assessment, a Mock Assessment, and a Conformity Assessment is the intent of the assessment. Additionally, each authorized CMMC Third-Party Assessment Organization (C3PAO) may use slightly different definitions.
The short answer is that gap assessments are used in consultative engagements, where advice is given on correcting the identified deficiencies.
A Mock Assessment does not give any consultative advice or recommendations, but it is also not intended to be used for a certification event. Mock Assessments are commonly used for Pre-Assessment Readiness Reviews (PARR) and Certification Assessment Readiness Reviews (CARR) prior to the formal Conformity Assessment.
The Conformity Assessment is the formal event, led by C3PAO or Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessors, that results in formal scoring and submission to formal reporting mechanisms such as the Supplier Performance Risk System (SPRS).
Here is a table view of the differences:
| | Gap | Mock | Conformity |
|---|---|---|---|
| Identifies deficiencies | Yes | Yes | Yes |
| Provides recommended remediations | Yes | No | No |
| Used in consultative engagements | Yes | No | No |
| Used to gauge an organization’s readiness for a formal certification event | No | Yes | No |
| Used in a Joint Surveillance Voluntary Assessment (JSVA) | No | No | Yes |
| Used for a CMMC formal assessment | No | No | Yes |
| Results are submitted to SPRS | No | No | Yes |
| Results are submitted to CMMC eMASS | No | No | Yes |
As of right now, none.
Peak InfoSec is an Authorized C3PAO. However, until the 32 CFR Part 170 CMMC Program rule is formally published and in effect, the CMMC Program technically does not exist, so no formal CMMC Conformity Assessments can be conducted.
Once the rule is in effect, Peak InfoSec will be re-authorized by the Cyber-AB and allowed to conduct CMMC Conformity Assessments.
Yes. Peak InfoSec is an authorized C3PAO. To be authorized, Peak InfoSec underwent a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audit of our NIST SP 800-171 implementation. DIBCAC certified us against CMMC 2.0.
Not Yet.
Peak InfoSec was authorized by the Cyber Accreditation Body (Cyber-AB) to be a CMMC 3rd Party Assessor Organization in May 2022. Our CMMC Accreditation Body Marketplace listing is at https://cyberab.org/Catalog#!/c/s/Results/Format/list/Page/1/Size/9/Sort/NameAscending?term=Peak%20InfoSec.
We are waiting for the Draft 32 CFR Part 170 rule to go into effect before we can conduct formal CMMC Conformity Assessments.
Peak InfoSec completed a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) CMMC assessment in April 2022 and was certified as being fully compliant at Level 2.
Yes. Peak InfoSec is an authorized C3PAO. To be authorized, Peak InfoSec underwent a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audit of our NIST SP 800-171 implementation and of our conformity to DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
When it comes to CMMC, the formal audit is called a “Conformity Assessment,” and we refer to the gap assessment phase where we provide recommended remediations as “Consulting.”
Yes.
CMMC assessors will focus extra attention on your supply chain, and your IT provider or Managed Service Provider (MSP) will be the first one a good assessor asks about.
Make sure your organization flows both the FAR 52.204-21 clause and the DFARS 252.204-7012 clause down to them. Do not try to read partial compliance into the clause; you do not have the authority to do so under the DFARS clause.
External Service Providers (ESPs) are heavily cited as being in scope in the DRAFT 32 CFR Part 170, Cybersecurity Maturity Model Certification (CMMC) Program rule.
We recommend clients target CMMC Level 2 because it encompasses all 110 security requirements in NIST SP 800-171.
Only the DoD can direct an organization to be CMMC Level 3 certified. It is recommended that organizations that already handle classified artifacts, work in Space or Command and Control, or are large integrators be ready to be CMMC Level 3 certified.
Officially:
Federal Contract Information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments. Source: 48 CFR § 52.204-21
Unofficially, FCI is the lowest level of information a DoD contractor has to protect under CMMC, and protecting it is the focus of CMMC Level 1. FCI is created by either the federal agency or the contractor and consists of information about the contract that the federal government does not want publicly released.
FCI is not:
- Publicly available content
- Classified information
Some common examples of FCI include:
- Emails between you and your DoD Contracting Officer or Prime about the contract.
- Information about the contract that you load into your Enterprise Resource Planning (ERP) system.