CMMC FAQ (2020-02-16)
How is CMMC structured? (2020-02-26)

The CMMC is broken down into 17 domains, with both Process and Practice requirements spread across the 5 levels of compliance. We suggest watching our video, CMMC: Breaking down the Framework, for a fuller explanation of how CMMC is organized.

How up-to-date is Peak InfoSec regarding CMMC? (2020-07-31)

Our founder, Matt Titcombe, is a volunteer on the CMMC-AB Standards Industry Working Group. He has directly participated in:

  • Creation of the assessment methodology
  • Creation and drafting of the CMMC Assessment Criteria
  • Creation and drafting of the CMMC Getting Started guide

Can Peak InfoSec do CMMC Audits? (2020-02-10)

Frankly, we don’t know yet. The Office of the Secretary of Defense hasn’t put out enough information on how Auditing will work.

Please go to our contact page at https://peakinfosec.com/contact/ so we can let you know more when we know.

Can Peak InfoSec help us prepare for CMMC? (2020-02-10)

Yes. Peak InfoSec can help your organization by providing:

  • Assessment of your current status
  • Identification of required remediations
  • Helping to implement remediations
  • Tailoring our CMMC Policy Package to meet your business
  • Building your evidence book
  • Being there during the Audit

What level is Peak InfoSec certified at under CMMC? (2020-02-10)

Currently, just like everyone else, we aren’t certified. We have started our own preparations and plan to be certified at Level 4, Proactive.

BTW, if anyone is telling you they are certified right now, we have a term for them out West: a Snake Oil Salesperson.

Does Peak InfoSec have CMMC compliant Policy, Plans, Procedures, and Standards we can use? (2020-02-10)

Yes, and all will require varying degrees of tailoring to fit your business.

Our Policy & Plans package requires the least amount of tailoring, while the procedures will require a lot more.

Is Peak InfoSec DFARS & NIST SP 800-171 Compliant? (2020-02-10)

Yes. We can provide our System Security Plan (SSP) upon request.

What is the difference between an Audit and an Assessment? (2020-02-10)

An Audit is like a final exam. The Auditor or Auditing firm will come in and evaluate all of your controls as either compliant or non-compliant. There is no middle ground. The Auditor or Auditing firm will then give you their compliance report. Some firms will allow you to suggest changes or provide your remediation plan for a deficiency. Likewise, some firms will include an option to come back after a period of time to re-review non-compliant controls.

An Assessment is where the Assessor or Assessing firm comes in and evaluates all of your controls as either compliant, partially compliant, or non-compliant. At Peak InfoSec, we will let you know why anything is off, provide you recommendations on how to remediate, and be there to help you remediate. If we are doing an assessment that leads up to an audit, we can even help you build your “Evidence Book.”

What is an “Evidence Book”? (2020-02-10)

An “Evidence Book” is created during the pre-Audit efforts and is provided to the Auditor at the start of an audit. The Auditor uses this document to conduct their initial compliance review of your controls. Depending on the Auditor and the audit requirements, the Auditor may spot check a percentage of controls or validate that all are compliant. The “Evidence Book” streamlines the audit process for everyone.

Does our IT or Managed Service Provider (MSP) have to be compliant? (2020-02-10)

Yes.

CMMC auditors will focus extra attention on your Supply Chain, and your IT/MSP provider will be the first one a good auditor asks about.

Make sure your organization passes both the FAR 52 & DFARS Clause down to them. Don’t try to read in partial compliance; you don’t have the authority to do so under the DFARS clause.

Does an incident have to be confirmed before we report it? (2020-02-10)

No.

The key word in the definition is “potential.” We also call it an “Indicator of Compromise” or IoC.

The “potential” part applies wherever the Confidentiality, Integrity, or Availability of the system may indicate a compromise.

The firewall or your End Point Protection software blocking malware, or stopping a user from going to a malicious site, is not an IoC and does not need to be reported.

Remember, you need to report an Incident within 72 hours to DC3.

For more information about our Incident Response Services, please go to our CMMC Incident Response page.
What do we need to know in order to report an incident to DC3? (2020-02-10)

In our experience working through real-world Incidents with DC3, you only need to provide them the information about the confirmed or potential Indicators of Compromise.

Information about the hackers’ Tools, Techniques, and Procedures (TTPs); business impacts; data exfiltration; and remediation efforts can be provided in your final report.

DC3 does like to get your list of DoD contracts as soon as possible.

For more information about our Incident Response Services, please go to our CMMC Incident Response page.

We are DFARS & NIST SP 800-171 Compliant. Which level should we target? (2020-02-10)

We recommend clients target CMMC Level 3 because it encompasses all 110 controls in NIST SP 800-171.

Level 3 also adds another 20 controls, for a total of 130 Practices that you will need to demonstrate compliance with.

Level 3 further adds 51 Maturity Processes (3 Maturity Level Process requirements × 17 Domains) that you will have to demonstrate compliance with.

What is Controlled Unclassified Information (CUI)? (2020-02-10)

For the long answer, go to “Does our organization handle Controlled Unclassified Information (CUI)? (Long Winded Answer)”.

Our interpreted definition is:

Any Technical Information “collected, developed, received, transmitted, used, or stored,” such as “research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code,” used or created “in support of the performance of” a DoD “contract.”

We like to turn it around and ask it as a question:

Since 2015, has your organization ever “Collected, developed, received, transmitted, used, or stored” any “technical information” such as “research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code” “in support of the performance of” a DoD “contract”?

What is Federal Contract Information (FCI)? (2020-02-10)

Officially:

Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments. Source: 48 CFR § 52.204-21

Unofficially, FCI is the lowest level of information a DoD Contractor has to protect and is only associated with CMMC Level 1.

Does our organization handle Controlled Unclassified Information (CUI)? (Long Winded Answer) (2020-02-10)

This sure sounds like an easy question, but, given the Federal government’s involvement, it isn’t.

HINT: If you want to skip the long-winded answer, go to “What is Controlled Unclassified Information (CUI)?”.

Step 1: Define Covered Defense Information (CDI)

The answer begins with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Paragraph (a) has two key definitions we need to highlight:

“Controlled Technical Information (CTI)” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
“Covered Defense Information (CDI)” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—

(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

So, does the DFARS clause ever define CUI? No. Nor does it clearly define the relationship between CDI and CTI.

Step 2: Define CUI

To get the official definition of CUI, we need to go to https://www.archives.gov/cui/about, which states:

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

That really didn’t help.

Step 3: Understand NARA’s CUI categories

The second definition points us to the National Archives & Records Administration (NARA) at http://www.archives.gov/cui/registry/category-list.html to figure out this mess. If you go to that page, you will see a list of categories and sub-categories like:

  • Critical Infrastructure
  • Defense
    • Controlled Technical Information
    • DoD Critical Infrastructure Security Information
    • Naval Nuclear Propulsion Information
    • Unclassified Controlled Nuclear Information – Defense
  • Export Control
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • North Atlantic Treaty Organization (NATO)
  • Nuclear
  • Patent
  • Privacy
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax
  • Transportation

What matters to us is the definition of CTI:

“Controlled Technical Information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with Department of Defense Instruction 5230.24, “Distribution Statements of Technical Documents.” The term does not include information that is lawfully publicly available without restrictions. “Technical Information” means technical data or computer software, as those terms are defined in Defense Federal Acquisition Regulation Supplement clause 252.227-7013, “Rights in Technical Data – Noncommercial Items” (48 CFR 252.227-7013). Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.”

The examples of technical information at the end of that definition are what really matter.

Step 4: Bring it all together

In shorthand, CDI is the CUI Category of Defense CTI.

We find it best to bring all of this together in the form of a question:

Since 2015, has your organization ever “Collected, developed, received, transmitted, used, or stored” any “technical information” such as “research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code” “in support of the performance of” a DoD “contract”?

If you can answer yes to this question, then your organization has handled CUI, CDI, or CTI.

For more information, please contact us at info@peakinfosec.com.